One million IoT devices infected by Bashlite malware-driven DDoS botnet

A new DDoS botnet, powered by the Bashlite malware has been uncovered by security researchers, primarily using vulnerable IoT (Internet of Things) devices. According to Level 3 Threat Research Labs, the Bashlite malware family, also known as Lizkebab, Torlus and Gafgyt is responsible for the rise of a million-endpoint botnets conducting DDoS attacks.

Security researchers said the Bashlite malware's source code was first leaked in early 2015, after which cybercriminals have developed several variants of the malware. "Of the bots we've observed participating in attacks, peaking at more than one million devices, a large percentage are located in Taiwan, Brazil and Colombia," the researchers said.

The bots were also found to be using DVRs manufactured by Dahua Technology, Beijing-based international video surveillance provider. Researchers said they had notified the firm of the issue, which is currently developing a patch for the flaw and is expected to deploy it soon.

"The impacts of these botnets can affect anyone on the internet, not just the IoT device owners. DDoS victims of these botnets are mostly residential users, which is consistent with booter service clientele. We also see many popular gaming platforms and sites being attacked, which is typical of the public claims made by multiple well-known DDoS groups," the researchers noted. "After the attacker has gained access to the device, their tools do not bother to identify the architecture of the device they have compromised. Instead, they immediately execute both the "busybox wget" and "wget" commands to retrieve their DDoS bot payloads. Then they attempt to run multiple versions of the malware compiled for different architectures (as many as 12), until one executes."

"This research shocked us," said Dale Drew, chief security officer at Level 3 Communications. "We picked fairly well-known and average botnets and challenged ourselves to find as many interesting things as we could. At a high level we were surprised. When we looked at Bashlite malware, for example, we found it was tied to botnets far more organised and structured than we had previously thought," Threatpost reported.

Botnet functions

According to Level 3 researchers, the botnet grows by scanning for vulnerable devices, in efforts to infect systems with the malware. The bots use one of two prevailing scanning techniques. "The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device. The other model, which is becoming increasingly common, uses external scanners to find and harvest new bots, in some cases scanning from the C2 servers themselves," the researchers said.

Researchers also said that since Bashlite's source code was leaked, they have observed numerous threat actors come up with a "variety of implementations". They cautioned of the high likelihood of further evolutions to "the infection vectors, scanning methods and overall sophistication" of such operations.

Command and control

Level 3 researchers working in collaboration with Flashpoint, which has been tracking over 200 C&C (command and control) servers connected to the Bashlite family, discovered that IP addresses for the malware's C&C servers are hard-coded into the malware, thereby often displaying only a single IP address.

"This is in contrast with more sophisticated malware, which utilises a variety of techniques to provide higher resiliency, and leaves this botnet no immediate defence against takedowns. This does not appear to be a concern for these bot herders, as it is easy to create a new C2 and re-compromise their bots. Despite this overall lack of sophistication, many of these botnets are capable of producing powerful attacks. Level 3 Threat Research Labs has seen attacks as large as hundreds of gigabits per second launched from these botnets," the researchers said.

Researchers also noted that the size and scope of the attacks conducted keep varying.

Rise of the IoT botnets

This is not the first time that DDoS botnets have been observed using flaw-ridden IoT devices to launch attacks. In July, hackers using the LizardStresser botnet launched large-scale DDoS attacks via hijacked IoT devices.

"The Internet of Things presents a clear weak spot for an increasing number of information security organisations," said Tim Erlin, director of IT security and risk strategy for Tripwire. The cybersecurity firm recently release a survey on the security risks associated with IoT devices.

"It wasn't so long ago that home computer 'zombie armies' were the weapon of choice for a lot of cyberattacks and denial of service attacks," said Dwayne Melancon, Tripwire's chief technology officer and vice president of research and development.

"It seems that security professionals see IoT devices as a sort of 'zombie appliance army' that's worthy of great concern. That makes sense, since many of the current crop of IoT devices were created with low cost as a priority over security, making them easy targets. The large number of easily compromised devices will require a new approach if we are to secure our critical networks. Organisations must respond with low-cost, automated and highly resilient methods to successfully manage the security risk of these devices at scale."