LizardStresser Botnet Abuses IoT Devices in 400Gbps Attack
LizardStresser, a distributed denial of service (DDoS) botnet that inspired many cybercrime groups to create their own botnets, was recently used in attacks as large as 400 gigabits per second (Gbps) that leverage the power of IoT devices, Arbor Networks researchers reveal.
Written in C and designed to run on Linux, the botnet malware has had its source code leaked online in early 2015, which inspired DDoS actors to build their own botnets. More recently, however, researchers noticed that the number of unique LizardStresser command and control (C&C) servers has grown, and that actors behind the botnet have been targeting Internet of Things (IoT) devices using default passwords.
Similar to other botnets, LizardStresser relies on a large number of hosts that connect to a C&C server to conduct malicious activities. The botnet can be used to launch DDoS attacks using a variety of attack methods: HOLD – holds open TCP connections; JUNK – send a random string of junk characters to a TCP port; UDP – send a random string of junk characters to a UDP port; TCP – repeatedly send TCP packets with the specified flags.
The LizardStresser bots also have a mechanism to run arbitrary shell commands, which allows operators to update the list of C&C servers or to download new malware to them. Since the beginning of this year, Arbor Networks researchers have observed an increase in the unique number of C&C servers the botnet connects to: they are now in excess of a hundred.
What’s more, researchers observed that the increase was accompanied by a surge in real-world attacks that match the LizardStresser network signature and that the botnet also started using IoT devices as bots in a number of attacks. Earlier this week, Sucuri researchers also revealed that tens of thousands of compromised CCTV devices have been leveraged in DDoS attacks.
Given that passwords are often shared amongst entire IoT device classes, LizardStresser uses its telnet brute-forcing capability to login to random IP addresses with a specific list of usernames and passwords in an attempt to compromise devices.
IoT devices can prove ideal for DDoS bots for various reasons, starting with the fact that they typically run embedded versions of the Linux operating system, which also means that they lack in security. These devices usually enjoy full access to Internet, with no bandwidth limitations or filtering, and can be easily compromised because manufacturers often re-use portions of hardware and software in different classes of devices, including default passwords.
Researchers observed that two LizardStresser C&C servers possibly operated by the same threat actor were used in attacks against two large Brazilian banks, two Brazilian telecoms, two Brazilian government agencies, and three large gaming companies based in the US. One of these attacks spiked at over 400 Gbps from several thousand source addresses, and didn’t appear to use amplification protocols.
The attackers were also observed switching from HOLD flood to UDP flooding and TCP flooding to ensure maximum impact, while the attack sources were located primarily in Vietnam and Brazil, but also scattered around the world. Further analysis of these sources revealed that a HTTP “GET /” to TCP port 80, resulted in the host responding with a HTML title of “NETSurveillance WEB” in 90 percent of the cases, and researchers linked this response to various Internet-accessible webcams.
“A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customized the LizardStresser brute-force code to use this published, but under-utilized default password for IoT devices based on the NETSurveillance code,” Arbor Networks researchers explain.
While the publicly available version of LizardStresser generates IP addresses to brute-force randomly, researchers believe that the threat actor might have modified the code to target specific geographies instead. Additionally, there is the possibility that Vietnam and Brazil are the countries where most of the IoT devices running the NETSurveillance code are located.
According to Arbor Networsk, “LizardStresser is becoming the botnet-du-jour for IoT devices” because attackers can easily make minor tweaks to telnet scanning and add new hosts to the botnet with minimal research into default passwords. What’s more, these IoT devices can be abused to fuel DDoS attacks upwards of 400Gbps without using reflection/amplification.