LizardStresser, a “DDoS” for hire botnet, has been given a new lease of life thanks to the emergence of Internet of Things (IoT) and connected home devices, researchers say.
The distributed denial-of-service tool, created by the Lizard Squad group, has been used in attacks against targets ranging from online media publications to government agencies.
Botnets are systems based on controllers and compromised ‘slave’ systems which are commanded to flood online domains with traffic, most often used to disrupt these services in distributed denial-of-service (DDoS) attacks.
In 2015, the source code of the botnet was released to the public, leading to would-be cyberattackers alongside established threat actors seizing the opportunity to build their own botnets based on the LizardStresser framework.
Researchers from Arbor Networks’ ASERT group have been monitoring activity concerning the botnet and have found the number of unique LizardStresser command-and-control (C&C) servers have been “steadily” increasing this year.
However, the main cause of concern is that some threat actors behind LizardStresser botnets have been targeting IoT to strengthen their creators.
IoT devices, such as Wi-Fi-enabled cameras, surveillance systems, lighting and even fridges, are becoming popular additions to our homes, but unfortunately, security is not usually a top priority for vendors.
In a blog post, the research team said:
“Utilizing the cumulative bandwidth available to these IOT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs, and government institutions.”
The botnet, written in C and designed for Linux systems, is very simple to compile, run and tweak for architecture including x86, ARM, and MIPS, which are common platforms for connected devices. The versions targeting IoT products use telnet brute-force to attempt to login to random IP addresses with a hard-coded list of user credentials, which as the search engine Shodan highlights, are commonly available.
If you have an IoT device which either does not allow you to change hard-coded default credentials or you have not changed these details yourself, the device is at risk of becoming a botnet slave.
“In the case of DDoS malware, the value of a victim is how much bandwidth of attack traffic it can generate,” Arbor says. “If a machine is already compromised, it’s bandwidth is likely being utilized. The threat actor can attempt to evict competing malware, but this takes time and effort.”
The ASERT team has been tracking two LizardStresser botnets in particular. Believed to be the handiwork of a single group, their main focus is on Brazilian targets and gaming services.
The botnets launched attacks against multiple targets this year — with one attack spiking at over 400Gbps from several thousand source addresses.
Two large Brazilian banks, two Brazilian telecommunications providers, two Brazilian government agencies and three large gaming companies in the United States have become the victims of DDoS attacks so far.
The traffic mainly came from Vietnam and Brazil, although other sources from compromised systems are scattered worldwide.
The team realized that almost 90 percent of the hosts involved in the slave network had an HTML title of “NETSurveillance WEB,” which is generic code used by webcams with Internet access — and not only are default credentials online, but telnet is enabled by default.
“With minimal research into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets,” the team says. “Arbor has observed LizardStresser C2’s issue attack commands to IoT devices and a resultant DDoS attack upwards of 400Gbps without using reflection/amplification, a notable feat fueled by an arcane piece of information.”
In 2015, six teenagers were accused of using LizardStresser in attacks against newspapers, gaming companies and online retailers.