Engineering:BASHLITE
| Technical name | BashLite; Gafgyt; QBot; PinkSlip |
|---|---|
| Aliases | Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus, LizardStresser |
| Type | Botnet |
| Author(s) | Lizard Squad |
| Operating system(s) affected | Linux |
| Written in | C |
BASHLITE (also known as Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus and LizardStresser) is malware that infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks.[1] Originally it was also known as Bashdoor,[2] but that term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.[3]
The original version, seen in 2014, exploited a flaw in the Bash shell (the Shellshock bug, CVE-2014-6271) to compromise devices running BusyBox.[4][5][6][7] A few months later a variant was detected that could also infect other vulnerable devices on the local network.[8] In 2015 its source code was leaked, causing a proliferation of different variants,[9] and by 2016 it was reported that one million devices had been infected.[10][11][12][13]
Of the identifiable devices participating in these botnets in August 2016, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers, and less than 1 percent were compromised Linux servers.[9]
Design
BASHLITE is written in C, and designed to easily cross-compile to various computer architectures.[9]
Exact capabilities differ between variants, but the most common features[9] generate several types of DDoS attack: holding TCP connections open to exhaust the target's connection table, sending strings of random junk characters to a TCP or UDP port, or repeatedly sending raw TCP packets with a specified set of flags. Variants may also include a mechanism to run arbitrary shell commands on the infected machine. There are no facilities for reflection or amplification attacks, so the attack volume is bounded by the bots' own uplink bandwidth.
BASHLITE uses a client–server model for command and control. The protocol used for communication is essentially a lightweight version of Internet Relay Chat (IRC).[14] Even though the code supports multiple command and control servers, most variants have only a single command and control IP address hardcoded, which makes that address a useful indicator for egress blocking once a sample has been analysed.
It propagates by brute-forcing logins, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to log in; successful logins are reported back to the command and control server, from which the newly found device can then be infected.
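The three flood types above leave distinct signatures in aggregated flow records, which is where a network defender usually sees a BASHLITE-driven attack first. The following is an added detection example, not code from the malware, from Level 3 or from any other source cited on this page. It runs over constructed sample flows in a NetFlow-like shape; the field names, the `Flow` record, the flag-set list and every threshold are assumptions chosen for the demonstration and must be tuned against a real baseline.

```python
"""Classify per-source traffic into the flood patterns BASHLITE variants
generate (hold-open, junk flood, flag flood).  Added example over
constructed sample data; thresholds are assumptions, not page values."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source address (the suspected bot)
    dst: str     # victim address
    proto: str   # "tcp" or "udp"
    dport: int
    flags: str   # TCP flag letters as a collector renders them ("S", "SA", "FPU"); "" for UDP
    packets: int
    bytes: int


# Assumed thresholds for the demo; tune against a real baseline before use.
HOLD_OPEN_MIN_CONNS = 200       # idle handshake-only connections per (src, victim, port)
JUNK_MIN_PACKETS = 5000         # packets in one flow to count as a junk flood
JUNK_MIN_AVG_PAYLOAD = 200      # bytes/packet: junk strings are large, probes are small
FLAG_FLOOD_MIN_PACKETS = 5000   # raw packets with one fixed flag set in a single flow
# SYN-only, SYN+FIN, SYN+RST, XMAS, all flags, URG-only, null: no real stack
# repeats these thousands of times inside one flow.
FLOOD_FLAG_SETS = {"S", "SF", "SR", "FPU", "FSRPAU", "U", ""}


def classify(flows):
    """Return {src: set(labels)} for sources whose traffic matches a flood pattern."""
    labels = defaultdict(set)
    hold_open = Counter()   # (src, dst, dport) -> handshake-only connections seen

    for f in flows:
        avg_payload = f.bytes / f.packets if f.packets else 0
        key = (f.src, f.dst, f.dport)

        # 1. Hold-open: a completed handshake (SYN and ACK seen) carrying no
        #    data.  One such flow is a normal idle keepalive; hundreds to the
        #    same victim:port from one source is connection-table exhaustion.
        if f.proto == "tcp" and "S" in f.flags and "A" in f.flags and f.packets <= 3:
            hold_open[key] += 1
            if hold_open[key] >= HOLD_OPEN_MIN_CONNS:
                labels[f.src].add("tcp_hold_open")

        # 2. Junk flood: a single TCP or UDP flow with a huge packet count and a
        #    large average payload (random strings, not small probes).
        if f.packets >= JUNK_MIN_PACKETS and avg_payload >= JUNK_MIN_AVG_PAYLOAD:
            labels[f.src].add("junk_flood")

        # 3. Flag flood: raw TCP packets with a fixed, abnormal flag set.
        if f.proto == "tcp" and f.flags in FLOOD_FLAG_SETS and f.packets >= FLAG_FLOOD_MIN_PACKETS:
            labels[f.src].add("tcp_flag_flood")

    return dict(labels)


# Constructed sample export (not real traffic): three bots and one benign host.
SAMPLE_FLOWS = (
    # 10.0.0.5 holds 250 idle connections open on the victim's web port
    [Flow("10.0.0.5", "203.0.113.10", "tcp", 80, "SA", 3, 180) for _ in range(250)]
    # 10.0.0.6 floods a UDP port with large random payloads
    + [Flow("10.0.0.6", "203.0.113.10", "udp", 53, "", 8000, 4_000_000)]
    # 10.0.0.7 sends XMAS-flagged (FIN+PSH+URG) TCP packets
    + [Flow("10.0.0.7", "203.0.113.10", "tcp", 443, "FPU", 9000, 360_000)]
    # 10.0.0.9 has ordinary short HTTPS sessions
    + [Flow("10.0.0.9", "203.0.113.10", "tcp", 443, "SPAF", 40, 30_000) for _ in range(5)]
)

if __name__ == "__main__":
    for src, found in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, sorted(found))
```

Because the page notes there is no reflection or amplification, the attacking source addresses in these records are the bots themselves rather than spoofed reflectors, so the per-source labels can feed a block list directly; the absence of a reflected label is itself a useful discriminator against other botnets.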
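The propagation step described above (random targets, a fixed credential dictionary, successes reported to the controller) is visible on the victim side as a short burst of distinct username/password pairs from one source against one or more hosts. The following is an added detection example, not code from the malware or from any source cited on this page. It runs over a constructed honeypot-style login log; the line format, the `telnet` service tag, the window length and the two thresholds are assumptions made for the demonstration.

```python
"""Flag sources performing dictionary brute force against login services and
list which targets they got into.  Added example over a constructed
honeypot log; format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (a honeypot that records the credential tried).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(minutes=10)   # assumed: how long a burst is allowed to span
MIN_DISTINCT_CREDS = 5           # assumed: distinct (user, pass) pairs inside WINDOW
MIN_DISTINCT_TARGETS = 3         # assumed: distinct hosts touched inside WINDOW


def parse(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return {src: report} for sources whose attempts look like dictionary brute force."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)

    reports = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start so every event in it lies within WINDOW of ev.
            while ev["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            creds = {(e["user"], e["pw"]) for e in window}
            targets = {e["dst"] for e in window}
            if len(creds) >= MIN_DISTINCT_CREDS or len(targets) >= MIN_DISTINCT_TARGETS:
                # Hosts where a guess succeeded are the ones the page says get
                # reported to the controller; they need to be treated as compromised.
                reports[src] = {
                    "attempts": len(evs),
                    "distinct_creds": len({(e["user"], e["pw"]) for e in evs}),
                    "targets": sorted({e["dst"] for e in evs}),
                    "compromised": sorted({e["dst"] for e in evs if e["result"] == "ok"}),
                }
                break
    return reports


# Constructed sample log (not a real capture): one bot walking a small
# dictionary against two hosts, and one operator mistyping a password once.
SAMPLE_LOG = """
2016-08-25T10:00:01Z telnet src=198.51.100.7 dst=10.0.0.12 user=root pass=root result=fail
2016-08-25T10:00:02Z telnet src=198.51.100.7 dst=10.0.0.12 user=root pass=admin result=fail
2016-08-25T10:00:03Z telnet src=198.51.100.7 dst=10.0.0.12 user=admin pass=admin result=fail
2016-08-25T10:00:04Z telnet src=198.51.100.7 dst=10.0.0.12 user=root pass=12345 result=fail
2016-08-25T10:00:05Z telnet src=198.51.100.7 dst=10.0.0.12 user=admin pass=1234 result=fail
2016-08-25T10:00:06Z telnet src=198.51.100.7 dst=10.0.0.12 user=user pass=user result=fail
2016-08-25T10:00:09Z telnet src=198.51.100.7 dst=10.0.0.13 user=root pass=root result=fail
2016-08-25T10:00:10Z telnet src=198.51.100.7 dst=10.0.0.13 user=admin pass=admin result=ok
2016-08-25T10:05:00Z telnet src=192.0.2.5 dst=10.0.0.12 user=ops pass=Wr0ngPass result=fail
2016-08-25T10:05:20Z telnet src=192.0.2.5 dst=10.0.0.12 user=ops pass=RightPass1 result=ok
""".strip().splitlines()

if __name__ == "__main__":
    for src, report in detect(SAMPLE_LOG).items():
        print(src, report)
```

The operator at 192.0.2.5 is not flagged: two credential pairs against one host is normal human error. The check is on distinct pairs rather than raw failure count because the dictionary the page describes is small and fixed, so a bot reaches its whole list in seconds and then moves to the next random address, which a simple "N failures" rule tuned for human lockout may not catch.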
See also
- Denial-of-service attack (DoS)
- Fork bomb
- Hajime (malware)
- High Orbit Ion Cannon – the replacement for LOIC used in DDoS attacks
- Low Orbit Ion Cannon – a stress test tool that has been used for DDoS attacks
- Mirai (malware)
- ReDoS
- Slowloris (computer security)
References
- ↑ Cimpanu, Catalin (30 August 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". http://news.Softpedia.com/news/there-s-a-120-000-strong-iot-ddos-botnet-lurking-around-507773.shtml. Retrieved 19 October 2016.
- ↑ Tung, Liam (25 September 2014). "First attacks using shellshock Bash bug discovered". http://www.zdnet.com/article/first-attacks-using-shellshock-bash-bug-discovered/. Retrieved 25 September 2014.
- ↑ Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". http://www.computerweekly.com/news/450299445/LizardStresser-IoT-botnet-launches-400Gbps-DDoS-attack. Retrieved 21 October 2016.
- ↑ Kovacs, Eduard (14 November 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". http://www.securityweek.com/bashlite-malware-uses-shellshock-hijack-devices-running-busybox. Retrieved 21 October 2016.
- ↑ Khandelwal, Swati (17 November 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". http://thehackernews.com/2014/11/bashlite-malware-leverages-shellshock.html. Retrieved 21 October 2016.
- ↑ Paganini, Pierluigi (16 November 2014). "A new BASHLITE variant infects devices running BusyBox". http://securityaffairs.co/wordpress/30225/cyber-crime/bashlite-exploits-shellshock.html. Retrieved 21 October 2016.
- ↑ "Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware". 25 September 2014. http://blog.trendmicro.com/trendlabs-security-intelligence/bash-vulnerability-shellshock-exploit-emerges-in-the-wild-leads-to-flooder/. Retrieved 19 March 2017.
- ↑ Inocencio, Rhena (13 November 2014). "BASHLITE Affects Devices Running on BusyBox". http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/. Retrieved 21 October 2016.
- ↑ "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. http://blog.level3.com/security/attack-of-things/. Retrieved 6 November 2016.
- ↑ "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". Full Circle. 4 September 2016. http://fullcirclemagazine.org/2016/09/04/bashlite-malware-turning-millions-of-linux-based-iot-devices-into-ddos-botnet/. Retrieved 21 October 2016.
- ↑ Masters, Greg (31 August 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. http://www.scmagazine.com/millions-of-iot-devices-enlisted-into-ddos-bots-with-bashlite-malware/article/519741/. Retrieved 21 October 2016.
- ↑ Spring, Tom (30 August 2016). "BASHLITE Family of Malware Infects 1 Million IoT Devices". https://threatpost.com/bashlite-family-of-malware-infects-1-million-iot-devices/120230/. Retrieved 21 October 2016.
- ↑ Kovacs, Eduard (31 August 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". http://www.securityweek.com/bashlite-botnets-ensnare-1-million-iot-devices. Retrieved 21 October 2016.
- ↑ Bing, Matthew (29 June 2016). "The Lizard Brain of LizardStresser". https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/. Retrieved 6 November 2016.