BASHLITE

Original author(s): Lizard Squad
Written in: C
Operating system: Linux
Type: Botnet

BASHLITE (also known as Gafgyt, Lizkebab, Torlus and LizardStresser) is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS).[1] It can launch attacks of up to 400 Gbps.[2]

In 2014 BASHLITE used the Shellshock software bug to compromise devices running BusyBox.[3][4][5][6] In 2015 its source code was leaked, causing a proliferation of different variants.[7] In 2016 it was reported that one million devices had been infected with BASHLITE.[8][9][10][11] Of the identifiable devices participating in these botnets in August 2016, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers and less than 1 percent were compromised Linux servers.[7]

Design

BASHLITE is written in C and designed to cross-compile easily to various architectures.[7]

It uses a client–server model for command and control. The protocol used for communication is essentially a lightweight version of Internet Relay Chat (IRC).[12] Even though it supports multiple command and control servers, most variants have only a single command and control IP address hardcoded.

BASHLITE's exact capabilities differ between variants. Described below are the most common features.[7]

BASHLITE can generate several different types of DDoS attacks: it can hold open TCP connections, send a random string of junk characters to a TCP or a UDP port, or repeatedly send TCP packets with specified flags. There are no facilities for reflected or amplification attacks.

BASHLITE also has a mechanism to run arbitrary shell commands on the infected machine.

BASHLITE propagates via Telnet brute forcing, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to log in, with successful logins reported back to the command and control server.
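The propagation behaviour just described (one infected host opening Telnet connections to many random addresses in a short time) is visible in flow or firewall logs. The following detector is an added example, not code from Wikipedia or from the malware itself: it keeps a per-source sliding window of TCP/23 destinations and flags any source that reaches a threshold of distinct targets. The flow records, the TEST-NET addresses, and the window/threshold values are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # illustrative sliding-window length
THRESHOLD = 20                  # illustrative: distinct Telnet targets per source in WINDOW


def build_sample_flows():
    """Constructed sample flows as (timestamp, src, dst, dst_port); not a real capture.
    One infected device probes 25 distinct hosts on TCP/23 within 25 seconds, an admin
    host repeatedly reaches the same two devices on TCP/23, and a third host talks HTTP."""
    base = datetime(2016, 8, 25, 10, 0, 0)
    flows = []
    for i in range(25):  # BASHLITE-style propagation: many random Telnet targets
        flows.append((base + timedelta(seconds=i), "192.0.2.10", f"203.0.113.{i + 1}", 23))
    for i in range(40):  # legitimate management traffic: few distinct targets
        flows.append((base + timedelta(seconds=i), "192.0.2.20", f"198.51.100.{1 + i % 2}", 23))
    for i in range(30):  # unrelated web traffic, ignored by the detector
        flows.append((base + timedelta(seconds=i), "192.0.2.30", f"203.0.113.{i + 1}", 80))
    return flows


def detect_telnet_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {src: first_alert_time} for every source that contacts at least
    `threshold` distinct destinations on TCP/23 inside a sliding `window`.
    Repeated connections to the same device do not raise the count, so an
    administrator logging into a few devices is not flagged."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port != 23:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop records that fell out of the window
            q.popleft()
        distinct_targets = {d for _, d in q}
        if len(distinct_targets) >= threshold and src not in alerts:
            alerts[src] = ts  # record the moment the source first crossed the threshold
    return alerts


if __name__ == "__main__":
    for src, when in detect_telnet_scanners(build_sample_flows()).items():
        print(f"{when.isoformat()} possible Telnet brute-force/scan source: {src}")
```

On the constructed sample only 192.0.2.10 is flagged, at the 20th distinct target; tune the window and threshold to the normal Telnet fan-out of your own network before deploying this logic.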

References

  1. Cimpanu, Catalin (Aug 30, 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". Softpedia. Retrieved 19 October 2016.
  2. Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". www.computerweekly.com. Retrieved 21 October 2016.
  3. Kovacs, Eduard (November 14, 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". www.securityweek.com. Retrieved 21 October 2016.
  4. Khandelwal, Swati (November 17, 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". thehackernews.com. Retrieved 21 October 2016.
  5. Paganini, Pierluigi (November 16, 2014). "A new BASHLITE variant infects devices running BusyBox". securityaffairs.co. Retrieved 21 October 2016.
  6. Inocencio, Rhena (November 13, 2014). "BASHLITE Affects Devices Running on BusyBox". Trend Micro. Retrieved 21 October 2016.
  7. "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. Retrieved 6 November 2016.
  8. "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". fullcirclemagazine.org. Sep 4, 2016. Retrieved 21 October 2016.
  9. Masters, Greg (August 31, 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. Retrieved 21 October 2016.
  10. Spring, Tom (August 30, 2016). "BASHLITE Family Of Malware Infects 1 Million IoT Devices". threatpost.com. Retrieved 21 October 2016.
  11. Kovacs, Eduard (August 31, 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". www.securityweek.com. Retrieved 21 October 2016.
  12. Matthew Bing (29 June 2016). "The Lizard Brain of LizardStresser". Arbor Networks. Retrieved 6 November 2016.
This article is issued from Wikipedia - version of the 11/7/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.