120k strong botnet found in the wild

News by Roi Perez

Networking and telecoms specialist Level 3 has discovered a botnet of 120,000 devices in the course of conducting DDoS research.

As a result of over a million Internet of Things (IoT) devices getting infected, a 120,000-strong botnet has been found in the wild, Level 3 reports.

The DDoS botnets were created with the help of a malware family known as Gafgyt, also known as Lizkebab, BASHLITE, Torlus and LizardStresser, the last of which is the name of the DDoS toolkit made by Lizard Squad.

According to recent research released by Level 3 in collaboration with Flashpoint, these tools have now compromised over one million IoT devices.

These IoT devices represent 96 percent of the total number of Gafgyt bots involved in recent DDoS attacks. Level 3 says that 95 percent of these devices are DVR devices and IP cameras. Only four percent are home routers and one percent Linux web servers.

Most of the bots are infected IP cameras and DVRs because these devices tend to have high-bandwidth connections to relay video feeds to a control centre. This unfortunately gives criminals huge DDoS capabilities.

According to telemetry data, C&C servers usually live for around 13 days. The largest botnet discovered by Level 3's team contained 120,000 bots.

The worrying part: Level 3 says threat actors don't need huge bot numbers to launch crippling attacks on an unsuspecting victim. A botnet only needs a couple thousand infected devices to be able to launch a DDoS attack of hundreds of Gbps.

According to Level 3, “Each botnet spreads to new hosts by scanning for vulnerable devices to install the malware. Two primary models for scanning exist. The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device. The other model, which is becoming increasingly common, uses external scanners to find and harvest new bots, in some cases scanning from the C2 servers themselves. The latter model adds a wide variety of infection methods, including brute forcing login credentials on SSH servers and exploiting known security weaknesses in other services.”

Lane Thames, software development engineer and security researcher at Tripwire, told SCMagazineUK.com: “As security researchers, we love providing this type of useful information. We view changing default credentials, using encryption, locking down networks with firewalls, etc. as basic security hygiene. However, the bulk of the IoT market consists of non-technical consumers who, at this time, have very little (if any at all) knowledge of how to make these security conscious changes.”

Thames explains: “This is a ‘technology’ component of security where it is up to the manufacturers to build more secure devices. For example, it is well past time to find a better ‘default credential’ solution. In other words, no one should be shipping devices with default credentials. Device manufacturers should be considering new methods to replace the default credential model.”

Concluding, Thames said that: “The ‘human’ component of security must also be addressed in the long run. We will never have a society where everyone is a cyber-security specialist. However, our current educational ecosystem is failing us on the cyber-security front. As a society, we must start integrating the basics of cyber-security knowledge within our education systems. Even if we could solve the technology component of cyber-security, our efforts would be in vain without addressing the human component as well.”
