BASHLITE Hits IoT Devices for DDoS Attacks
BASHLITE is a family of malware that also goes by the names Lizkebab, Torlus and Gafgyt. It was first observed in 2014 and was originally also called Bashdoor; that name now refers to the exploit method the malware used rather than to the malware itself. Botnets built from it have been used to launch attacks of up to 400 Gbps.
What is BASHLITE
BASHLITE is one of the most common families of malware used to launch DDoS (distributed denial-of-service) attacks. It has been active since 2014 and mainly targets IoT devices, exploiting vulnerabilities in Linux-based systems.
The botnet is written in C and primarily infects Linux devices; it is made up mostly of Internet-of-Things (IoT) devices such as cameras, DVRs and home routers. It has a history of adapting to exploit newly disclosed IoT vulnerabilities, and of adopting conventional botnet techniques such as hiding its command traffic behind Tor.
Note: BASHLITE is also known as Gafgyt, Lizkebab, Qbot, Torlus and LizardStresser.
What is a DDoS Attack
A DDoS attack works through a network of Internet-connected machines (a botnet). When the botnet is pointed at a victim, each bot sends requests to the target's IP address, potentially overwhelming the server or network and denying service to normal traffic.
BASHLITE Malware Hits Over One Million IoT Devices
In 2014, the original version of BASHLITE exploited Shellshock, a flaw in the bash shell, to compromise devices running BusyBox. Many new variants followed, used by groups such as Lizard Squad and PoodleCorp to conduct DDoS attacks from IoT devices. Some variants can also infect other vulnerable devices on the local network.
Cybercriminals use these botnets themselves or rent them out as booter or stresser services (DDoS-as-a-service). Bot herders particularly favour security camera DVRs, the devices that record video from security cameras, because nearly all of them are network-connected.
Between 2014 and 2016 it was reported that about one million devices, concentrated in Taiwan, Brazil and Colombia, had been infected with BASHLITE. Of the devices identified in these botnets, almost 96 percent were IoT devices, around 4 percent were home routers, and less than 1 percent were compromised Linux servers.
The research noted that this distribution marks a large shift in botnet composition compared with traditional DDoS botnets built from compromised servers and home routers. The attacks themselves use simple UDP and TCP floods: UDP floods tend to be high-bandwidth attacks, whereas TCP floods tend to be high packets-per-second attacks.
How It Works
BASHLITE infects devices in several ways, but the most common is to use Metasploit modules or other exploits against vulnerable devices. Other observed vectors include scanning random IP addresses for open Telnet ports and brute-forcing logins with a built-in dictionary of default usernames and passwords. When a login succeeds, the bot reports the device to the command and control (C2) server so that it can be infected.
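The Telnet scanning described above leaves a recognisable trace on the device side: a burst of failed logins for a handful of default usernames from one source, sometimes followed by a success. The following is an added example (not code from the original article and not BASHLITE's own code) that flags that pattern in login records. The log format, the sample lines and the window/threshold values are all constructed assumptions for illustration; adapt parse_line() to the format your devices actually emit.

```python
"""Flag Telnet credential brute-forcing of the kind BASHLITE's scanner performs.

Added example; not from the original article and not BASHLITE code. The log
format is constructed for illustration (one line per Telnet login attempt:
timestamp, source address, username tried, result). Real device logs differ;
adapt parse_line() to yours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation address ranges, no real hosts).
# 203.0.113.7 walks a short default-credential list and finally gets in;
# 198.51.100.4 logs in once with no prior failures; 203.0.113.9 fails once.
SAMPLE_LOG = """\
2016-08-25T10:00:01Z telnetd src=203.0.113.7 user=root result=fail
2016-08-25T10:00:02Z telnetd src=203.0.113.7 user=admin result=fail
2016-08-25T10:00:03Z telnetd src=203.0.113.7 user=root result=fail
2016-08-25T10:00:04Z telnetd src=203.0.113.7 user=support result=fail
2016-08-25T10:00:05Z telnetd src=203.0.113.7 user=admin result=fail
2016-08-25T10:00:06Z telnetd src=203.0.113.7 user=root result=success
2016-08-25T10:05:00Z telnetd src=198.51.100.4 user=admin result=success
2016-08-25T11:00:00Z telnetd src=203.0.113.9 user=root result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>fail|success)$"
)

# Verdict severity, so a later finding never downgrades an earlier one.
RANK = {"": 0, "brute_force": 1, "compromise_suspected": 2}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def analyze(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {src: {"verdict", "failures", "users"}} for sources worth looking at.

    A source reaching `threshold` failed logins inside `window` is a brute
    forcer; a success that follows that many failures in the window means the
    dictionary probably contained the device's password (likely compromise).
    Sources that never trip either rule are omitted from the result.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    report = defaultdict(lambda: {"verdict": "", "failures": 0, "users": set()})

    for e in events:
        src, now = e["src"], e["ts"]
        # Drop failures that have aged out of the sliding window.
        recent[src] = fails = [t for t in recent[src] if now - t <= window]
        r = report[src]
        r["users"].add(e["user"])
        if e["ok"]:
            if len(fails) >= threshold:
                r["verdict"] = "compromise_suspected"
        else:
            fails.append(now)
            r["failures"] += 1
            if len(fails) >= threshold and RANK[r["verdict"]] < RANK["brute_force"]:
                r["verdict"] = "brute_force"

    return {
        src: {"verdict": r["verdict"], "failures": r["failures"], "users": sorted(r["users"])}
        for src, r in report.items()
        if r["verdict"]
    }


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

The success-after-failures case is the one to act on first: it means a default credential from the bot's dictionary worked, so the device should be treated as compromised, not merely probed. The distinct `users` list is a useful secondary signal, since a legitimate user rarely cycles through root, admin and support in a few seconds.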
Earlier BASHLITE versions used a single hard-coded IP address to reach the command and control (C2) server, but a newer variant has been observed using Tor-based communications, which lets the operators move C2 servers as attacker-owned download servers are identified and blocked.
Commanded over an Internet Relay Chat (IRC)-style channel, the botnet generates several kinds of DDoS attacks: TCP floods that abuse TCP packet flags, attacks that hold TCP connections open, and floods that bombard a specific TCP or UDP port with junk data. The latest BASHLITE variant also includes some Mirai-based modules and exploits, including HTTP flooding and UDP flooding.
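The article draws a useful operational distinction: UDP floods show up as bandwidth, TCP floods as packet rate, and flag-abuse floods as TCP packets carrying combinations that no real connection produces. The following is an added example (not from the original article and not BASHLITE code) that classifies per-target traffic along those lines from NetFlow-style records. The Flow tuple, the one-second aggregation interval, the sample traffic and the thresholds are all constructed assumptions chosen to illustrate the three signatures.

```python
"""Classify flood traffic the way the article distinguishes it: high-bandwidth
UDP floods versus high packets-per-second TCP floods (SYN floods and TCP
flag abuse).

Added example; not from the original article and not BASHLITE code. Flow
records are constructed NetFlow-style tuples aggregated over a one-second
interval (an assumption), and the thresholds are illustrative.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto flags packets bytes")
INTERVAL_S = 1.0  # assumed aggregation interval for each set of records


def build_sample_flows():
    """Constructed traffic: three floods against different targets plus one benign flow."""
    flows = []
    # UDP junk flood: 200 sources x 50 packets x 1400 bytes -> 10k pps, 112 Mbit/s
    for i in range(200):
        flows.append(Flow(f"10.1.{i // 256}.{i % 256}", "192.0.2.10", "udp", "", 50, 50 * 1400))
    # SYN flood: 300 sources x 400 SYNs x 60 bytes -> 120k pps, 57.6 Mbit/s
    for i in range(300):
        flows.append(Flow(f"10.2.{i // 256}.{i % 256}", "192.0.2.20", "tcp", "S", 400, 400 * 60))
    # TCP flag abuse (FIN/PSH/URG, neither SYN nor ACK): 100 sources x 600 x 40 bytes -> 60k pps
    for i in range(100):
        flows.append(Flow(f"10.3.{i // 256}.{i % 256}", "192.0.2.40", "tcp", "FPU", 600, 600 * 40))
    # Benign: one client, ten ACK packets
    flows.append(Flow("198.51.100.4", "192.0.2.30", "tcp", "A", 10, 10 * 500))
    return flows


def summarize(flows, interval_s=INTERVAL_S):
    """Per-destination rates and composition: pps, Mbit/s, source count, protocol/flag shares."""
    per = defaultdict(lambda: {"pkts": 0, "bytes": 0, "udp": 0, "tcp": 0,
                               "syn": 0, "odd": 0, "srcs": set()})
    for f in flows:
        d = per[f.dst]
        d["pkts"] += f.packets
        d["bytes"] += f.bytes
        d["srcs"].add(f.src)
        if f.proto == "udp":
            d["udp"] += f.packets
        elif f.proto == "tcp":
            d["tcp"] += f.packets
            if f.flags == "S":                       # bare SYN: half-open connection attempt
                d["syn"] += f.packets
            elif "S" not in f.flags and "A" not in f.flags:
                d["odd"] += f.packets                # no SYN and no ACK: not a real conversation
    stats = {}
    for dst, d in per.items():
        stats[dst] = {
            "pps": d["pkts"] / interval_s,
            "mbps": d["bytes"] * 8 / interval_s / 1e6,
            "sources": len(d["srcs"]),
            "udp_share": d["udp"] / d["pkts"],
            "syn_share": d["syn"] / d["tcp"] if d["tcp"] else 0.0,
            "odd_share": d["odd"] / d["tcp"] if d["tcp"] else 0.0,
        }
    return stats


def classify(s, pps_threshold=50_000, mbps_threshold=100.0, min_sources=50):
    """Label one destination's stats. Thresholds are illustrative assumptions."""
    distributed = s["sources"] >= min_sources      # many sources: a botnet, not one noisy client
    if distributed and s["udp_share"] > 0.8 and s["mbps"] > mbps_threshold:
        return "udp_flood"          # volume attack: measured in bandwidth
    if distributed and s["pps"] > pps_threshold and s["syn_share"] > 0.8:
        return "syn_flood"          # rate attack: measured in packets per second
    if distributed and s["pps"] > pps_threshold and s["odd_share"] > 0.8:
        return "tcp_flag_abuse"     # rate attack with impossible flag combinations
    if distributed and (s["pps"] > pps_threshold or s["mbps"] > mbps_threshold):
        return "flood_unclassified"
    return "normal"


def analyze(flows, **thresholds):
    """Map each destination to its flood label."""
    return {dst: classify(s, **thresholds) for dst, s in summarize(flows).items()}


if __name__ == "__main__":
    for dst, label in sorted(analyze(build_sample_flows()).items()):
        print(dst, label)
```

Note what this does not catch: the "hold TCP connections open" attack the article mentions moves very few packets, so it is invisible to volume and rate metrics. Detecting it needs per-connection state from the server or a stateful device (counts of idle or half-open connections per source), not flow records.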
Remedies to Prevent BASHLITE Malware
Malware usually gains its initial foothold through unpatched vulnerabilities or weak credentials, so keep your security features turned on and your software and systems updated. Anti-malware software can help keep your software and system up to date, and it gives your system the ability to detect and block different kinds of malware, viruses, spyware, Trojans and other malicious programs.
- You can use Waredot Antivirus, anti-malware software that protects your system with all the features described above. Waredot Antivirus continuously monitors your system and investigates each unusual activity to detect a compromise of the network.
Download Link: Waredot Antivirus
- All remote services should use strongly encrypted protocols and accept connections only from authorized users or locations. On IoT devices in particular, change the default username and password and disable Telnet (or at least block port 23 from the Internet), since BASHLITE's scanner relies on open Telnet and default credentials.
- Do not follow suspicious links in email or text messages; malicious websites can leak your network details, your activity and other things you do on your network.
- Make sure administrative accounts are used only when necessary.
- Make sure tamper protection settings in security products are enabled where available.
The discovery of Linux.Wifatch was the unusual case of malware that helps consumers defend against other malware rather than causing damage. Its source code was later released openly, and it has been described as a remedy that secures devices from other malware instead of infecting them for gain.
According to Symantec researchers, Linux.Wifatch, also known as Zollard and Reincarna, has been active since 2014. Once it infects a device on a home network, its primary goal is to keep botnets and other threats off that device. According to CSO Online, it gets in using the same weak passwords other malware exploits, but it remains quite open to third-party inspection and even exposes debugging code.
It appears to be an attempt to ward off government surveillance from agencies such as the NSA (National Security Agency): its source code, for instance, includes a quotation from free software advocate Richard Stallman urging prying eyes to defend the constitutional rights of citizens. It has not caused any known harm on its own. Symantec reports that Linux.Wifatch is present on tens of thousands of devices, but no precise estimate is available.
Forbes reported that Linux.Wifatch first checks the Telnet port for suspicious activity and, if needed, disables it. Users are then usually asked to update their router.