September 1, 2016 By Larry Loeb 2 min read

Level 3 Threat Research Labs tracked a family of malware, variously called Lizkebab, BASHLITE, Torlus and Gafgyt, that is capable of causing IoT-based DDoS attacks. The BASHLITE malware family has been around for a while and has many variants.

L3 has been working with security firm Flashpoint to observe the growth of the botnet, which the malware uses to carry out its attack. Threatpost reported that in July, the researchers tracked command-and-control (C&C) locations that were linked to the malware and found that they were communicating with only 74 bots. At a later time, the researchers observed the C&C servers communicating with about 120,000 bots.

BASHLITE Malware Targets IoT Devices

L3 noted in the report that cybercrime groups such as Lizard Squad and Poodle Corp are increasingly targeting IoT devices to build botnets for DDoS attacks. They either use these botnets themselves or rent them out as booter or stresser services (i.e., DDoS-as-a-service). These bot herders favor security camera DVRs, the appliances that collect and record video from security cameras, because such devices are almost always connected to a network and reachable from the internet.

A large percentage of the roughly 1 million infected devices were located in Taiwan, Brazil and Colombia, L3 reported. Many of these bots appear to be generic, white-labeled DVRs.

In short, the report found that a stripped-down device with no real authentication (or with a default login such as admin/admin still enabled somewhere) can be turned into a willing bot by the right malware.

Big Shift in Botnet Composition

Ninety-six percent of the botnet devices used by this malware were IoT devices. Roughly 4 percent of the devices were home routers; somewhat surprisingly, less than 1 percent were tied to a Linux server.

The researchers noted that this distribution represents a large shift in the composition of botnets, compared to the traditional DDoS botnet models based on compromised servers and home routers.

The DDoS attacks themselves are simple UDP and TCP floods. UDP floods are typically used for high-bandwidth (volumetric) attacks, while TCP floods are typically used for high packets-per-second attacks.

Fortunately, L3 found that most of the attacks are short-lived: the median duration was just over two minutes, and 75 percent of the attacks lasted less than five minutes.
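As an added illustration, not code from the L3/Flashpoint report, the following Python sketch shows how a defender might detect the two flood types described above from per-second flow summaries, distinguish bandwidth-driven from packet-rate-driven floods by average packet size, and compute the duration statistics (median, 75th percentile) quoted in the article. The thresholds, the target address (203.0.113.10, a documentation address) and the sample traffic are constructed assumptions.

```python
"""Threshold-based flood detection over constructed per-second flow summaries.

Added example, not from the L3/Flashpoint report: thresholds, target address
and sample traffic are assumptions chosen for illustration.
"""
import math
from dataclasses import dataclass
from statistics import median

# Assumed per-destination trip points; tune them to the link you protect.
PPS_THRESHOLD = 50_000            # packets per second
BPS_THRESHOLD = 100_000_000       # bits per second
LARGE_PACKET_BYTES = 512          # avg packet size splitting volumetric from pps floods
TARGET = "203.0.113.10"           # constructed documentation address


@dataclass(frozen=True)
class FlowSummary:
    """One second of traffic toward one destination for one protocol."""
    second: int
    dst: str
    proto: str      # "udp" or "tcp"
    packets: int
    nbytes: int


@dataclass
class Attack:
    dst: str
    proto: str
    start: int
    end: int        # inclusive
    packets: int = 0
    nbytes: int = 0

    @property
    def duration(self) -> int:
        return self.end - self.start + 1

    @property
    def kind(self) -> str:
        # Large payloads drive bit rate (typical UDP flood); tiny packets
        # drive packet rate (typical TCP/SYN flood).
        avg = self.nbytes / self.packets
        return "high-bandwidth" if avg >= LARGE_PACKET_BYTES else "high-pps"


def detect_attacks(flows):
    """Flag seconds over either threshold and merge consecutive flagged seconds
    per (destination, protocol) into attack events. A one-second gap splits
    an event; widen the merge rule if your collector drops samples."""
    flagged = {}
    for f in sorted(flows, key=lambda f: (f.second, f.dst, f.proto)):
        if f.packets >= PPS_THRESHOLD or f.nbytes * 8 >= BPS_THRESHOLD:
            flagged.setdefault((f.dst, f.proto), []).append(f)
    attacks = []
    for (dst, proto), rows in flagged.items():
        cur = None
        for r in rows:
            if cur is not None and r.second == cur.end + 1:
                cur.end = r.second
            else:
                if cur is not None:
                    attacks.append(cur)
                cur = Attack(dst, proto, r.second, r.second)
            cur.packets += r.packets
            cur.nbytes += r.nbytes
        attacks.append(cur)
    return sorted(attacks, key=lambda a: a.start)


def nearest_rank(sorted_vals, p):
    """Nearest-rank percentile of an ascending list."""
    return sorted_vals[max(0, math.ceil(p * len(sorted_vals)) - 1)]


def summarize(attacks):
    if not attacks:
        return {"count": 0, "median_seconds": None, "p75_seconds": None}
    durations = sorted(a.duration for a in attacks)
    return {"count": len(attacks),
            "median_seconds": median(durations),
            "p75_seconds": nearest_rank(durations, 0.75)}


def build_sample():
    """Constructed capture: steady background traffic plus three floods at TARGET."""
    traffic = {}

    def add(second, proto, packets, nbytes):
        p, b = traffic.get((second, proto), (0, 0))
        traffic[(second, proto)] = (p + packets, b + nbytes)

    for s in range(600):                     # 10 minutes of ordinary traffic
        add(s, "udp", 800, 400_000)
        add(s, "tcp", 2_000, 1_200_000)
    for s in range(100, 250):                # 150 s UDP flood, ~1000-byte packets
        add(s, "udp", 20_000, 20_000_000)
    for s in range(300, 390):                # 90 s TCP SYN-style flood, 60-byte packets
        add(s, "tcp", 120_000, 7_200_000)
    for s in range(500, 560):                # 60 s UDP flood
        add(s, "udp", 15_000, 15_000_000)
    return [FlowSummary(s, TARGET, p, pk, b)
            for (s, p), (pk, b) in sorted(traffic.items())]


if __name__ == "__main__":
    found = detect_attacks(build_sample())
    for a in found:
        print(f"{a.proto} {a.start}-{a.end}s ({a.duration}s) {a.kind}")
    print(summarize(found))
```

The UDP floods trip the bit-rate threshold with large packets and are classed as high-bandwidth; the SYN-style flood trips the packet-rate threshold with tiny packets and is classed as high-pps. Real deployments would feed NetFlow/IPFIX or sFlow summaries into the same logic and baseline the thresholds per link rather than hard-coding them.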
