Lizardsquad’s botnet using IoT to launch latest waves of attack

The Lizardstresser DDoS botnet has grown in popularity throughout 2016 and is increasingly being used to target the Internet of Things.
Arbor Networks reported in its blog a marked increase since the start of the year in the number of Lizardstresser C2 servers. Although the figures may not be exhaustive at this stage, real-world attacks correlate with the DDoS telemetry, obtained by monitoring attack statistics and matching the tool's typical network signature.

Figure: Lizardstresser’s unique C2 instances so far in 2016

Devices are easily compromised when configured only with default passwords, and their accumulated bandwidth is being harnessed to launch further attacks.
One particular group has notably launched a massive 400Gbps attack focusing primarily on US-based gaming sites, Brazilian financial institutions, ISPs and governments.
Lizardstresser, written in C and designed primarily to run on Linux, was initially powered by hacked home routers and operated in a typical C2 structure, with a client used to infect hosts that connect to a hardcoded server.
Its method of communication is a lightweight version of the IRC chat protocol.
Clients use telnet brute-forcing with hard-coded, typical default passwords and report successful connections back to the C2 server for assimilation into the botnet.

char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "login\0", "guest\0"};
char *passwords[] = {"root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0",
                     "login\0", "changeme\0", "1234\0", "12345\0", "123456\0",
                     "default\0", "pass\0", "password\0"};

A sample excerpt of Lizardstresser’s default usernames and passwords for brute forcing
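The credential lists above are useful on the defending side in two ways: auditing a device's configured login against the bot's hard-coded pairs, and spotting the bot's telnet pattern in device logs (a burst of failed logins with default usernames from one source, followed by a success). The script below is an added example, not code from the article or from Arbor Networks. It transcribes the usernames and passwords from the excerpt and assumes a hypothetical telnet daemon log format, shown in the constructed sample; real daemons rarely log the attempted password, so the log-side detection keys on usernames and failure counts only.

```python
import re
from collections import defaultdict

# Credential lists transcribed from the article's excerpt of the bot's source.
DEFAULT_USERNAMES = {"root", "", "admin", "user", "login", "guest"}
DEFAULT_PASSWORDS = {"root", "", "toor", "admin", "user", "guest", "login", "changeme",
                     "1234", "12345", "123456", "default", "pass", "password"}

# Hypothetical telnet daemon log format (constructed for this example, adapt to your syslog):
#   <timestamp> telnetd: login <ok|failed> user='<name>' from=<ipv4>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user='(?P<user>[^']*)' from=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one source cycling through default usernames until it gets in,
# one legitimate login, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
2016-06-30T12:00:01Z telnetd: login failed user='root' from=203.0.113.5
2016-06-30T12:00:01Z telnetd: login failed user='root' from=203.0.113.5
2016-06-30T12:00:02Z telnetd: login failed user='admin' from=203.0.113.5
2016-06-30T12:00:02Z telnetd: login failed user='guest' from=203.0.113.5
2016-06-30T12:00:03Z telnetd: login ok user='root' from=203.0.113.5
2016-06-30T12:05:10Z telnetd: login ok user='alice' from=198.51.100.7
this line is not a login record and is skipped
"""


def is_default_credential(username, password):
    """Configuration audit: True if the pair appears in the bot's hard-coded lists."""
    return username in DEFAULT_USERNAMES and password in DEFAULT_PASSWORDS


def parse_line(line):
    """Return the fields of one log record, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Per-source counters: attempts, attempts with a default username, failures,
    and whether a default username eventually logged in successfully."""
    stats = defaultdict(lambda: {"attempts": 0, "default_user_attempts": 0,
                                 "failures": 0, "default_user_success": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["attempts"] += 1
        default_user = rec["user"] in DEFAULT_USERNAMES
        if default_user:
            s["default_user_attempts"] += 1
        if rec["result"] == "failed":
            s["failures"] += 1
        elif default_user:
            s["default_user_success"] = True
    return dict(stats)


def suspicious_sources(log_text, min_failures=3):
    """Sources showing the bot's pattern: repeated failures using default usernames.
    A later success with a default username means the device should be treated as
    enrolled in the botnet, not merely probed."""
    out = []
    for src, s in summarise(log_text).items():
        if s["default_user_attempts"] >= min_failures and s["failures"] >= min_failures:
            out.append((src, "COMPROMISED" if s["default_user_success"] else "BRUTE_FORCE"))
    return sorted(out)


if __name__ == "__main__":
    for src, verdict in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {verdict}")
    print("root/root is a default pair:", is_default_credential("root", "root"))
```

The threshold of three failures is a starting point for a device that sees little interactive telnet; on a busy management network raise it or add a time window. The audit function is the cheaper control: any device whose login matches it should have its credentials changed and, where possible, telnet disabled before it is exposed.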

The application is compiled for x86, ARM and MIPS architectures, making it adaptable to the vast majority of IoT devices.

The IoT appears to have been chosen because of its typically unrestricted bandwidth and lack of filtering, its stripped-down operating systems, which often prove easier to compromise, and the reuse of default passwords across shared devices.

The attack sources in play are mostly in Vietnam, but a significant number are in Brazil. Targets are found throughout the rest of the world.

An interesting development arose when it was noticed that, when an HTTP GET request was sent to port 80, 90% of the hosts that responded gave the title NETSurveillance WEB. This is generic, reused code that typically appears on Internet-accessible webcams.

The default passwords for this software are available online, and updated versions are allegedly vulnerable to simple SQL injection.

The biggest users of these devices are reportedly Vietnam and Brazil.