BASHLITE

Technical name

As BashLite

As Gafgyt

  • ELF/Gafgyt.[letter]!tr (Fortinet)
  • HEUR:Backdoor.Linux.Gafgyt.[letter] (Kaspersky)
  • DDoS:Linux/Gafgyt.YA!MTB (Microsoft)
  • ELF_GAFGYT.[letter] (Trend Micro)

As QBot

  • Trojan-PSW.Win32.Qbot (Kaspersky)
  • Backdoor.Qbot (Malwarebytes)
  • Win32/Qakbot (Microsoft)
  • Bck/QBot (Panda)
  • Mal/Qbot-[letter] (Sophos)
  • W32.Qakbot (Symantec)
  • BKDR_QAKBOT (Trend Micro)
  • TROJ_QAKBOT (Trend Micro)
  • TSPY_QAKBOT (Trend Micro)
  • WORM_QAKBOT (Trend Micro)
  • Backdoor.Qakbot (VirusBuster)

As PinkSlip

  • W32/Pinkslipbot (McAfee)

As Torlus

Alias: Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus, LizardStresser
Type: Botnet
Authors: Lizard Squad

Technical details

Platform: Linux
Written in: C

BASHLITE (also known as Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus and LizardStresser) is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). [1] Originally it was also known under the name Bashdoor, [2] but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. [3]


The original version in 2014 exploited a flaw in the Bash shell, the Shellshock software bug, to infect devices running BusyBox. [4] [5] [6] [7] A few months later a variant was detected that could also infect other vulnerable devices in the local network. [8] In 2015 its source code was leaked, causing a proliferation of different variants, [9] and by 2016 it was reported that one million devices had been infected. [10] [11] [12] [13]

Of the identifiable devices participating in these botnets in August 2016, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers, and less than 1 percent were compromised Linux servers. [9]

Design

BASHLITE is written in C, and designed to easily cross-compile to various computer architectures. [9]

Exact capabilities differ between variants, but the most common features [9] are several different types of DDoS attack: the bot can hold open TCP connections, send a random string of junk characters to a TCP or a UDP port, or repeatedly send TCP packets with specified flags. Variants may also include a mechanism to run arbitrary shell commands on the infected machine. There are no facilities for reflected or amplification attacks.

BASHLITE uses a client–server model for command and control. The protocol used for communication is essentially a lightweight version of Internet Relay Chat (IRC). [14] Even though it supports multiple command and control servers, most variants have only a single command and control IP address hardcoded.

It propagates by brute-forcing credentials, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to log in, with successful logins reported back to the command and control server.
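A defender-side check for the propagation behaviour described above. This is an added example, not code from the page or from the malware: it scans constructed login-daemon log lines (the line format is an assumption) for a single source that fails logins against several different usernames within a short window, the pattern a credential-dictionary sweep leaves behind, and notes whether a successful login followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page); the format is assumed to be that of
# a BusyBox-style login daemon. Source IPs are documentation addresses.
SAMPLE_LOG = """\
2016-08-25T10:00:01 login[412]: FAILED LOGIN from 203.0.113.7 user 'root'
2016-08-25T10:00:02 login[412]: FAILED LOGIN from 203.0.113.7 user 'admin'
2016-08-25T10:00:02 login[412]: FAILED LOGIN from 203.0.113.7 user 'support'
2016-08-25T10:00:03 login[412]: FAILED LOGIN from 203.0.113.7 user 'user'
2016-08-25T10:00:04 login[412]: FAILED LOGIN from 203.0.113.7 user 'guest'
2016-08-25T10:00:05 login[412]: FAILED LOGIN from 203.0.113.7 user 'root'
2016-08-25T10:00:06 login[412]: LOGIN SUCCESS from 203.0.113.7 user 'root'
2016-08-25T10:05:00 login[413]: FAILED LOGIN from 198.51.100.9 user 'alice'
2016-08-25T10:05:30 login[413]: LOGIN SUCCESS from 198.51.100.9 user 'alice'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login\[\d+\]: (?P<result>FAILED LOGIN|LOGIN SUCCESS) "
    r"from (?P<ip>[\d.]+) user '(?P<user>[^']*)'$"
)

def parse_log(text):
    """Yield (timestamp, ip, user, failed) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                   m["result"] == "FAILED LOGIN")

def find_dictionary_attacks(text, window=timedelta(seconds=60),
                            min_failures=5, min_users=3):
    """Return {ip: summary} for sources whose failures inside one sliding window
    hit several distinct usernames. A single user retrying a typo never trips
    the distinct-username threshold; a dictionary sweep does."""
    events = defaultdict(list)
    for ts, ip, user, failed in parse_log(text):
        events[ip].append((ts, user, failed))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, failed in evs if failed]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                # A success after the sweep is what the bot reports to its C2.
                later_ok = any(not f and ts >= start for ts, _, f in evs)
                hits[ip] = {"failures": len(burst),
                            "distinct_users": len(set(burst)),
                            "later_success": later_ok}
                break
    return hits
```

On the sample above the first source is flagged (six failures over five usernames, then a successful root login) while the second, one failed attempt followed by a success, is not.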

References

  1. Cimpanu, Catalin (30 August 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". Softpedia. Retrieved 19 October 2016.
  2. Tung, Liam (25 September 2014). "First attacks using shellshock Bash bug discovered". ZDNet. Retrieved 25 September 2014.
  3. Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". Computer Weekly. Retrieved 21 October 2016.
  4. Kovacs, Eduard (14 November 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". SecurityWeek.com. Retrieved 21 October 2016.
  5. Khandelwal, Swati (17 November 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". The Hacker News. Retrieved 21 October 2016.
  6. Paganini, Pierluigi (16 November 2014). "A new BASHLITE variant infects devices running BusyBox". Security Affairs. Retrieved 21 October 2016.
  7. "Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware". Trend Micro. 25 September 2014. Retrieved 19 March 2017.
  8. Inocencio, Rhena (13 November 2014). "BASHLITE Affects Devices Running on BusyBox". Trend Micro. Retrieved 21 October 2016.
  9. "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. Archived from the original on 3 October 2016. Retrieved 6 November 2016.
  10. "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". Full Circle. 4 September 2016. Archived from the original on 22 October 2016. Retrieved 21 October 2016.
  11. Masters, Greg (31 August 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. Retrieved 21 October 2016.
  12. Spring, Tom (30 August 2016). "BASHLITE Family of Malware Infects 1 Million IoT Devices". Threatpost.com. Retrieved 21 October 2016.
  13. Kovacs, Eduard (31 August 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". Security Week. Retrieved 21 October 2016.
  14. Bing, Matthew (29 June 2016). "The Lizard Brain of LizardStresser". Arbor Networks. Retrieved 6 November 2016.