LizardStresser is a botnet originally written by the infamous Lizard Squad DDoS group. Its source code was released publicly in early 2015, an act that encouraged aspiring DDoS actors to build their own botnets. Now a number of criminals are using that same code to hijack Internet of Things (IoT) devices and launch distributed denial of service (DDoS) attacks on banking, gaming and government websites.
LizardStresser is a DDoS botnet written in C and designed to run on Linux. The code consists of two halves – a client and a server. The client runs on compromised Linux machines and connects to a hardcoded C2 server. The protocol is essentially a lightweight version of IRC chat. Infected clients connect to the server and receive the commands listed below.
- The ability to launch a DDoS attack using a variety of attack methods:
  - HOLD – holds open TCP connections.
  - JUNK – sends a random string of junk characters to a TCP port.
  - UDP – sends a random string of junk characters to a UDP port.
  - TCP – repeatedly sends TCP packets with the specified flags.
- A mechanism to run arbitrary shell commands. Useful for downloading updated versions of LizardStresser with new C2s, or entirely different malware.
- Propagation via telnet brute forcing. Clients connect to random IP addresses and attempt to log in via telnet using a list of hard-coded usernames and passwords. Successful logins are reported back to the C2 for later assimilation into the botnet.
By utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.
According to Kirk Soluk, threat intelligence and response manager at Arbor Networks:
When it comes to compromising IoT devices, LizardStresser uses a straightforward approach. Telnet brute forcing is the preferred method, with LizardStresser pinging random IPs looking to make a telnet connection. Once this is accomplished it has a hardcoded list of usernames and passwords and uses these to try and log in. When successful, the device is connected to the command-and-control server.
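The propagation mechanism described in the command list above and in Soluk's summary (random targets, telnet, a short list of hardcoded credentials, success reported back to the C2) has a simple defensive signature: a burst of failed telnet logins from one source, each trying a different default account, followed shortly by a success. The following Python script is an added example of that detection logic and is not code from LizardStresser or from Arbor; it operates over constructed syslog-style telnet login lines whose format (`telnetd: login from <ip> user=<name> result=OK|FAIL`) is an assumption made for the example, and the addresses and accounts in the sample are invented.

```python
"""Flag telnet brute-force bursts and the successful login that follows them.

Added example for detecting the telnet propagation behaviour described above.
The log format, addresses and accounts are constructed for this example and
do not come from any real device or from the LizardStresser source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed generic syslog-like telnetd format).
SAMPLE_LOG = """\
2016-06-29T10:00:01 telnetd: login from 203.0.113.7 user=root result=FAIL
2016-06-29T10:00:02 telnetd: login from 203.0.113.7 user=root result=FAIL
2016-06-29T10:00:03 telnetd: login from 203.0.113.7 user=admin result=FAIL
2016-06-29T10:00:04 telnetd: login from 203.0.113.7 user=admin result=FAIL
2016-06-29T10:00:05 telnetd: login from 198.51.100.4 user=root result=FAIL
2016-06-29T10:00:06 telnetd: login from 203.0.113.7 user=support result=FAIL
2016-06-29T10:00:07 telnetd: login from 203.0.113.7 user=guest result=FAIL
2016-06-29T10:00:08 telnetd: login from 203.0.113.7 user=admin result=OK
2016-06-29T10:00:30 telnetd: login from 198.51.100.4 user=root result=OK
2016-06-29T10:05:00 telnetd: login from 192.0.2.9 user=operator result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, source_ip, username, succeeded) tuples sorted by time.

    Lines that do not match the assumed format are skipped rather than
    aborting the whole run, which is what a log pipeline would want.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window brute-force detector.

    A source is flagged once it has `threshold` or more failed logins inside
    `window`. If a successful login from that source arrives while the burst
    is still inside the window, the alert is upgraded to 'compromised' and
    the account that worked is recorded, since that is the credential the
    bot would report back to its C2.
    """
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = {}
    for ts, src, user, ok in events:
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if not ok:
            q.append(ts)
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    src, {"compromised": False, "account": None})
                entry["failures"] = len(q)
        elif src in alerts and q:  # success while a flagged burst is still live
            alerts[src]["compromised"] = True
            alerts[src]["account"] = user
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        state = "COMPROMISED via '%s'" % info["account"] if info["compromised"] else "brute force"
        print("%s: %d failures in window, %s" % (src, info["failures"], state))
```

On the sample above only 203.0.113.7 is flagged: six failures across four default accounts in seven seconds, then a successful `admin` login, which is exactly the sequence a freshly compromised device would show. 198.51.100.4 (one failure, then success) stays below the threshold, so a lone mistyped password does not page anyone; lowering `threshold` trades that tolerance for earlier warning.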
Arbor’s Security Engineering & Response Team (ASERT) has been tracking LizardStresser activity. According to ASERT, the actors behind this botnet have shown a particular interest in Brazil, as well as gaming sites world-wide:
- Two large Brazilian banks
- Two Brazilian telecoms
- Two Brazilian government agencies
- Three large gaming companies based in the US