A million connected devices could be infected by a Bashlite malware-powered DDoS botnet, according to Level 3 Threat Research Labs.
The botnet, uncovered by the security research firm, targets vulnerable Internet of Things devices and forms part of the Bashlite malware family.
Although the researchers have only just uncovered the security threat, it’s thought that the malware was leaked in 2015. Cybercriminals have used it to create a string of new botnets.
Wide-ranging
They also found that the bots have been infiltrating digital video recorders (DVRs) developed by Chinese video surveillance firm Dahua Technology.
Level 3 has since reported the flaw to the company, and it’s just begun developing a patch. Dahua intends to release the latter within the next few weeks.
In a bid to grow and infect more devices, the botnet scans for devices that may not have the correct protection in place and then issues an attack. It uses two scanning techniques to target devices.
Spreading like wildfire
The research firm has been monitoring over 200 C&C (command and control) servers and found that they typically use hard-coded IP addresses.
It said the bots have attacked over a million devices across the world, especially in Asia and South America. Gaming platforms and sites have also been infected by the malware.
“Of the bots we’ve observed participating in attacks, peaking at more than one million devices, a large percentage are located in Taiwan, Brazil and Colombia,” the researchers claim.
“The impacts of these botnets can affect anyone on the internet, not just the IoT device owners. DDoS victims of these botnets are mostly residential users, which is consistent with booter service clientele.
“We also see many popular gaming platforms and sites being attacked, which is typical of the public claims made by multiple well-known DDoS groups.”
Multiple botnets
Attackers are using several versions of the malware. The researchers explained: “After the attacker has gained access to the device, their tools do not bother to identify the architecture of the device they have compromised.
“Instead, they immediately execute both the “busybox wget” and “wget” commands to retrieve their DDoS bot payloads. Then they attempt to run multiple versions of the malware compiled for different architectures, until one executes.”
“The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device.”
“The other model, which is becoming increasingly common, uses external scanners to find and harvest new bots, in some cases scanning from the C2 servers themselves.”