A LizardStresser botnet has launched massive distributed denial of service (DDoS) attacks against banks, telcos and government agencies in Brazil and three large US gaming companies, say researchers.

By targeting internet of things (IoT) devices using default passwords, the botnet has grown large enough to launch a 400 gigabits per second (Gbps) attack without any form of amplification.

The attackers simply used the cumulative bandwidth available to the IoT devices they have infected with the LizardStresser malware.

The malware was created by the Lizard Squad DDoS group, which published its source code in early 2015, enabling other aspiring DDoS attackers to build their own botnets.

LizardStresser activity has increased throughout 2016, with IoT devices starting to becoming a frequent target.

Researchers at Arbor Networks believe LizardStresser is targeting IoT devices for four key reasons.

First, IoT devices typically run an embedded or stripped-down version of the Linux operating system, which means malware can easily be compiled for the target architecture, mostly ARM/MIPS/x86.

Second, IoT devices are likely have total access to the internet without any bandwidth limitations or filtering.

Third, the stripped-down operating system and processing power in most IoT devices leaves less room for security features, including auditing, and most compromises go unnoticed by the owners.

Finally, to save engineering time, manufacturers of IoT devices sometimes re-use portions of hardware and software in different classes of device. As a result of this software re-use, the default passwords used to manage the device initially may be shared across different classes of device.

LizardStresser LizardStresser is a DDoS botnet written in the C programming language with a client designed to run on compromised Linux devices that connect to a hard-coded command and control (C&C) server. The protocol is essentially a lightweight version of the internet relay chat (IRC) protocol, according to Arbor’s Matthew Bing. Infected clients will connect to the server and receive commands to launch DDoS attacks using a variety of attack methods, he wrote in a blog post. Clients can run arbitrary shell commands that are useful for downloading updated versions of LizardStresser or entirely different malware. Clients can also connect to random IP addresses and attempt to log in via telnet using a list of hard-coded usernames and passwords as a propagation method. Successful logins are reported back to the C&C server for later assimilation into the botnet.

The threat actors Arbor has been tracking two LizardStresser C&C servers that its researchers believe are operated by the same group of threat actors. “Although they appear to speak English between each other, their prime targets have exhibited interest in Brazil, as well as gaming sites worldwide,” said Bing. One attack was linked to more than 1,000 source IP addresses and peaked at more than 400Gbps. The researchers said the attack is interesting because the attack packets do not appear to be spoofed, meaning the traffic originates from the source addresses in the packets without amplification relying on the user datagram protocol (UDP), such as the network time protocol (NTP) or the simple network management protocol (SNMP). The threat actors appeared to rapidly change their tactics minute by minute, said Bing, switching between UDP flooding and TCP flooding with a variety of flags. “This was likely the threat actors tuning their attacks for maximum impact. The UDP-based portions of the attack were further characterised as originating from UDP high ports to destination port UDP/443 with a packet size of around1,400 bytes,” he wrote. Researchers traced most of the attack sources to Vietnam, followed by Brazil, but there were also other sources scattered around the globe.

Targeting IoT Almost 90% of the hosts that responded had an HTML title of “NETSurveillance WEB”, said Bing, which appears to be generic code used by a variety of internet-accessible webcams. A default password for the root user is available online, and telnet is enabled by default, he said. “We believe the threat actors customised the LizardStresser brute-force code to use this published but under-utilised default password for IoT devices based on the NETSurveillance code.” The publicly available version of LizardStresser generates IP addresses to brute-force randomly, but Bing said it is possible that this attacker modified the code to prefer certain geographic locations. Another possibility, he said, is that Vietnam and Brazil are the major users of IoT devices running NETSurveillance. LizardStresser is becoming the most popular botnet for IoT devices, the researchers said, because it makes it easy for threat actors to tweak telnet scanning. With minimal research into default passwords for IoT devices, attackers are able to enlist an exclusive group of victims into their botnets.