Pierluigi Paganini
July 01, 2016
The Lizardstresser DDoS botnet has been increasing in popularity throughout 2016 and is being used increasingly to target the Internet of Things.
Arbor Networks reported in their blog, a marked increase since the start of the year in the number of Lizardstresser C2 servers. Although figures may not be completely exhaustive at this stage, there is a noted correlation in real world attacks matching the DDoD telemetry through monitoring attack statistics and matching the tools’ typical network signature.
The code for the LizardStresser, originally written by the Lizard Squad group, was released publicly in early 2015.
“Arbor Networks’ ASERT group has been tracking LizardStresser activity and observed two disturbing trends:
Lizardstresser’s unique C2 instances so far in 2016
Devices are being easily compromised when configured only with default passwords and their accumulated bandwidth is being harnessed to launch further attacks.
One particular group has notably launched a massive 400Gbps attack focusing primarily on US based gaming sites, Brazilian financial institutions, ISPs and governments.
Lizardstresser, written in C and designed primarily to run on Linux was initially powered by hacked home routers and operated in a typical C2 structure with a client used to infect hosts connecting to a hardcoded server.
Its method of communication is a lightweight version of the IRC chat protocol.
Clients use telnet brute forcing methods with hard coded, typical default passwords and report successful connections back to the C2 server for assimilation into the botnet.
Below a sample excerpt of Lizardstresser ’s default usernames and passwords for brute forcing
char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "login\0", "guest\0"};
char *passwords[] = {"root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0",
"login\0", "changeme\0", "1234\0", "12345\0", "123456\0", "default\0",
"pass\0", "password\0"};
The application is compiled for x86, ARM and MIPS architectures making it adaptable to the vast majority of IoT devices.
The IoT appears to have been chosen due to its typically unrestricted access to bandwidth and filtering, stripped down OS’ which often prove easier to compromise and reuse of default passwords across shared devices.
The attack sources in play are mostly coming from Vietnam but a significant number are emanating from Brazil. Targets are found throughout the rest of the world.
An interesting development arose when it was noticed that when an HTTP GET request was sent to port 80, 90% of hosts that responded gave the title NETSurveillance WEB. This is generic, reused code that typically appears from Internet accessible webcams. The default passwords for this are available online and updated versions are allegedly vulnerable to simple SQL injection.
Most of the compromised devices are reportedly from Vietnam and Brazil.
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
Twitter: @CybrViews
[adrotate banner=”9″]
(Security Affairs –LizardStresser, Lizard Squad)
