The Lizard Brain of LizardStresser

LizardStresser is a botnet originally written by the infamous Lizard Squad DDoS group. The source code was released publicly in early 2015, an act that encouraged aspiring DDoS actors to build their own botnets. Arbor Networks’ ASERT group has been tracking LizardStresser activity and observed two disturbing trends:

  1. The number of unique LizardStresser command-and-control (C2) sites has been steadily increasing throughout 2016.
  2. A set of threat actors behind LizardStresser have focused on targeting Internet of Things (IOT) devices using default passwords that are shared amongst entire device classes.

Utilizing the cumulative bandwidth available to these IOT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.

LizardStresser

LizardStresser is a DDoS botnet written in C and designed to run on Linux. The code consists of two halves – a client and server. The client is designed to run on compromised Linux machines which connect to a hardcoded C2 server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands, listed below.

  • The ability to launch a DDoS attack using a variety of attack methods:
    • HOLD – holds open TCP connections.
    • JUNK – send a random string of junk characters to a TCP port.
    • UDP – send a random string of junk characters to a UDP port.
    • TCP – repeatedly send TCP packets with the specified flags.
  • A mechanism to run arbitrary shell commands. Useful for downloading updated versions of LizardStresser with new C2s, or entirely different malware.
  • Propagation via telnet brute forcing. Clients connect to random IP addresses and attempt to log in via telnet using a list of hard-coded usernames and passwords. Successful logins are reported back to the C2 for later assimilation into the botnet.

LizardStresser is extremely simple to compile and run. We’ve observed samples compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IOT devices.
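The propagation behaviour described above has a recognisable network footprint: an infected client opens outbound TCP/23 connections to many unrelated, random addresses in a short time. The following is an added detection example, not ASERT's or LizardStresser's own code. It reads constructed firewall/NetFlow-style log lines (the "timestamp src sport dst dport proto" layout is an assumption of this example) and flags any internal host whose distinct telnet destinations inside a sliding window exceed a threshold; the window and threshold values are illustrative.

```python
"""Flag hosts that behave like a LizardStresser client propagating over telnet.

Added example (not ASERT's or LizardStresser's own code). Constructed
flow records: "timestamp src_ip src_port dst_ip dst_port proto".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps six distinct hosts on TCP/23 within
# seconds (scanner-like); 10.0.0.8 is an admin re-connecting to one device
# and then browsing the web, which must not be flagged.
SAMPLE_FLOWS = """\
2016-06-01T10:00:00 10.0.0.5 40001 203.0.113.7 23 tcp
2016-06-01T10:00:01 10.0.0.5 40002 198.51.100.9 23 tcp
2016-06-01T10:00:02 10.0.0.5 40003 192.0.2.44 23 tcp
2016-06-01T10:00:03 10.0.0.5 40004 203.0.113.120 23 tcp
2016-06-01T10:00:04 10.0.0.5 40005 198.51.100.201 23 tcp
2016-06-01T10:00:05 10.0.0.5 40006 192.0.2.17 23 tcp
2016-06-01T10:00:06 10.0.0.5 40007 203.0.113.7 23 tcp
2016-06-01T10:00:00 10.0.0.8 51000 192.0.2.10 23 tcp
2016-06-01T10:05:00 10.0.0.8 51001 192.0.2.10 23 tcp
2016-06-01T10:05:30 10.0.0.8 51002 192.0.2.10 23 tcp
2016-06-01T10:06:00 10.0.0.8 51003 203.0.113.80 80 tcp
2016-06-01T10:06:01 10.0.0.8 51004 203.0.113.81 80 tcp
2016-06-01T10:06:02 10.0.0.8 51005 203.0.113.82 443 tcp
"""


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, int(sport), dst, int(dport), proto


def find_telnet_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: max distinct TCP/23 destinations seen in any window}
    for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport == 23:
            per_src[src].append((ts, dst))

    scanners = {}
    for src, events in per_src.items():
        events.sort()                 # sliding window needs time order
        in_window = Counter()         # destination -> connections in window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window on the left edge.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))   # distinct destinations now
        if best >= threshold:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for host, peak in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {peak} distinct telnet targets inside one window")
```

Counting distinct destinations rather than raw connections is what separates a scanner from an operator who repeatedly reconnects to the same device; repeated hits on one address keep the count at one.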

Trends

ASERT has been tracking LizardStresser C2s since the tool first appeared on the scene. For the calendar year 2016 we’ve noted a marked increase in the unique number of C2s – upwards of a hundred by June. While we don’t know if we have every sample of LizardStresser in the wild, Arbor is in a unique position to correlate an increase in C2s with real-world attacks that match the LizardStresser network signature and DDoS telemetry from C2 monitoring and ATLAS DDoS attack statistics.


Figure 1: Unique LizardStresser C2s for 2016

IOT

The telnet brute-forcing capability of LizardStresser attempts to log in to random IP addresses with a hard-coded list of usernames and passwords. The publicly available version of LizardStresser has the usernames and passwords listed in Figure 2.

char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "login\0", "guest\0"};
char *passwords[] = {"root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0",
                     "login\0", "changeme\0", "1234\0", "12345\0", "123456\0", "default\0",
                     "pass\0", "password\0"};

Figure 2: Default usernames and passwords

Obviously this list constitutes the absolute weakest of the weak. From the perspective of a threat actor, any machines that fall victim to this default list are most likely already compromised. In the case of DDoS malware, the value of a victim is how much bandwidth of attack traffic it can generate. If a machine is already compromised, its bandwidth is likely already being utilized. The threat actor can attempt to evict competing malware, but this takes time and effort.

Enter IOT devices. They are ideal DDoS bots for a variety of reasons.

  • They typically run an embedded or stripped-down version of the familiar Linux operating system. Malware can easily be compiled for the target architecture, mostly ARM/MIPS/x86.
  • If they are Internet-accessible, they most likely have total access to the Internet without any bandwidth limitations or filtering.
  • The stripped-down operating system and processing power in most IOT devices leaves less room for security features, including auditing, and most compromises go unnoticed by the owners.
  • In order to save engineering time, manufacturers of IOT devices sometimes re-use portions of hardware and software in different classes of devices. As a product of this software re-use, the default passwords used to initially manage the device may be shared across entirely different classes of devices.

This last point, the re-use of default passwords across device classes, is particularly attractive to threat actors. Simply recompiling LizardStresser to use these well-known, but under-utilized (by attackers at least) default passwords opens up an entire new group of potential victims.
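A defender who runs a telnet honeypot can turn the Figure 2 list into a classifier: attempts confined to the public credential pairs come from a stock build, while a source that also tries pairs outside the list is running a recompiled variant hunting for a specific device class. The following is an added example, not ASERT's or LizardStresser's own code. It assumes the bot tries the full cross product of the two arrays (an upper bound; the real iteration order is not stated in the post), consumes constructed honeypot records, and uses an obvious placeholder where a vendor default password would appear.

```python
"""Profile telnet login attempts against the public LizardStresser list.

Added example (not ASERT's or LizardStresser's own code). The credential
arrays below are copied from the post's Figure 2; the honeypot records are
constructed and "VENDOR-DEFAULT-PLACEHOLDER" stands in for whatever device
default a customized build would carry.
"""
from collections import Counter, defaultdict

# Figure 2 as written in the C source; the explicit "\0" is redundant in a C
# string literal, so "root\0" is simply "root" to strcmp()/strlen().
PUBLIC_USERNAMES = ["root\0", "\0", "admin\0", "user\0", "login\0", "guest\0"]
PUBLIC_PASSWORDS = ["root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0",
                    "login\0", "changeme\0", "1234\0", "12345\0", "123456\0",
                    "default\0", "pass\0", "password\0"]


def c_string(literal):
    """Mimic C: the value ends at the first NUL byte."""
    return literal.split("\0", 1)[0]


# Assumption: every username is paired with every password.
PUBLIC_PAIRS = frozenset((c_string(u), c_string(p))
                         for u in PUBLIC_USERNAMES for p in PUBLIC_PASSWORDS)

# Constructed honeypot records: one stock bot, one customized build.
SAMPLE_ATTEMPTS = [
    {"src": "203.0.113.5", "user": "root", "password": "root"},
    {"src": "203.0.113.5", "user": "root", "password": "toor"},
    {"src": "203.0.113.5", "user": "admin", "password": "admin"},
    {"src": "203.0.113.5", "user": "", "password": ""},
    {"src": "198.51.100.7", "user": "root", "password": "root"},
    {"src": "198.51.100.7", "user": "root", "password": "VENDOR-DEFAULT-PLACEHOLDER"},
    {"src": "198.51.100.7", "user": "admin", "password": "VENDOR-DEFAULT-PLACEHOLDER"},
]


def profile_sources(attempts):
    """Per source: how many attempts used public pairs, which pairs were
    outside the list, and whether that marks a customized build."""
    per_src = defaultdict(lambda: {"public": 0, "novel": []})
    for rec in attempts:
        pair = (rec["user"], rec["password"])
        bucket = per_src[rec["src"]]
        if pair in PUBLIC_PAIRS:
            bucket["public"] += 1
        else:
            bucket["novel"].append(pair)
    return {src: {**b, "customized": bool(b["novel"])} for src, b in per_src.items()}


def novel_credentials(attempts):
    """Which non-public pairs are being tried, and how often. These are the
    device defaults an operator should check their own inventory against."""
    return Counter((r["user"], r["password"]) for r in attempts
                   if (r["user"], r["password"]) not in PUBLIC_PAIRS)


if __name__ == "__main__":
    for src, info in profile_sources(SAMPLE_ATTEMPTS).items():
        print(src, "customized build" if info["customized"] else "stock list", info)
    print(novel_credentials(SAMPLE_ATTEMPTS).most_common())
```

The useful output is `novel_credentials`: the pairs that fall outside the public list are exactly the vendor defaults being actively targeted, which is a concrete list to test against one's own device fleet.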

Brazilian and Gaming Attacks

ASERT has been tracking two LizardStresser C2s that we believe are operated by the same group of threat actors. Although they appear to speak English with each other, their choice of targets shows an interest in Brazil, as well as gaming sites world-wide:

  • Two large Brazilian banks
  • Two Brazilian telecoms
  • Two Brazilian government agencies
  • Three large gaming companies based in the US

In one instance we were able to observe attack commands from a LizardStresser C2 and correlate it with rich attack information. The attack spiked at over 400 Gbps from several thousand source addresses. The attack traffic itself exactly matched what is produced by LizardStresser’s random payload generator – a string of upper-case letters. What’s interesting is that the attack packets do not appear to be spoofed, meaning the traffic originates from the source addresses in the packets – and no UDP-based amplification protocols such as NTP or SNMP were used.


Figure 3: LizardStresser Payload

The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags. This was likely the threat actors tuning their attacks for maximum impact. The UDP-based portions of the attack were further characterized as originating from UDP high-ports to destination port UDP/443 with a packet size of ~1400 bytes.
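The UDP portion of the attack has three observable traits that a network monitor can test per packet: a payload made only of upper-case letters, a size around 1400 bytes, and a high source port towards destination UDP/443. The following is an added detection example, not ASERT's or LizardStresser's own code. Packets are constructed dicts (a capture parser would feed real ones), and the 1300 to 1500 byte tolerance around the post's "~1400 bytes" is an assumption of this example; the HOLD and TCP-flag floods mentioned in the post are not covered by this check.

```python
"""Classify UDP packets that match the LizardStresser flood seen by ASERT.

Added example (not ASERT's or LizardStresser's own code). Packets are
constructed dicts: {"src", "sport", "dst", "dport", "proto", "payload"}.
"""
import random
import string

UPPER = frozenset(string.ascii_uppercase.encode())


def _fake_payload(rng, size):
    """Constructed stand-in for the bot's random upper-case payload."""
    return bytes(rng.choice(string.ascii_uppercase.encode()) for _ in range(size))


_rng = random.Random(1)  # seeded so the sample is reproducible
SAMPLE_PACKETS = [
    # three flood packets from two (non-spoofed) sources
    {"src": "203.0.113.10", "sport": 48211, "dst": "192.0.2.1", "dport": 443,
     "proto": "udp", "payload": _fake_payload(_rng, 1400)},
    {"src": "203.0.113.10", "sport": 48212, "dst": "192.0.2.1", "dport": 443,
     "proto": "udp", "payload": _fake_payload(_rng, 1398)},
    {"src": "198.51.100.20", "sport": 53001, "dst": "192.0.2.1", "dport": 443,
     "proto": "udp", "payload": _fake_payload(_rng, 1402)},
    # legitimate-looking UDP/443 traffic: binary payload, must not match
    {"src": "198.51.100.30", "sport": 55000, "dst": "192.0.2.1", "dport": 443,
     "proto": "udp", "payload": bytes(range(256)) * 5},
    # DNS query: wrong port and far too small
    {"src": "198.51.100.31", "sport": 40000, "dst": "192.0.2.53", "dport": 53,
     "proto": "udp", "payload": b"\x12\x34\x01\x00" + b"\x00" * 30},
    # same payload shape over TCP: not the UDP flood signature
    {"src": "198.51.100.32", "sport": 40001, "dst": "192.0.2.1", "dport": 443,
     "proto": "tcp", "payload": _fake_payload(_rng, 1400)},
]


def is_lizardstresser_udp(pkt, size_window=(1300, 1500)):
    """True when the packet has every trait of the observed UDP flood."""
    if pkt["proto"] != "udp" or pkt["dport"] != 443 or pkt["sport"] < 1024:
        return False
    payload = pkt["payload"]
    lo, hi = size_window
    if not (lo <= len(payload) <= hi):
        return False
    # The random payload generator emits only upper-case letters.
    return bool(payload) and all(b in UPPER for b in payload)


def summarize(packets):
    """Aggregate matches the way the post does: packets, distinct sources, bytes."""
    hits = [p for p in packets if is_lizardstresser_udp(p)]
    return {
        "matched": len(hits),
        "sources": sorted({p["src"] for p in hits}),
        "bytes": sum(len(p["payload"]) for p in hits),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Because the sources are not spoofed, the distinct-source set from `summarize` is directly usable for notifying the owning networks, which is the step the post describes next.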


The attack sources themselves overwhelmingly came from Vietnam, secondly Brazil, and finally victims scattered throughout the rest of the world. By taking the unique source addresses and attempting an HTTP “GET /” to TCP port 80 on each, a pattern emerged. Almost 90% of the hosts that responded had an HTML title of “NETSurveillance WEB”.

Doing some more research, the NETSurveillance WEB interface appears to be generic code used by a variety of Internet-accessible webcams. A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customized the LizardStresser brute-force code to use this published, but under-utilized default password for IOT devices based on the NETSurveillance code.

The publicly available version of LizardStresser generates IP addresses to brute-force randomly, but it’s possible this threat actor modified the code to prefer certain geographic locations. Another possibility is that Vietnam and Brazil are the major users of IOT devices running the NETSurveillance code.

Conclusion

LizardStresser is becoming the botnet-du-jour for IOT devices given how easy it is for threat actors to make minor tweaks to its telnet scanning. With minimal research into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets. Arbor has observed LizardStresser C2s issue attack commands to IoT devices and a resultant DDoS attack upwards of 400Gbps without using reflection/amplification, a notable feat fueled by an arcane piece of information.
