
More IoT botnets connected to DDoS attacks

Security researchers have found another botnet operation exploiting internet of things devices to carry out powerful distributed denial of service attacks, prompting calls for IoT device makers to improve security

Security researchers have discovered further botnets that exploit internet of things (IoT) devices to carry out massive distributed denial of service (DDoS) attacks.

The malware behind these DDoS botnets that amass up to a million devices goes by many names, including Lizkebab, Bashlite, Torlus and gafgyt, according to the researchers at Level 3 Threat Research Labs.

News of the IoT botnet comes just two months after researchers at Arbor Networks revealed that a LizardStresser botnet was using IoT devices to launch DDoS attacks in Brazil and the US.

By targeting IoT devices using default passwords, the botnet grew large enough to launch a 400 gigabits per second (Gbps) attack without any form of amplification, the Arbor researchers said.

The attackers simply used the cumulative bandwidth available to the IoT devices they had infected with the LizardStresser malware.

Each Lizkebab botnet is capable of launching powerful DDoS attacks and spreads to new hosts by scanning for vulnerable devices and installing the malware on them, the researchers said.

The researchers described two models of propagation. In the first, the bots themselves scan for open telnet ports and attempt to brute-force the username and password to gain access to the device; in the second, the attackers use external scanners to find and harvest new bots.

Infection methods

The second model adds a wide variety of infection methods, they said, including brute-forcing login credentials on secure shell (SSH) servers and exploiting known security weaknesses in other services.
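As an added example, not code from the Level 3 or Arbor researchers or from any product named on this page, the following Python shows detection logic a defender could run over the authentication log of a telnet-exposed device or a telnet honeypot to spot both propagation models described above: a single source rapidly cycling through credentials (the bots scanning and brute-forcing for themselves), and many sources that each try one or two factory-default pairs (external scanners harvesting bots). The log format, the RFC 5737 addresses, the credentials and the default-credential list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a telnet-honeypot style (not taken from the
# Level 3 or Arbor reports). Timestamps, addresses and credentials are
# illustrative only.
SAMPLE_LOG = """\
2016-08-30T11:02:13Z telnetd: auth attempt from 198.51.100.7 user=root pass=root result=fail
2016-08-30T11:02:14Z telnetd: auth attempt from 198.51.100.7 user=root pass=12345 result=fail
2016-08-30T11:02:15Z telnetd: auth attempt from 198.51.100.7 user=admin pass=admin result=fail
2016-08-30T11:02:16Z telnetd: auth attempt from 198.51.100.7 user=root pass=password result=fail
2016-08-30T11:02:17Z telnetd: auth attempt from 198.51.100.7 user=admin pass=1234 result=success
2016-08-30T11:05:40Z telnetd: auth attempt from 203.0.113.9 user=admin pass=Tr0ub4dor result=fail
2016-08-30T11:40:02Z telnetd: auth attempt from 203.0.113.9 user=admin pass=correct-horse result=success
"""

# Illustrative set of factory-default pairs, constructed for this example.
# A real deployment would use a much longer list built from vendor manuals.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("root", "12345"), ("root", "password"),
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: auth attempt from (?P<src>[\d.]+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "pw": m["pw"], "ok": m["result"] == "success"}


def failures_in_window(times, window_seconds, threshold):
    """True if at least `threshold` timestamps fall inside any sliding window."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def analyse(log_text, window_seconds=60, threshold=4):
    """Per-source summary: brute-force bursts and factory-default usage."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    report = {}
    for src, events in by_src.items():
        failures = [e["ts"] for e in events if not e["ok"]]
        pairs = [(e["user"], e["pw"]) for e in events]
        report[src] = {
            "attempts": len(events),
            "failures": len(failures),
            "distinct_pairs": len(set(pairs)),
            "default_attempts": sum(p in DEFAULT_CREDENTIALS for p in pairs),
            "brute_force": failures_in_window(failures, window_seconds, threshold),
            "default_credential_success": any(
                e["ok"] and (e["user"], e["pw"]) in DEFAULT_CREDENTIALS for e in events),
        }
    return report


def default_credential_sources(report):
    """Sources that tried any factory-default pair, regardless of volume.
    This catches the second model, where many distinct scanners each make
    only one or two attempts and never trip a per-source threshold."""
    return sorted(src for src, r in report.items() if r["default_attempts"] > 0)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, summary in result.items():
        print(src, summary)
    print("sources using default pairs:", default_credential_sources(result))
```

The per-source burst check alone would miss the harvesting model, which is why the second function keys on the credential content rather than the volume: a single attempt with a factory-default pair from an address that has no business logging in is itself the signal, and a successful one is an incident.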

Once the attackers have gained access to a device, they simply attempt to run multiple versions of the malware for up to 12 device types until one executes.

The researchers expect the infection techniques, scanning methods and overall sophistication to continue to evolve.

Digital video recorders (DVRs) that collect footage from security cameras are among the devices currently favoured by these bot herders, the researchers said.

These devices often come configured with telnet and web interfaces enabled and many are left configured with default credentials, making them easy to compromise.

Most of these devices run some version of embedded Linux, which, when combined with the bandwidth required to stream video, provide a “potent” class of DDoS bots, the researchers said.

White-labelled DVRs

A large majority of the botnets observed by Level 3 were using white-labelled DVRs and DVRs manufactured by the company Dahua Technology.

The researchers said they had alerted Dahua Technology about the issue, noting that there are more than a million of these two types of DVRs that could be hijacked for use in botnets.

The security of IoT devices poses a significant threat, the researchers said, and they have called on the suppliers of these devices to improve their security.

Sean Newman, director at Corero Network Security, said the Lizkebab IoT botnets are yet another example of how the collective power of vulnerable devices openly connected to the internet can be harnessed for nefarious activities. 

“The rise of IoT, and the devices associated with it, is making it easy for today’s educated attackers,” he said. 

Security an after-thought

Newman said IoT devices often have just enough processing power to deliver their required functionality, with security an after-thought at best and often not present at all.

“Combine this with the fact that the access control passwords that do exist are often left at their factory defaults, or users choose alternatives that are easy to crack using brute force techniques, then this problem is not going away any time soon,” he said.

The good news from the perspective of DDoS defence, said Newman, is that defending against a volumetric attack from thousands of sources each sending a small amount of traffic, as opposed to a small number of sources sending larger volumes, can be done using much the same techniques.


The use of IoT devices in botnets is not new, the Level 3 researchers said, but as such devices become more common, they expect these types of botnet to increase in number and power.

“The bulk of the IoT market consists of non-technical consumers who, at this time, have little, if any, knowledge of how to make these security-conscious changes,” said Lane Thames, software development engineer and security researcher at Tripwire.

“This is a ‘technology’ component of security where it is up to the manufacturers to build more secure devices. For example, it is well past time to find a better ‘default credential’ solution. In other words, no one should be shipping devices with default credentials.”

Default credential model

Thames said device manufacturers should be considering new methods to replace the default credential model.
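To make concrete what replacing the default credential model could look like in device firmware, here is an added Python sketch; it is not code from Tripwire, Dahua Technology or any supplier mentioned on this page. Each unit is provisioned with its own random starting password (assumed to be printed on the unit's label at the factory), only a salted hash is kept on the device, the first successful login forces a password change, candidates that match well-known factory defaults or the provisioning secret are refused, and failed attempts back off exponentially to blunt the brute forcing described above. The denylist, the length rule and the back-off schedule are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative denylist of passwords commonly shipped as factory defaults.
# Constructed for this example; a real device should use a far longer list.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "1234", "root", "default"}

PBKDF2_ITERATIONS = 100_000  # assumption; tune to the device's CPU budget


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_policy_error(candidate):
    """Return a reason string if the candidate is unacceptable, else None."""
    if candidate.lower() in COMMON_PASSWORDS:
        return "matches a well-known factory default"
    if len(candidate) < 10:
        return "too short"
    return None


class DeviceAccount:
    """Admin account state for one unit, as firmware might keep it."""

    def __init__(self, serial):
        self.serial = serial
        self._salt = None
        self._hash = None
        self.must_change = True      # first successful login must set a new password
        self.failed_attempts = 0

    def provision(self):
        """Factory step: generate this unit's unique starting password, store
        only its hash, and return the plaintext once for the label. No two
        units share a starting password, so a leaked list is useless."""
        password = secrets.token_urlsafe(12)
        self._salt, self._hash = hash_password(password)
        self.must_change = True
        return password

    def verify(self, password):
        if self._hash is None:       # never provisioned: nothing can log in
            return False
        _, candidate = hash_password(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)

    def backoff_seconds(self):
        """Delay the device should impose before accepting the next attempt.
        Back-off rather than a hard lockout, so a remote attacker cannot
        lock the owner out of their own device."""
        return min(2 ** self.failed_attempts, 300) if self.failed_attempts else 0

    def login(self, password):
        if not self.verify(password):
            self.failed_attempts += 1
            return "denied"
        self.failed_attempts = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, current, new):
        """Replace the password; refuses weak, default-like or unchanged values."""
        if not self.verify(current):
            return False
        if password_policy_error(new) is not None:
            return False
        if self.verify(new):          # same as the current (provisioning) password
            return False
        self._salt, self._hash = hash_password(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    unit = DeviceAccount("DVR-0001")
    label_password = unit.provision()
    print("label:", label_password)
    print(unit.login("admin"), "back off", unit.backoff_seconds(), "s")
    print(unit.login(label_password))
    print(unit.change_password(label_password, "correct horse battery staple"))
    print(unit.login("correct horse battery staple"))
```

Two design points matter here beyond the code. The plaintext provisioning password exists only on the label and in the return value of provision(), never in flash, so a firmware image dump reveals nothing shared across units. And back-off is chosen over a lockout counter because, on a device exposed to the internet as these DVRs are, a hard lockout hands any scanner a trivial denial of service against the legitimate owner.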

But he believes the human component of security must also be addressed in the long run. “We will never have a society where everyone is a cyber security specialist, but our current educational ecosystem is failing us on the cyber security front,” he said.

“As a society, we must start integrating the basics of cyber security knowledge within our education systems. Even if we could solve the technology component of cyber security, our efforts would be in vain without addressing the human component as well.”
