Security researchers have discovered more powerful botnets exploiting internet of things (IoT) devices to carry out massive distributed denial of service (DDoS) attacks.
The malware behind these DDoS botnets that amass up to a million devices goes by many names, including Lizkebab, Bashlite, Torlus and gafgyt, according to the researchers at Level 3 Threat Research Labs.
News of the IoT botnet comes just two months after researchers at Arbor Networks revealed that a LizardStresser botnet was using IoT devices to launch DDoS attacks in Brazil and the US.
By targeting IoT devices using default passwords, the botnet grew large enough to launch a 400 gigabits per second (Gbps) attack without any form of amplification, the Arbor researchers said.
The attackers simply used the cumulative bandwidth available to the IoT devices they had infected with the LizardStresser malware.
Each Lizkebab botnet is capable of launching powerful DDoS attacks and spreads to new hosts by scanning for vulnerable devices in order to install the malware, the researchers said.
Either the bots scan ports for telnet servers and attempt to brute-force the username and password to gain access to the device, or the attackers use external scanners to find and harvest new bots.
Infection methods
The second model adds a wide variety of infection methods, they said, including brute-forcing login credentials on secure shell (SSH) servers and exploiting known security weaknesses in other services.
Once the attackers have gained access to a device, they simply attempt to run multiple versions of the malware for up to 12 device types until one executes.
The researchers expect the infection techniques, scanning methods and overall sophistication to continue to evolve.
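The two behaviours described above (a successful login that follows a burst of failed telnet or SSH logins, then several binaries failing to execute until one runs) can be turned into a simple detection rule. This is an added example, not code from the article or from the researchers; the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): "<epoch> <device> <event> <detail>"
SAMPLE_LOG = """\
1000 dvr-01 login_fail telnet src=203.0.113.7 user=root
1001 dvr-01 login_fail telnet src=203.0.113.7 user=admin
1002 dvr-01 login_fail telnet src=203.0.113.7 user=support
1003 dvr-01 login_ok telnet src=203.0.113.7 user=root
1005 dvr-01 exec_fail path=/tmp/b.mips err=ENOEXEC
1006 dvr-01 exec_fail path=/tmp/b.x86 err=ENOEXEC
1007 dvr-01 exec_fail path=/tmp/b.sh4 err=ENOEXEC
1008 dvr-01 exec_ok path=/tmp/b.arm
2000 cam-02 login_fail ssh src=198.51.100.4 user=admin
2001 cam-02 login_ok ssh src=198.51.100.4 user=admin
2300 cam-02 exec_ok path=/usr/bin/uptime
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (.*)$")

def detect(log_text, min_fails=3, min_exec_fails=2, window=60):
    """Return {device: [findings]} for the two behaviours described above."""
    fails = defaultdict(list)       # (device, src) -> timestamps of failed logins
    exec_fails = defaultdict(list)  # device -> (timestamp, path) of failed executions
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, device, event, detail = int(m[1]), m[2], m[3], m[4]
        fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        if event == "login_fail":
            fails[(device, fields.get("src"))].append(ts)
        elif event == "login_ok":
            # Success preceded by a burst of failures from the same source
            recent = [t for t in fails[(device, fields.get("src"))] if ts - t <= window]
            if len(recent) >= min_fails:
                findings[device].append("login_after_bruteforce")
        elif event == "exec_fail":
            exec_fails[device].append((ts, fields.get("path")))
        elif event == "exec_ok":
            # Several distinct binaries failed shortly before one finally ran
            recent = {p for t, p in exec_fails[device] if ts - t <= window}
            if len(recent) >= min_exec_fails:
                findings[device].append("multi_arch_exec_until_success")
    return dict(findings)
```

On the constructed sample, only dvr-01 is flagged; cam-02's single mistyped password and normal command do not meet either threshold.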
Security camera DVRs (digital video recorders), used to collect video from security cameras, are among the devices currently favoured by these bot herders, the researchers said.
These devices often come configured with telnet and web interfaces enabled and many are left configured with default credentials, making them easy to compromise.
Most of these devices run some version of embedded Linux, which, when combined with the bandwidth required to stream video, provides a “potent” class of DDoS bots, the researchers said.
White-labelled DVRs
A large majority of the botnets observed by Level 3 were using white-labelled DVRs and DVRs manufactured by the company Dahua Technology.
The researchers said they had alerted Dahua Technology about the issue, noting that there are more than a million of these two types of DVRs that could be hijacked for use in botnets.
The security of IoT devices poses a significant threat, the researchers said, and they have called on the suppliers of these devices to improve their security.
Sean Newman, director at Corero Network Security, said the Lizkebab IoT botnets are yet another example of how the collective power of vulnerable devices openly connected to the internet can be harnessed for nefarious activities.
“The rise of IoT, and the devices associated with it, is making it easy for today’s educated attackers,” he said.
Security an after-thought
Newman said IoT devices often have just enough processing power to deliver their required functionality, with security an after-thought at best and often not present at all.
“Combine this with the fact that the access control passwords that do exist are often left at their factory defaults, or users choose alternatives that are easy to crack using brute force techniques, then this problem is not going away any time soon,” he said.
The good news from the perspective of DDoS defence, said Newman, is that a volumetric attack from thousands of sources each sending a small amount of traffic can be defended against using much the same techniques as one from a small number of sources sending larger volumes.
The use of IoT devices in botnets is not new, the Level 3 researchers said, but as such devices become more common, they expect these types of botnet to increase in number and power.
“The bulk of the IoT market consists of non-technical consumers who, at this time, have little, if any, knowledge of how to make these security-conscious changes,” said Lane Thames, software