Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices.
Satori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world’s largest websites.
Radware’s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee.
Enthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or “mods,” in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own custom versions of GTA for multiplayer action.
“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” Geenens wrote of the site’s DDoS offering. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”
Shortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. Now the listing included a reference to “bots,” and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop.
While derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed “JenX”, is deployed in a different manner than its predecessors.
“Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” he wrote. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.”
The centralized approach employed by JenX trades slower growth for lower detection, he added.
The danger from JenX should be mostly confined to GTA San Andreas users, Gessens said, but with a stern caveat.
“[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,” he wrote. “I cannot believe the San Calvicie group would oppose to it.”
Radware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet’s server footprint, but it remains active. JenX’s implementation makes taking it down a tricky task.
“As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he wrote. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers would be move to the Darknet, it would make it much more difficult to track down the servers’ location and take them down.”