Valve Source Engine, Fortnite Servers Crippled By Gafgyt Variant

Servers hosting Valve Source Engine and popular games like Fortnite are targeted by a new variant of the Gafgyt botnet.

A new Gafgyt variant is adding vulnerable internet of things (IoT) devices to its botnet arsenal and using them to cripple gaming servers worldwide.

The newly-discovered variant is capable of launching a variety of denial-of-service (DoS) attacks against the Valve Source Engine, a video game engine developed by Valve Corp. that runs popular games such as ​Half-Life and ​Team Fortress 2. Other gaming servers have also been targeted by the botnet, such as those hosting widely-played games such as Fortnite, researchers warn.

“This Gafgyt variant is a competing botnet to the ​JenX botnet, which also uses remote code-execution exploits to gain access and recruit routers into botnets to attack gaming servers – most notably those running the Valve Source Engine – and cause a denial-of-service,” said researchers with Palo Alto Networks’ Unit 42 research team, in analysis released Thursday. “This variant also competes against similar botnets, which we have found are frequently sold on Instagram.”

Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. The newest Gafgyt variant targets two of the same small-office router remote-code-execution flaws as its predecessor, ​JenX, which was disclosed in 2018​.

The two previously-targeted flaws are CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in the Realtek RTL81XX chipset). However, the newest variant also targets another vulnerability, CVE-2017-18368, a remote command-injection bug on Zyxel P660HN wireless routers. The Zyxel P660HN-T1A (distributed by TrueOnline) has a command-injection vulnerability in the remote system log forwarding function, which can be accessed by an unauthenticated user, researchers said.

According to Shodan, there are more than 32,000 Wi-Fi routers worldwide that are vulnerable to these three flaws.

The Gafgyt variant first uses three “scanners” to attempt to exploit these known RCE flaws. Then, depending on the type of device targeted, the botnet makes them download either an ARM7 or MIPS binary using “wget,” which is a computer program that pulls content from web servers.

From there, the malware connects to a command-and-control (C2) server, sending the device’s information to join the botnet, such as IP address and architecture. From there, the victim device is forced to perform at least five different types of DoS attacks.

“This Gafgyt variant can perform different types of DoS attacks simultaneously depending on the commands received from the C2 server,” researchers said. “Themain()function of the malware calls another function called processCmd() to process the command and initiate a corresponding attack.”

One such attack calls the VSE function and contains a payload to attack game servers running the Valve Source Engine. Another calls the ​HTTPCF function to attack services security by Cloudflare; still other options target devices that may have been previously infected with competing botnets; or, they can call the endHTTP() function to start an HTTP flooding attack.

“As previously described, the ​VSE command starts an attack against gaming servers running the Valve Source Engine,” researchers said. “Note that this is not an attack on the Valve corporation itself because anyone can run a server for these games on their own network. It is an attack on the servers.”

Upon further investigation, researchers found several fake Instagram profiles selling the source code for the botnet at a wide range of prices.

Gafgyt botnet

After going undercover and interacting with these profiles, researchers were offered a “spot” in the botnet servers from $8 to $150 USD. A “spot” means that a person can pay attackers to add a set of IP addresses against which their already-working botnets will launch a DoS attack, researchers said.

Researchers say they contacted Instagram and alerted them of malicious profiles. Instagram did not respond to a request for comment from Threatpost.

Looking forward, researchers said that the Gafgyt variant shows the dangers of insecure IoT devices.

“In short, an increase of IoT botnets sold on Instagram + low cost + RCE exploits + the presence of wireless routers across all industries means that IoT devices are at increased risk of being recruited into botnets,” said researchers. “This formula shows why every type of industry must be aware of IoT security and implement measures to prevent devices on their network from getting compromised and degrading business continuity.”

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles