Revealing the notoriety of Gafgyt botnet

• The Gafgyt botnet had first appeared in 2014.
• Over the years, the botnet has evolved to behave the same as Mirai botnet.

Gafgyt, also referred to as BASHLITE, Lizekebab, Torlus and Qbot, is a botnet that was first uncovered in 2014. Originally designed to infect Linux operating system, the botnet opens a back door the compromised computers and steals information.

Gamers are the first target

This long-lived IoT botnet family has evolved with a lot of variants. Over the years, it has grown to a gigantic family that behaves the same as Mirai botnet. Its capabilities include scanning vulnerabilities for conducting DDoS attacks, executing instructions and downloading & executing malware.

Depending on the analysis of the communication traffic log by researchers, it is found that Gafgyt is widely used for cheating in games including Apex Legend, PUBG, Fortnite, GTA, Minecraft, and R6.

The operators of the botnet attack the game servers with an intent to increase the network latency of opponent players on the same server. This ultimately prevents the player to proceed normally with a game or even disconnects them from the game completely.

During the first quarter of 2019, ports meant for gaming such as Port 80, Port 3074, Port 30100, Port 30000 and Port 30200 were found to be frequently targeted by Gafgyt botnet. This indicates that the botnet is extremely active against game servers.

Routers are also one of the targets

Apart from targeting game players, the botnet was also used recently to detect vulnerabilities in routers from different vendors like D-Link, Huawei, GPON, Eir, Cisco and NETGEAR.

The botnet attempts to brute-force the routers using commonly used usernames and passwords.

Besides routers on the internet, Gafgyt also attacks other vulnerable IoT devices. The highly-exploited vulnerabilities include CVE-2015-7254, CVE-2014-8361, CVE-2018-10561 among others.

The threat level of the botnet

• According to Black Lotus Labs, by 2016 alone, there were already a million routers and IoT devices compromised by the botnet. Of the one million, 96 percent were IoT devices and roughly 4 percent were home routers and less than 1 percent were tied to Linux servers.
• Palo Alto Networks researchers, in their new study, have uncovered that the latest variant of the botnet is competing with the JenX botnet by targeting more than 32,000 wireless routers.

Recommendations

• Patching vulnerabilities with security updates is the first and foremost mitigation measure to prevent attacks by the botnet.
• Use a firewall to block all malicious incoming connections from the internet to services that should not be publicly available.
• Enforce strong and complex password policies to make it difficult to crack password files on compromised computers.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administrative-level access is a legitimate application.
• Turn off and remove unnecessary services. These services can become avenues of attack.