BASHLITE

BASHLITE
BASHLITE
Technical name	As BashLite ELF/Gafgyt.[letter]!tr (Fortinet); Backdoor.Linux.BASHLITE.[letter] (Trend Micro); As Gafgyt ELF/Gafgyt.[letter]!tr (Fortinet); HEUR:Backdoor.Linux.Gafgyt.[letter] (Kaspersky); DDoS:Linux/Gafgyt.YA!MTB (Microsoft); ELF_GAFGYT.[letter] (Trend Micro); As QBot Trojan-PSW.Win32.Qbot (Kaspersky); Backdoor.Qbot (Malwarebytes); Win32/Qakbot (Microsoft); Bck/QBot (Panda); Mal/Qbot-[letter] (Sophos); W32.Qakbot ( Symantec); BKDR_QAKBOT (Trend Micro); TROJ_QAKBOT (Trend Micro); TSPY_QAKBOT (Trend Micro); WORM_QAKBOT (Trend Micro); Backdoor.Qakbot (VirusBuster); As PinkSlip W32/Pinkslipbot (McAfee); As Torlus
Alias	Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus, LizardStresser
Type	Botnet
Authors	Lizard Squad
Technical details
Platform	Linux
Written in	C

BASHLITE (also known as Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus and LizardStresser) is

Gbps.^[3]

The original version in 2014 exploited a flaw in the bash shell - the Shellshock software bug - to exploit devices running BusyBox.^[4]^[5]^[6]^[7] A few months later a variant was detected that could also infect other vulnerable devices in the local network.^[8] In 2015 its source code was leaked, causing a proliferation of different variants,^[9] and by 2016 it was reported that one million devices have been infected.^[10]^[11]^[12]^[13]

Of the identifiable devices participating in these botnets in August 2016 almost 96 percent were

Linux servers.^[9]

Design

BASHLITE is written in C, and designed to easily cross-compile to various computer architectures.^[9]

Exact capabilities differ between variants, but the most common features

reflected or amplification attacks

.

BASHLITE uses a

hardcoded

.

It propagates via brute forcing, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to login, with successful logins reported back to the command and control server.

References

^ Cimpanu, Catalin (30 August 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". Softpedia. Retrieved 19 October 2016.
ZDNet
. Retrieved 25 September 2014.

^ Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". Computer Weekly. Retrieved 21 October 2016.

^ Kovacs, Eduard (14 November 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". SecurityWeek.com. Retrieved 21 October 2016.

^ Khandelwal, Swati (November 17, 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". The Hacker News. Retrieved 21 October 2016.

^ Paganini, Pierluigi (16 November 2014). "A new BASHLITE variant infects devices running BusyBox". Security Affairs. Retrieved 21 October 2016.

^ "Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware". Trend Micro. 25 September 2014. Retrieved 19 March 2017.

^ Inocencio, Rhena (13 November 2014). "BASHLITE Affects Devices Running on BusyBox". Trend Micro. Retrieved 21 October 2016.

^ ^a ^b ^c ^d "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. Archived from the original on 3 October 2016. Retrieved 6 November 2016.

^ "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". Full Circle. 4 September 2016. Archived from the original on 22 October 2016. Retrieved 21 October 2016.

^ Masters, Greg (31 August 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. Retrieved 21 October 2016.

^ Spring, Tom (30 August 2016). "BASHLITE Family of Malware Infects 1 Million IoT Devices". Threatpost.com. Retrieved 21 October 2016.

^ Kovacs, Eduard (31 August 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". Security Week. Retrieved 21 October 2016.

^ Bing, Matthew (29 June 2016). "The Lizard Brain of LizardStresser". Arbor Networks. Retrieved 6 November 2016.

v
t
e
Internet of things (IoT) malware
Notable IoT malware

BASHLITE

BrickerBot

Carna

Hajime

Linux.Darlloz

Linux.Wifatch

Mirai

Remaiten

v
t
e
Hacking in the 2010s
← 2000s
Timeline
2020s →
Major incidents
2010

Operation Aurora (publication of 2009 events)

Australian cyberattacks

Operation Olympic Games

Operation ShadowNet

Operation Payback

2011

Canadian government

DigiNotar

DNSChanger

HBGary Federal

Operation AntiSec

PlayStation network outage

RSA SecurID compromise

2012

LinkedIn hack

Stratfor email leak

Operation High Roller

2013

South Korea cyberattack

Snapchat hack

Cyberterrorism attack of June 25

2013 Yahoo! data breach

Singapore cyberattacks

2014

Anthem medical data breach

Operation Tovar

2014 celebrity nude photo leak

2014 JPMorgan Chase data breach

2014 Sony Pictures hack

Russian hacker password theft

2014 Yahoo! data breach

2015

Office of Personnel Management data breach

HackingTeam

Ashley Madison data breach

VTech data breach

Ukrainian Power Grid Cyberattack

SWIFT banking hack

2016

Bangladesh Bank robbery

Hollywood Presbyterian Medical Center ransomware incident

Commission on Elections data breach

Democratic National Committee cyber attacks

Vietnam Airport Hacks

DCCC cyber attacks

Indian Bank data breaches

Surkov leaks

Dyn cyberattack

Russian interference in the 2016 U.S. elections

2016 Bitfinex hack

2017

SHAttered

2017 Macron e-mail leaks

WannaCry ransomware attack

Westminster data breach

Petya and NotPetya
2017 Ukraine ransomware attacks

Equifax data breach

Deloitte breach

Disqus breach

2018

Trustico

Atlanta cyberattack

SingHealth data breach

2019

Sri Lanka cyberattack

Baltimore ransomware attack

Bulgarian revenue agency hack

WhatsApp snooping scandal

Jeff Bezos phone hacking incident

Hacktivism

Anonymous
associated events

CyberBerkut

GNAA

Goatse Security

Lizard Squad

LulzRaft

LulzSec

New World Hackers

NullCrew

OurMine

PayPal 14

RedHack

Teamp0ison

TDO

UGNazi

Ukrainian Cyber Alliance

Groups

Appin

Bangladesh Black Hat Hackers

Bureau 121

Charming Kitten

Cozy Bear

Dark Basin

DarkMatter

Elfin Team

Equation Group

Fancy Bear

GOSSIPGIRL (confederation)

Guccifer 2.0

Hacking Team

Helix Kitten

Iranian Cyber Army

Islamic State Hacking Division

Lazarus Group
BlueNorOff

AndAriel

Lords of Dharmaraja

NSO Group

Numbered Panda

PLA Unit 61398

PLA Unit 61486

PLATINUM

Pranknet

Red Apollo

Rocket Kitten

Stealth Falcon

Syrian Electronic Army

Tailored Access Operations

The Shadow Brokers

xDedic

Yemen Cyber Army

Individuals

Ryan Ackroyd

Mustafa Al-Bassam

Kim Anh Vo

George Hotz

Guccifer

Elliott Gunton

Jeremy Hammond

Junaid Hussain

MLT

Sabu

Track2

Topiary

The Jester

Major vulnerabilities
publicly disclosed

Evercookie (2010)

iSeeYou (2013)

Heartbleed (2014)

Shellshock (2014)

POODLE (2014)

Rootpipe (2014)

Row hammer (2014)

SS7 vulnerabilities (2014)

WinShock (2014)

JASBUG (2015)

Stagefright (2015)

DROWN (2016)

Badlock (2016)

Dirty COW (2016)

Cloudbleed (2017)

Broadcom Wi-Fi (2017)

EternalBlue (2017)

DoublePulsar (2017)

Silent Bob is Silent (2017)

KRACK (2017)

ROCA vulnerability (2017)

BlueBorne (2017)

Meltdown (2018)

Spectre (2018)

EFAIL (2018)

Exactis (2018)

Speculative Store Bypass (2018)

Lazy FP state restore (2018)

TLBleed (2018)

SigSpoof (2018)

Foreshadow (2018)

Dragonblood (2019)

Microarchitectural Data Sampling (2019)

BlueKeep (2019)

Kr00k (2019)

Malware
2010

Bad Rabbit

Black Energy 2

SpyEye

Stuxnet

2011

Coreflood

Alureon

Duqu

Kelihos

Metulji botnet

Stars

2012

Carna

Dexter

FBI

Flame

Mahdi

Red October

Shamoon

2013

CryptoLocker

DarkSeoul

2014

Brambul

Black Energy 3

Carbanak

Careto

DarkHotel

Duqu 2.0

FinFisher

Gameover ZeuS

Regin

2015

Dridex

Hidden Tear

Rombertik

TeslaCrypt

Project Sauron

2016

Hitler

Jigsaw

KeRanger

Necurs

MEMZ

Mirai

Pegasus

Petya and NotPetya

X-Agent

2017

BrickerBot

Kirk

LogicLocker

Rensenware

Triton

WannaCry

XafeCopy

2018

VPNFilter

2019

Grum

Joanap

NetTraveler

R2D2

Tinba

Titanium

ZeroAccess botnet

Retrieved from "https://en.wikipedia.org/w/index.php?title=BASHLITE&oldid=1232782052"

[1] Cimpanu, Catalin (30 August 2016). "There's a 120,000-Strong IoT DDoS Botnet Lurking Around". Softpedia. Retrieved 19 October 2016.

[2] ZDNet
. Retrieved 25 September 2014.

[3] Ashford, Warwick (30 June 2016). "LizardStresser IoT botnet launches 400Gbps DDoS attack". Computer Weekly. Retrieved 21 October 2016.

[4] Kovacs, Eduard (14 November 2014). "BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox". SecurityWeek.com. Retrieved 21 October 2016.

[5] Khandelwal, Swati (November 17, 2014). "BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox". The Hacker News. Retrieved 21 October 2016.

[6] Paganini, Pierluigi (16 November 2014). "A new BASHLITE variant infects devices running BusyBox". Security Affairs. Retrieved 21 October 2016.

[7] "Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware". Trend Micro. 25 September 2014. Retrieved 19 March 2017.

[8] Inocencio, Rhena (13 November 2014). "BASHLITE Affects Devices Running on BusyBox". Trend Micro. Retrieved 21 October 2016.

[Level3-9] "Attack of Things!". Level 3 Threat Research Labs. 25 August 2016. Archived from the original on 3 October 2016. Retrieved 6 November 2016.

[10] "BASHLITE malware turning millions of Linux Based IoT Devices into DDoS botnet". Full Circle. 4 September 2016. Archived from the original on 22 October 2016. Retrieved 21 October 2016.

[11] Masters, Greg (31 August 2016). "Millions of IoT devices enlisted into DDoS bots with Bashlite malware". SC Magazine. Retrieved 21 October 2016.

[12] Spring, Tom (30 August 2016). "BASHLITE Family of Malware Infects 1 Million IoT Devices". Threatpost.com. Retrieved 21 October 2016.

[13] Kovacs, Eduard (31 August 2016). "BASHLITE Botnets Ensnare 1 Million IoT Devices". Security Week. Retrieved 21 October 2016.

[14] Bing, Matthew (29 June 2016). "The Lizard Brain of LizardStresser". Arbor Networks. Retrieved 6 November 2016.

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

Design

See also

References