A new version of Gafgyt botnet malware has been enlisting routers from Zyxel and Huawei, as well as devices with Realtek RTL81xx chipset, using them for denial-of-service (DoS) attacks against servers running the Valve Source engine.
To compromise the targets, this Gafgyt variant exploits three known remote code execution vulnerabilities affecting the targeted devices.
Old exploits can still ensnare thousands of devices
Gafgyt is a popular choice for launching large-scale DDoS attacks and it has been around since 2014.
It has numerous variants but the latest one is derived from another botnet, JenX, which also relies on exploits for known remote code execution vulnerabilities to deploy DDoS attacks.
In fact, security researchers from Palo Alto Networks’ Unit 42 found that two of the exploits in the new Gafgyt were originally present in JenX.
The age of a vulnerability matters little when it comes to IoT devices, since patches, when available, are typically applied with considerable delay.
The researchers say that a search on Shodan showed about 32,000 devices vulnerable to these security issues and reachable over the public internet.
DoS option for game servers
In a report released today, the researchers reveal that the new Gafgyt can run multiple types of DoS attacks at the same time, according to commands received from the command and control (C2) server.
Among the multiple DoS attack options included, one command is called VSE and it requests a payload specifically for targeting game servers that run the Valve Source engine.
It should be noted that VSE is not aimed at Valve’s game servers or a particular game title but at any machine that is running the Valve Source engine. Half-Life and Team Fortress 2 are among the games that use Valve’s engine.
The payload produces a reflective attack: requests sent to the bots are redirected to the target machine, overwhelming it.
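From the defender's side, the practical question for anyone running a Source engine server is spotting a query flood early. The following is an added example (not code from the Unit 42 report or from Gafgyt) that flags source addresses sending an abnormal rate of standard Source Engine A2S_INFO queries; the detection threshold, window and sample traffic are constructed for illustration.

```python
"""Flag source IPs that burst Source Engine A2S_INFO queries at a server.

Added example; it assumes the flood consists of ordinary A2S_INFO requests
(the public Source query protocol). Threshold, window and the sample
packets below are constructed values, not taken from the report.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple

# Standard A2S_INFO request as sent to a Source engine server's query port.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


def is_a2s_info(payload: bytes) -> bool:
    """True if the UDP payload is an A2S_INFO request."""
    return payload == A2S_INFO_QUERY


def flag_query_floods(packets: Iterable[Tuple[float, str, bytes]],
                      window: float = 1.0, threshold: int = 20) -> List[str]:
    """Return source IPs that sent more than `threshold` A2S_INFO queries
    inside any sliding `window` seconds. packets = (timestamp, src_ip, payload)."""
    seen = defaultdict(list)          # src_ip -> timestamps inside the window
    flagged: List[str] = []
    for ts, src, payload in sorted(packets, key=lambda p: p[0]):
        if not is_a2s_info(payload):
            continue                  # other query types are not counted here
        times = seen[src]
        times.append(ts)
        while times and times[0] < ts - window:   # expire old timestamps
            times.pop(0)
        if len(times) > threshold and src not in flagged:
            flagged.append(src)
    return flagged


def sample_traffic() -> List[Tuple[float, str, bytes]]:
    """Constructed sample: one legitimate client and one flooding source."""
    pkts = [(0.0, "198.51.100.7", A2S_INFO_QUERY),
            (5.0, "198.51.100.7", A2S_INFO_QUERY)]
    pkts += [(1.0 + i * 0.01, "203.0.113.9", A2S_INFO_QUERY) for i in range(50)]
    # An A2S_PLAYER request with a -1 challenge; present to show it is ignored.
    pkts.append((1.2, "203.0.113.9", b"\xff\xff\xff\xffU\xff\xff\xff\xff"))
    return pkts


if __name__ == "__main__":
    print(flag_query_floods(sample_traffic()))  # ['203.0.113.9']
```

In practice the packets would come from a capture or from the server's own query log, and a flagged address would feed a firewall rate limit rather than a print.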
Analysis from Unit 42 found that the new Gafgyt looks for code from competing botnets and attempts to deactivate it in order to keep the compromised device for itself. This is achieved by searching for binary names and keywords available in other IoT botnet variants. Among the competitors are JenX, Hakai, Miori, Satori, and Mirai.
DDoS services are common, cybercriminals are not shy about advertising them on popular social media platforms like Instagram, and the costs are minimal.
Unit 42 researchers found DDoS offers for as low as $8. The more expensive ones, which cover an extended period of attack, were available for $150 (covers 500 seconds). Even the source code is available for the right price, so it should come as no surprise that there are so many IoT botnet variants.
Routers are often targeted by botnet malware because they are designed to be permanently connected to the internet, so they can be used for DDoS attacks at any time. Furthermore, many users do not update their devices when security patches are available, so large numbers of vulnerable routers remain online even after the maker has released a fix.