Pierluigi Paganini November 03, 2019

Palo Alto Networks discovered a new version of Gafgyt botnet composed of Home & Small Office Wireless routers used to attack gaming servers.

Palo Alto Networks researchers discovered a new version of Gafgyt botnet targeting home & small office wireless routers, including Zyxel and Huawei routers, as well as devices with Realtek RTL81xx chipset.

According to the experts, crooks are using the botnet for DoS attacks against servers running the Valve Source engine.

The new version of the Gafgyt botnet exploits three known remote code execution vulnerabilities affecting the targeted devices.

Gafgyt is a popular choice for launching large-scale DDoS attacks and it has been around since 2014, the latest variant borrows the code from the JenX botnet.

“In September 2019, during the proactive IoT threat-hunting process conducted daily by the Unit 42 (formerly Zingbox security research) team, we discovered an updated Gafgyt variant attempting to infect IoT devices; specifically small office/home wireless routers of known commercial brands like Zyxel, Huawei, and Realtek.” reads the analysis published by PaloAlto Networks. “This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers – most notably those running the Valve Source engine – and cause a Denial of Service (DoS).”

Experts from Palo Alto Networks’ Unit 42 pointed out that two of the three exploits included in the new variant of the Gafgyt were also present in JenX:

• CVE-2017-18368​ – ZYXEL P660HN-T1A – new in Gafgyt
• CVE-2017-17215​ – Huawei HG532 – also used by JenX
• CVE-2014-8361​ – Realtek RTL81XX chipset – also used by JenX

Al the flaws are old, this means that attackers aim at infecting unpatched IoT devices.

Querying the Shodan search engine for vulnerable devices experts obtained 32,000 results.

The new Gafgyt variant can run multiple types of DoS attacks concurrently, one of which dubbed VSE leverages a payload to attack game servers running the Valve Source Engine.

“This payload is widely used to cause a Distributed reflection Denial of Service (DrDoS), which involves multiple victim machines that unwittingly participate in a DDoS attack.” continues the analysis. “The Source Engine Query is part of routine communications between clients and game servers using Valve software protocols. Requests to victim host machines are redirected, or reflected, from the victim hosts to the target. As a consequence, they also elicit an amplified amount of attack traffic, causing a DoS on the target host.”

Experts discovered that the new Gafgyt bot also attempt to deactivate any competing bot installed on the target machine by searching for binary names and keywords associated with other IoT bots, including Mirai, JenX, Hakai, Miori, and Satori.

Experts also provided some data related to hit-and-run DDoS services available online and advertised on social media platforms like Instagram.

The price ranges between $8 and $150 USD.

“Wireless routers are widely used in all industries, making them common targets of these types of attacks and we’re constantly looking for new malware against which we can protect our customers. The diversity of hosts attacked by IoT botnets is wider than before and gaming servers have become a popular target. Likewise, common malware marketplaces used to be more underground like the dark web and underground forums, but now malware is being sold on social networks.” concludes the analysis. “Malware samples and DoS attack codes are easily available to anybody, and they can launch massive attacks for a few dollars without much if any previous technical knowledge.”

Pierluigi Paganini

(SecurityAffairs – Gafgyt botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]