Qbot

BASHLITE (also known as Gafgyt, Lizkebab, PinkSlip, Qbot, Torlus and LizardStresser) is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. The original version in 2014 exploited a flaw in the bash shell, the Shellshock software bug, to exploit devices running BusyBox. A few months later a variant was detected that could also infect other vulnerable devices in the local network. In 2015 its source code was leaked, causing a proliferation of different variants, and by 2016 it was reported that one million devices had been infected. Of the identifiable devices participating in these botnets in August 2016, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers, and less than 1 percent were compromised Linux servers.


Design

BASHLITE is written in C, and designed to easily cross-compile to various computer architectures. Exact capabilities differ between variants, but the most common features generate several different types of DDoS attacks: it can hold open TCP connections, send a random string of junk characters to a TCP or a UDP port, or repeatedly send TCP packets with specified flags. Variants may also have a mechanism to run arbitrary shell commands on the infected machine. There are no facilities for reflected or amplification attacks. BASHLITE uses a client–server model for command and control. The protocol used for communication is essentially a lightweight version of Internet Relay Chat (IRC). Even though it supports multiple command and control servers, most variants only have a single command and control IP address hardcoded. It propagates via brute forcing, using a built-in dictionary of common usernames and passwords. The malware connects to random IP addresses and attempts to log in, with successful logins reported back to the command and control server.
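
The dictionary-based login attempts described above leave a recognisable trace on the receiving host: one source failing against several different usernames in quick succession, sometimes followed by an accepted login. The following detection sketch is an added example, not code from BASHLITE or from any cited source; it assumes OpenSSH-style authentication log lines (the article does not name the login service), and the sample lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth-log style (assumption: the article
# does not name the login service or log format). IPs are documentation ranges.
SAMPLE_LOG = """\
2016-08-01T03:10:01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2016-08-01T03:10:02 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2016-08-01T03:10:04 sshd[811]: Failed password for invalid user support from 203.0.113.7 port 40115 ssh2
2016-08-01T03:10:05 sshd[811]: Failed password for invalid user ubnt from 203.0.113.7 port 40117 ssh2
2016-08-01T03:10:07 sshd[811]: Accepted password for root from 203.0.113.7 port 40120 ssh2
2016-08-01T09:00:00 sshd[902]: Failed password for alice from 198.51.100.20 port 51000 ssh2
2016-08-01T09:00:09 sshd[902]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

LINE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) ")

def find_dictionary_logins(log_text, window=timedelta(seconds=60), min_users=3, min_failures=4):
    """Return {source_ip: verdict} for sources whose failures look like a credential dictionary.

    'sweep': at least min_failures failures over at least min_users distinct
    usernames inside one window. 'sweep-then-success': an accepted login from
    the same source while that sweep is still inside the window.
    """
    failures = defaultdict(list)   # ip -> [(time, user)] failures still inside the window
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if outcome == "Failed":
            recent.append((ts, user))
        failures[ip] = recent
        swept = len(recent) >= min_failures and len({u for _, u in recent}) >= min_users
        if swept and outcome == "Accepted":
            verdicts[ip] = "sweep-then-success"   # treat the host as compromised
        elif swept:
            verdicts.setdefault(ip, "sweep")
    return verdicts

if __name__ == "__main__":
    for ip, verdict in find_dictionary_logins(SAMPLE_LOG).items():
        print(ip, verdict)
```

A single mistyped password followed by a successful login, as in the second source in the sample, is not flagged; only the multi-username pattern is.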


See also

* Low Orbit Ion Cannon – a stress test tool that has been used for DDoS attacks
* High Orbit Ion Cannon – the replacement for LOIC used in DDoS attacks
* Denial-of-service attack (DoS)
* Fork bomb
* Mirai (malware)
* Hajime (malware)
* Slowloris (computer security)
* ReDoS

