Gafgy Botnet – Practitioner of the BaaS Mode

Gafgy Botnet – Practitioner of the BaaS Mode

March 2, 2019 | Adeline Zhang

Overview

In an era of everything being connected, with the increase of IoT devices exposed on the Internet and vulnerabilities detected in them, more and more malware focuses on the inexhaustible zombie repository. Therefore, IoT platform-based malware families have undergone an exponential growth. The year 2018 alone saw 21 new variants from IoT-based botnet families.

Gafgyt is the most active botnet family. Thanks to its flexibility and simplicity, Gafgyt has gained more favor from hackers than others IoT-based botnet families such as Mirai, XorDDoS, mayday, and GoARM and therefore is the focus of NSFOCUS Fu Ying Labs as well. Recently, We have detects frequent attack activities of the Gafgyt family which obviously show its recovery sign. With an in-depth analysis of its recent instruction dispatch activities, we find that its behavior pattern is consistent with the idea of Botnet-as-a-Service (BaaS) and the hackers owning these C&C servers show show a keen desire for peer competition and propaganda, as evident in attack instructions.

BaaS

In the past, for botnets, attackers actively created and spread malware to infect devices and then manipulate these devices to launch large-scale DDoS attacks. In this case, when to attack totally depended on the attackers’ working time. Besides, a successful attack demands good technical abilities and the accumulation of botnet resources. Therefore, It is not hard to understand why the popularity of anti-virus software led the massive botnet-based DDoS attacks to show a declining trend.

Botnets working in BaaS mode provide the rental service. In other words, they grant the users who lacks botnet resources and technical ability, with the right to use a certain number of botnets in a time frame. Thanks to the popularity of automatic payment platforms, users can get a batch of mercenary-like attack resources by just making payment on these platforms. Such botnets can not only provide the agility of launching attacks at anytime and anywhere, but also make users find it more interesting to seem to have everything under control, thus satisfying their desire for control. All these factors make the BaaS mode the mainstream way of making profits from botnets.

As an active Mirai family on IoT platforms, Gafgyt gets transformed by adopting the BaaS mode, becoming a typical botnet case with long-lasting effect.

About Gafgyt

In August 2014, Sony PlayStation Network (PSN) a suffered massive outage caused by a a DDoS attack from the Gafgyt family. The hacker organization, LizardSquad, had claimed responsibility for the attack.

In December 2014, LizardSquad exploited the Gafgyt family to launch a DDoS attack against Microsoft Xbox Live, making millions of gamers unable to connect to the game server.

In January 2015, the source code of the Gafgyt family was made public, which is actually a .c file containing 1600+ lines of code (including the Telnet scanning module and weak password dictionary).

From then on, hackers started to develop a large number of variants (such as Bashlite, Qbot, and Tsunami) based on the Gafgyt family, thereby hiding the signs specific to attacks launched by LizardSquad.

Data Analysis

  1. Distribution of C&C servers

The following heat map shows the geographical distribution of C&C servers of the Gafgyt family.

As shown in the heat map, the C&C servers of the Gafgyt family are mainly distributed in North America and Europe, often gathering in one city. Through a DNS reverse query of the IP addresses of these C&C servers, we found that most of them belonged to small-sized VPS vendors. The security management of these vendors were so ineffective that they failed to meet users’ security requirements and were widely condemned on various forums. As a result, they had to reduce the rental to attract more users.

Therefore, we can conclude as follows: the reason why attackers deploy C&C servers in these areas is that there are cheap VPS resources, and loose and chaotic security management regulations, making them launch attacks at a low cost..

  1. Time distribution of attack instructions

Recently, the C&C servers of various Gafgyt variants have shown high activity. For this reason, we collected all recent attack instruction logs to find out the reasons. The following table lists the distribution of attack instruction delivery time in one day for a C&C server:

00:00-00:59 3.32%
01:00-01:59 1.97%
02:00-02:59 2.08%
03:00-03:59 3.86%
04:00-04:59 3.82%
05:00-05:59 4.05%
06:00-06:59 3.43%
07:00-07:59 5.78%
08:00-08:59 6.71%
09:00-09:59 8.37%
10:00-10:59 9.10%
11:00-11:59 5.17%
12:00-12:59 5.74%
13:00-13:59 4.20%
14:00-14:59 5.28%
15:00-15:59 4.93%
16:00-16:59 3.08%
17:00-17:59 2.70%
18:00-18:59 3.24%
19:00-19:59 2.74%
20:00-20:59 1.81%
21:00-22:59 1.70%
22:00-22:59 3.51%
23:00-23:59 3.43%

So far, most C&C servers of the Gafgyt family whose instructions we have tracked and captured dispatched attack instructions all around the clock. This tells us that the users of these botnets are not disperse in where the C&C servers reside in, but in all major time zones. This indicates that the Gafgyt family has realized the automatic botnet rental process of Pay-Attack, allowing users to conveniently launch DDoS attacks in real time by sending attack instructions to zombies.

  1. Distribution of attack targets

In order to make clear how tenants select targets and what they attack for, we collect statistics on attack target locations and attacked service types. The following heat map shows the geographical distribution of attack targets of the Gafgyt family that we have tracked in nearly a month, showing the severity of the attack events at specific points.

From the geographic perspective, attacks of the Gafgyt family are found worldwide, mainly in the US and Europe.

The following figures show our statistics on the attribution of attacked IP addresses and targeted service types.

As shown in the preceding figures, the Gafgyt botnet mostly targets VPS vendors’ servers with open HTTP services. By reference to some sessions captured by tenants from C&C servers during that time, we learn that botnet administrators usually allocate zombies as mercenaries to provide resources for tenants to launch DDoS attacks against enterprises portals. This is the main source of their income. In this case, sharing zombie resources via automatic payment platforms and cloud servers greatly reduces the botnet-based crime cost, making small and medium-sized businesses potential targets. Arguably, to an extent, this results in the flooding of DDoS attacks.

During off-peak hours, the administrators directly issue instructions (mostly of the “other” type indicated in the attack target attribution figure) to attack the external interfaces of C&C servers of other botnets to compete with peers. Alternative, like LizardSquad, Gafgyt can target XBox LIVE in hope of attract much attention toward its attack capability.

In addition, there are also some C&C servers often hit by members of the same family. Undoubtedly, those family members are often compete with each other.

Summary

As a typical IoT-based botnet, the Gafgyt family always finds favors with hackers, due to easy-to-build services, easy-to-scale functions, and easy access to zombies. Therefore, in order to be more competitive to gain more benefits from the DDoS industry, hackers have polished Gafgyt by equipping it with automatic interfaces and adopting unique competition and promotion means. By implementing the idea of the BaaS mode, hackers behind Gafgyt no longer directly selling attack traffic in a traditional manner, but provide zombies for tenants and allow them to manipulate those zombies in a specified period of time.

About NSFOCUS Fu Ying Labs

NSFOCUS Fu Ying Labs focuses on security threat research and monitoring technologies, covering threat identification, tracing, and capture technologies as well as threat actor identification technologies.

By doing research in botnet threats, anti-DDoS, web confrontation, threats of exploitation of vulnerabilities in popular service systems, ID authentication threats, digital asset threats, threats from the underground industry, and emerging threats, we have a good grasp of threats in the live network so as to identify risks, mitigate harms done by threats, and provide decision-making support for defense against threats.