Palo Alto Networks has discovered an updated Gafgyt variant trying to infect thousands of small office or home wireless routers.
An updated variant of the Gafgyt malware has rendered 32,000 Wi-Fi routers around the world potentially vulnerable to various exploits.
Unit 42, the threat intelligence team at Palo Alto Networks, discovered the variant in September 2019 during a proactive IoT threat-hunting exercise. The Gafgyt botnet was initially uncovered in 2014 and has proven a popular tool for those launching large-scale distributed denial of service (DDoS) attacks.
Since then, many variants of the botnet have evolved, targeting different types of devices in different industries.
The latest Gafgyt variant targets three wireless router models – the Zyxel P-660HN-T1A, the Huawei HG532 and the Realtek RTL81XX. In all three, the malware exploits remote code execution vulnerabilities in the devices. According to Palo Alto Networks, some of these vulnerabilities are more than five years old.
This variant has been linked to Instagram usernames belonging to people selling ‘botnet-as-a-service’ packages on Instagram for between $8 and $150.
Methods of attack
The botnet has various methods of attack. It uses the Send HTTP function to launch an HTTP flooding attack and uses other similar functions to overwhelm a server’s resources. It also leverages kill options to destroy competing botnets that already exist on the infected device.
Gafgyt contains a payload that can attack game servers running the Valve Source Engine, an engine that runs games such as Half-Life and Team Fortress 2, among others. The research notes that this is not an attack on the Valve corporation itself “because anyone can run a server for these games on their network”.
The payload behind the Valve server attacks is widely used to cause what are known as distributed reflection denial of service (DrDoS) attacks, in which the game servers are tricked into sending their replies to a victim that never queried them.
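The reflection attack described above, seen from the defender's side: an added example (not from the article or from Unit 42's research) that flags a host receiving Source Engine query replies it never asked for. It assumes the standard A2S_INFO query format and the default server port 27015, which the article does not detail, and the packet tuples are constructed sample data rather than a real capture.

```python
"""Spot a host being used as the victim of a Source Engine (A2S) reflection flood.

A reflector sends the game server a small query with the victim's address spoofed
as the source; the server's much larger reply lands on the victim. On the victim's
network the tell-tale is UDP traffic *from* port 27015 answering no query the host sent.
"""
from collections import Counter

SOURCE_QUERY_PORT = 27015                                     # default Source dedicated-server port
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"  # standard A2S_INFO request (assumed)
A2S_HEADER = b"\xff\xff\xff\xff"                              # single-packet A2S replies start with this


def analyse_flows(packets, protected_host):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload) tuples.

    Returns the number of unsolicited A2S replies received by protected_host,
    the reflector addresses that sent them, and the inbound/outbound byte ratio.
    """
    queried_servers = set()
    unsolicited = Counter()
    bytes_out = bytes_in = 0
    for src, sport, dst, dport, payload in packets:
        if src == protected_host and dport == SOURCE_QUERY_PORT and payload.startswith(A2S_INFO_QUERY):
            queried_servers.add(dst)          # legitimate outbound server-browser query
            bytes_out += len(payload)
        elif dst == protected_host and sport == SOURCE_QUERY_PORT and payload.startswith(A2S_HEADER):
            bytes_in += len(payload)
            if src not in queried_servers:    # reply with no matching query: reflected traffic
                unsolicited[src] += 1
    ratio = bytes_in / bytes_out if bytes_out else float("inf")
    return {"unsolicited_replies": sum(unsolicited.values()),
            "reflectors": sorted(unsolicited), "amplification": ratio}


def is_reflection_victim(report, min_reflectors=2, min_replies=10):
    """Alert only when unsolicited replies arrive from several distinct servers."""
    return len(report["reflectors"]) >= min_reflectors and report["unsolicited_replies"] >= min_replies


# Constructed sample: one genuine query/reply pair, then reflected replies from three servers.
VICTIM = "203.0.113.10"
REPLY = A2S_HEADER + b"I\x11constructed-server\x00" + b"\x00" * 280   # ~300-byte A2S_INFO reply
SAMPLE_PACKETS = [
    (VICTIM, 50000, "198.51.100.5", SOURCE_QUERY_PORT, A2S_INFO_QUERY),
    ("198.51.100.5", SOURCE_QUERY_PORT, VICTIM, 50000, REPLY),
] + [
    (server, SOURCE_QUERY_PORT, VICTIM, 40000 + i, REPLY)
    for i in range(12)
    for server in ("198.51.100.6", "198.51.100.7", "198.51.100.8")
]
```

Running `analyse_flows(SAMPLE_PACKETS, VICTIM)` reports 36 unsolicited replies from three reflectors, while the first two packets alone (the genuine exchange) raise no alert.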
The company’s research observes that wireless routers “are one of the most common IoT devices in organisations across industries, making them targets”. It warns that as many as 41pc of general IoT devices continue to use default passwords, and claims that 98pc of all IoT device traffic remains unencrypted.