What is Gafgyt malware? Smart home cybersecurity news [October 2019 edition]
Last month, we shared about major vulnerabilities affecting popular router brands, such as D-Link, Lenovo, and ASUS. Vulnerable wireless routers have made the cut for our smart home cybersecurity news roundup again with the recent news of a new Gafgyt malware variant.
What is Gafgyt malware?
Gafgyt malware first made its appearance back in 2014 as a malware strain that exploited known vulnerabilities in small home and small office (SOHO) routers to launch Distributed Denial of Service (DDoS) attacks, much like those orchestrated by the well-known Mirai botnet.
Since 2014, numerous variants of Gafgyt— also referred to by the names of BASHLITE, Lizkebab, Torlus, and Qbot— have made appearances with different agendas. According to researchers from Level 3 Threat Research Labs (now Black Lotus Labs), by 2016 alone, there were already a million routers and IoT devices compromised by this malware:
Of the one million infected endpoint devices, 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers and less than 1 percent were tied to Linux servers. “This represents a drastic shift in the composition of botnets compared to the compromised server- and home router-based DDoS botnets we’ve seen in the past,” the researchers said.
This time around, Gafgyt is not only targeting SOHO routers and IoT, but also other botnets that it finds in its path...
The latest variant of Gafgyt malware targets 32,000+ wireless routers
According to researchers from Palo Alto Networks, the latest variant of Gafgyt malware is competing with the JenX botnet:
This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers – most notably those running the Valve Source engine – and cause a Denial of Service (DoS). This variant also competes against similar botnets, which we have found are frequently sold on Instagram. According to Shodan scans, there are more than 32,000 WiFi routers potentially vulnerable to these exploits around the world. Additionally, it abuses one more vulnerability than JenX does:
This particular variant of Gafgyt is targeting these three specific Common Vulnerabilities and Exposures (CVE) in the following router models:
- ZYXEL P660HN-T1A— CVE-2017-18368 is a remote command injection vulnerability in the Remote System Log Forwarding function that can be accessed by an unauthenticated user. (Not present in JenX)
- Huawei HG532— CVE-2017-17215 is a remote code execution vulnerability where an unauthenticated user can target port 37215 with malicious packets for carrying out attacks. (Present in JenX)
- Realtek RTL81XX Chipset— CVE-2014-8361 is a remote code execution vulnerability that allows unauthenticated users to execute arbitrary code via a crafted NewInternalClient request. (Present in JenX)
As Gafgyt uses scanners to exploit these known vulnerabilities, it targets various IoT devices and can conduct several DDoS attacks at the same time. The researchers explain that the main target of this Gafgyt variant is the gaming industry, which it targets through attacking game servers running the Valve Source Engine (VSE):
This is the engine that runs games like Half-Life, Team Fortress 2, and others. Researchers emphasize this isn't an attack on Valve, as anyone can run a server for the games on their own network. This attack targets the servers.
Additionally, this Gafgyt variant performs attacks that kill any other botnets residing on its compromised devices so that it's the only malware strain able to control them.
Key takeaway: Update your router
Gafgyt is just one example of the many types of malware out there targeting vulnerable routers and IoT devices. Of the targeted routers by this latest variant of Gafgyt, all are pretty outdated and have been on the market for years now. This calls to attention the importance of ensuring your router is always running the latest firmware version available, and in some cases, it may be best to just upgrade the device itself entirely to a newer model.
Past smart home cybersecurity news roundup editions:
- June 2019: Linksys Smart WiFi router vulnerability and Android pre-installed backdoor
- July 2019: Website drive-by attacks on home routers
- August 2019: VxWorks and Google Nest Cam IQ Indoor vulnerabilities
- September 2019: SMS-based attacks and major router vulnerabilities