LizardStresser Webcam Botnet Strikes Brazil And US With IoT Attacks

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

Large financial institutions and gaming companies are amongst those hit by the latest IoT botnet attacks

Attackers have built up a massive botnet of Internet-connected webcams and are using it to launch strikes against targets in Brazil and the US.

The botnet, tracked by computer security firm Arbor Networks, is the latest to misuse the computing power of the Internet-connected devices that make up the so-called “Internet of Things” (IoT).

Cumulative bandwidth

ukraine“Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions,” Arbor said in an advisory.

Industry observers have warned for some time that the massive number of connected devices flooding onto the market pose a growing security risk, and several large botnets made up of gadgets such as security cameras have already been reported.

Arbor said the attackers used a botnet called LizardStresser, originally written by the Lizard Squad hacking group, which released its source code publicly early last year.The botnet heightens the risk because it is easy to use and can be adapted to run on embedded devices without much difficulty.

Default passwords

“We’ve observed samples compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IoT devices,” the company said.

LizardStresser has a built-in telnet feature that allows it to scan for devices running known default or weak passwords, Arbor said.

Since such devices are likely already to be compromised, and thus to be running competing malware, the attack group in question singled out webcams running a particular type of generic code, called the NETSurveillance WEB interface, which is used by a number of different webcams and whose default administrator password was available on the Internet.

webcam © jcjgphotography ShutterstockThe group may also have focused on a particular geographic area, since the vast majority of the compromised devices were located in Vietnam, followed by Brazil, Arbor said.

“We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code,” Arbor said.

Even with such a narrow range of conditions, the attackers were able to construct a botnet of thousands of different units and to launch distributed denial-of-service attacks that peaked at 400 Gbps, without the use of techniques to amplify the traffic’s effect, something Arbor said was “a notable feat”.

The botnet’s targets have so far included two large Brazilian banks, two Brazilian telecommunications companies, two government agencies in the country and three large gaming companies based in the US, Arbor said.

“LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning,” the firm stated. “With minimal reseach into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.”

Last month researchers uncovered a botnet made up of more than 25,000 Internet-connected CCTV cameras, following a similar case last autumn in which another firm found a botnet of 900 such devices.


IoT devices are relatively easy to hack because they typically run embedded Linux, for which malware can be easily compiled, and which has little room for security features, Arbor said.

They typically have unrestricted access to the Internet, with no bandwidth caps, making them ideal for launching denial-of-service attacks, and they often re-use portions of hardware and software in different classes of devices, so that default passwords may be shared across different types of hardware, according to Arbor.

“It is this last reason – the reuse of default passwords a variety of different products in a particular class – which is the clincher, and opens doors for hackers to compromise a potentially commandeer a huge number of devices,” the firm wrote.

A study released last year found that up to 68 percent of IT professionals believe business efficiency requirements are forcing their organisations to adopt IoT devices in spite of the security risks.

Are you a security pro? Try our quiz!

SURVEY: Let us know your views on the IoT