Security researchers from Radware have discovered a new botnet that uses the same vulnerabilities as Satori bots to infect IoT devices through the community of Grand Theft Auto players.
Satori is a derivative version of the notorious Mirai botnet, which in 2016 paralyzed Dyn web services, the provider of DNS services that owners of some of the largest sites use.
Researchers have discovered that the botnet’s command server was located at SanCalvicie.com; the site offered support for the multiplayer mode of Grand Theft Auto: San Andreas.
Video games fans have created an extensive collection of additional components and modifications to make the game experience more vivid and rich. Sites like San Calvicie attract GTA players who want to host their own special versions of GTA for multiplayer mode.
What’s more interesting SanCalvicie.com offered paid DDoS attack services. The website statement started like: “The wrath of God will fall upon the IP address you give us…”
DDoS services were provided with a guaranteed throughput of 90-100 Gbit/s, with vectors such as the Valve Source Engine Query flow and 32-byte flood, TS3 scripts. Starter package price is $20 per IP and 290 to 300 Gb/s DDoS capacity.
A DDoS bot that uses the San Calvicie hosting service and named JenX, is based on the existing code but deployed in a different way than previous versions.
Unlike last year’s IoT botnets, this botnet uses its own servers to perform scanning and exploitation.
Almost all previous IoT botnets, including Mirai, Reaper, Persirai, and Satori use a distributed approach for scanning and exploitation. That is, every infected victim with performs its own search for new victims. Such distributed scanning ensures the exponential growth of the botnet. But to use such approach it is necessary to sacrifice flexibility and complicate the very malicious program.
JenX’s growth rate is relatively low but due to the centralized approach, this botnet is better protected from detection.
Although the circle of persons threatened by JenX is mostly made up of GTA San Andreas users, nothing prevents using this cheap service (only $20 per victim) to launch attacks of 290 Gbit/s against business or government websites. The appearance of this IoT botnet should be seen as a serious warning.
Radware sent out notices of misuse related to JenX, which limited the activity of the botnet, but it still works. The JenX network is implemented in such a way that it is very difficult to turn it off.
As crooks chose a centralized scan and exploit approach, they can easily transfer their malicious activities to bullet-proof hosting services that provide anonymous VPS and dedicated servers in offshore zones. Such suppliers do not care about complaints and abuse and host even the deadliest threats like extortion viruses. Some of such services offer darknet hosting options. If the servers carrying out the exploit are moved to the darknet, it will be much more difficult to track and stop them.