LizardStresser recruits an army of zombie webcams to launch DDoS attacks

Do you have an internet-accessible webcam?

If so, are you sure it is secured with a strong password and not still using the default password that it shipped with?

Because if you have left your internet-accessible webcam unsecured, there is a chance that it has been compromised by malicious hackers and is participating in a wave of enormous distributed denial-of-service (DDoS) attacks against gaming sites, online banks, ISPs, and government departments.

As researchers at Arbor Networks report, there are over 100 botnets being controlled by variants of LizardStresser, a DDoS toolkit originally created by the notorious Lizard Squad hacking gang.

Some members of the original Lizard Squad hang are behind bars or keeping their head low from the authorities, but that doesn’t mean that LizardStresser has ceased its activities. In fact, it has ramped up its activity, with other hacking groups deploying its code – published on the internet by Lizard Squad in early 2015 – for the purposes of mischief-making, extortion and hacktivism.

The botnets are largely made up of IoT-based devices running Linux – in particular internet-accessible webcams – that have been connected to the net without changing their passwords from defaults like “root”, “admin”, “1234”, “password” and the somewhat tragic “changeme”.

Arbor’s researchers explain that IoT (Internet of Things) devices make for ideal DDoS bots for a number of reasons:

• They typically run an embedded or stripped-down version of the familiar Linux operating system. Malware can easily be compiled for the target architecture, mostly ARM/MIPS/x86.
• If they are Internet-accessible, they most likely have total access to the Internet without any bandwidth limitations or filtering.
• The stripped-down operating system and processing power in most IOT devices leaves less room for security features, including auditing, and most compromises go unnoticed by the owners.
• In order to save engineering time, manufacturers of IOT devices sometimes re-use portions of hardware and software in different classes of devices. As a product of this software re-use, the default passwords used to initially manage the device may be shared across entirely different classes of devices.

And it is this last reason – the reuse of default passwords a variety of different products in a particular class – which is the clincher, and opens doors for hackers to compromise a potentially commandeer a huge number of devices.

Researchers claim that the DDoS attacks have spiked at over 400 Gbps, attacking the websites of large Brazilian banks, telecoms companies, two Brazilian government agencies and three large US-based gaming companies. Around 90% of the bots participating in the attack are believes to be webcams.

The shame of it all is, of course, that this was so easy to avoid. If users had changed the default passwords on their internet-enabled webcam software, or if the software itself had insisted that users choose a new password then there would be a far smaller surface of attack for LizardStresser and less opportunities of it to grow its army of zombie webcams.