Lizard Squad Botnet Hijacks Thousands of Home Routers

Factory-default usernames and passwords for home routers are once again the culprits behind two high-profile distributed denial of service (DDoS) attacks on Sony and Microsoft’s gaming networks.

Both the PlayStation Network and Xbox Live were knocked offline in August and over the holidays respectively by a group known as Lizard Squad. The group runs a DDoS-for-hire service called Lizard Stresser, where people can pay to take corporate or individual websites offline for a specified period of time. According to independent researcher Brian Krebs, the stresser—hosted by a dodgy ISP in Bosnia—is fed by bandwidth from hacked home Internet routers worldwide.

The botnet also contains commercial routers at universities and companies, and Krebs said that there are “undoubtedly” other devices involved.

“The preponderance of routers represented in the botnet probably has to do with the way that the botnet spreads and scans for new potential hosts,” he said in a posting. “But there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.”

This is the latest in bandwidth schemes that Lizard Squad has had.

Investigators told Krebs that it had been renting cloud capacity from Google using stolen credit cards, until Google got wind of the situation and shut them down. And, it was planning to use hundreds of servers to act as Tor relays, taking down the anonymity.

Investigators are working with law enforcement to disrupt the operation, and are making progress on identifying the culprits.

“[The Bosnian ISP]  happens to be on the same ‘bulletproof’ hosting network advertised by 'sp3c1alist,' the administrator of the cybercrime forum Darkode,” Krebs said. “Until a few days ago, Darkode and LizardStresser shared the same Internet address. Interestingly, one of the core members of the Lizard Squad is an individual who goes by the nickname ‘Sp3c.’”

The group also has a hacktivist aspect to it. For one, it appears to support ISIS. It also sent a tweet to American Airlines in August claiming that there was a bomb on board a flight carrying Sony Online Entertainment president John Smedley. The flight, which had 179 passengers, was on its way to San Diego, but made an unplanned landing in Phoenix after the tweet went out. After being checked and cleared by bomb dogs, the flight got back on its way.

What’s Hot on Infosecurity Magazine?