The Gafgyt IoT botnet family and exploitation of backdoor vulnerabilities in IoT devices
2022-06-30 21:11:00 【Qianli ZLP】
I. Virus introduction
Gafgyt (also called BASHLITE, Qbot, Lizkebab, LizardStresser) is an IRC-based IoT botnet program, mainly used to launch DDoS attacks. It spreads itself by telnet brute-forcing with a built-in username and password dictionary and by exploiting RCE (remote command execution) vulnerabilities in IoT devices. In 2015 its source code was leaked and uploaded to GitHub, and many variants have been derived from it since. The following year the total number of infected IoT devices on the Internet reached 1 million. The Gafgyt family has launched a DDoS attack peaking at 400 Gbps. As of the end of 2019, Gafgyt was still the largest active IoT botnet family apart from the Mirai family.
II. Function modules
The main functions of the Gafgyt family's bot program are divided into 3 modules:
1. Downloader module. It downloads shell scripts and other accompanying samples from URLs hard-coded in the sample, then executes the downloaded scripts and samples, thereby propagating the bot program;
2. Scanner module. After the bot program runs, it first sends a first packet to the control end. This first packet differs considerably from the first packet of typical botnet families: the first packet of common botnet families contains information such as system configuration, whereas the data in Gafgyt's first packet is "BUILD RAZER.". The control end usually replies "!* SCANNER ON", commanding the controlled end to follow
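
The check-in exchange described above can be matched in captured traffic. The following detection sketch is an added example, not part of the original article or of any Gafgyt code: the `Segment` record, the flow ids, the sample traffic and the looser "BUILD <tag>" pattern for variants are assumptions; only the two quoted strings come from the article.

```python
import re
from dataclasses import dataclass

# The two strings below come from the article; everything else is constructed.
CHECKIN = b"BUILD RAZER."
SCAN_ON = b"!* SCANNER ON"
# Assumption: variants may change the build tag, so also accept "BUILD <tag>".
CHECKIN_LOOSE = re.compile(rb"^BUILD [A-Za-z0-9_-]{1,32}\.?$")

@dataclass
class Segment:
    flow: str          # hypothetical flow id "src:port>dst:port"
    from_client: bool  # True when sent by the connection initiator
    payload: bytes

def classify_flows(segments):
    """Map flow id -> verdict for flows whose first client payload is a check-in."""
    seen_client = set()
    verdicts = {}
    for seg in segments:
        data = seg.payload.strip()
        if seg.from_client:
            if seg.flow in seen_client:
                continue  # only the first client payload is the "first packet"
            seen_client.add(seg.flow)
            if data == CHECKIN:
                verdicts[seg.flow] = "checkin"
            elif CHECKIN_LOOSE.match(data):
                verdicts[seg.flow] = "checkin-variant"
        elif seg.flow in verdicts and not verdicts[seg.flow].endswith("+scanner-on"):
            # A server reply only matters on a flow that already checked in.
            if any(line.strip() == SCAN_ON for line in data.splitlines()):
                verdicts[seg.flow] += "+scanner-on"
    return verdicts

# Constructed sample traffic (private and documentation-range addresses, made-up ports).
SAMPLE = [
    Segment("10.0.0.5:41822>203.0.113.9:666", True, b"BUILD RAZER.\n"),
    Segment("10.0.0.5:41822>203.0.113.9:666", False, b"!* SCANNER ON\n"),
    Segment("10.0.0.7:50100>198.51.100.4:80", True, b"GET /BUILD RAZER. HTTP/1.1\r\n"),
    Segment("10.0.0.8:50222>203.0.113.9:666", True, b"BUILD MIPSEL\n"),
    Segment("10.0.0.9:50300>198.51.100.4:6667", True, b"NICK bob\r\n"),
    Segment("10.0.0.9:50300>198.51.100.4:6667", False, b"!* SCANNER ON\n"),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

Anchoring on the first client payload and requiring the reply on the same flow keeps the string from matching when it merely appears inside unrelated traffic, such as the HTTP request in the sample.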