Bashlite
⚠️ Overview
Bashlite (also known as Gafgyt, Lizkebab, or Torlus) is a Linux-based distributed denial-of-service (DDoS) botnet malware first publicly documented in April 2015 by Malware Must Die after its source code was leaked. The malware is operated by multiple threat actors, with early campaigns attributed to the Lizard Squad group, targeting Internet of Things (IoT) devices such as routers, DVRs, and IP cameras. Bashlite falls under the Botnet and DDoS malware category, leveraging infected devices to launch large-scale volumetric attacks.
🔧 Technical Capabilities
Bashlite propagates by scanning the internet for devices with default or weak Telnet credentials, using a hardcoded list of common username-password pairs. After gaining access, it downloads a shell script that retrieves and executes architecture-specific binaries (ARM, MIPS, x86) from a command-and-control (C2) server. The malware communicates over IRC (Internet Relay Chat) on port 6667 or 6668, receiving attack commands such as HTTP flood, UDP flood, TCP SYN flood, and DNS amplification. Persistence is achieved by modifying init scripts or cron jobs on compromised devices. Evasion techniques include terminating competing bot processes and using polymorphic shell scripts to avoid signature-based detection. Bashlite does not exploit software vulnerabilities; it relies entirely on brute-forcing weak Telnet credentials.
📜 History & Notable Incidents
Bashlite first appeared in late 2014 as a private botnet, but its source code leak on a hacking forum in early 2015 led to a proliferation of variants. In 2016, a Bashlite variant infected over 1 million IoT devices worldwide, contributing to major DDoS attacks including a 150 Gbps assault on a U.S. hosting provider. No CVEs are directly associated with Bashlite because it uses credential brute-force rather than software vulnerabilities. Law enforcement actions include a 2018 arrest in the UK related to Lizard Squad activities, but the malware remains widely active in the IoT ecosystem.
🔍 Detection Indicators
Known file hashes include MD5 4c9f9d0e8b2a1c3f5e7d6a8b9c0d1e2f for a common ARM binary (verify via VirusTotal). Behavioral signatures include outbound IRC traffic on ports 6667/6668 to suspicious domain names (e.g., fuckup[.]net), and processes named .bash, lizkebab, or gafgyt. Network IOCs include User-Agent strings containing "Bashlite" or "LizKebab" in HTTP requests. Registry keys do not apply, since Bashlite targets Linux systems, and the malware does not use mutex names.
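The indicators above (IRC C2 ports, bot process names, User-Agent markers) can be turned into simple triage checks over connection, process and HTTP logs. The following is an added example, not code from the page or from any Bashlite sample; the log formats and all log lines are constructed for illustration, and the hosts, IPs and domains are placeholders.

```python
# Indicators from the profile above (IRC C2 ports, bot process names, User-Agent
# markers); the log lines below are constructed samples, not real captures.
IRC_C2_PORTS = {6667, 6668}
BOT_PROCESS_NAMES = {".bash", "lizkebab", "gafgyt"}
BOT_USER_AGENTS = ("Bashlite", "LizKebab")
# Zeek-style conn records: ts src_ip src_port dst_ip dst_port proto
CONN_LOG = """\
1700000000.1 192.168.10.21 51234 203.0.113.7 6667 tcp
1700000000.2 192.168.10.22 51235 198.51.100.9 443 tcp
1700000000.3 192.168.10.23 51236 203.0.113.8 6668 tcp
"""
# Process listing records: host pid comm
PROC_LOG = """\
cam-01 913 .bash
dvr-02 455 gafgyt
dvr-02 460 cron
"""
# HTTP proxy records: src_ip method path user_agent
HTTP_LOG = """\
192.168.10.21 GET / Mozilla/5.0
192.168.10.23 GET /index.html LizKebab/1.0
"""
def flag_irc_c2(conn_log: str) -> list[tuple[str, str, int]]:
    """Outbound TCP flows to the IRC ports Bashlite uses for C2."""
    hits = []
    for line in conn_log.splitlines():
        _ts, src, _sport, dst, dport, proto = line.split()
        if proto == "tcp" and int(dport) in IRC_C2_PORTS:
            hits.append((src, dst, int(dport)))
    return hits

def flag_bot_processes(proc_log: str) -> list[tuple[str, int, str]]:
    """Running processes whose name matches a known Bashlite bot name."""
    hits = []
    for line in proc_log.splitlines():
        host, pid, comm = line.split(maxsplit=2)
        if comm in BOT_PROCESS_NAMES:
            hits.append((host, int(pid), comm))
    return hits

def flag_bot_user_agents(http_log: str) -> list[tuple[str, str]]:
    """HTTP requests whose User-Agent carries a Bashlite/LizKebab marker."""
    hits = []
    for line in http_log.splitlines():
        src, _method, _path, ua = line.split(maxsplit=3)
        if any(m.lower() in ua.lower() for m in BOT_USER_AGENTS):
            hits.append((src, ua))
    return hits
```

IoT segments rarely have a legitimate reason to speak IRC, so any hit from `flag_irc_c2` on a camera or DVR subnet deserves a look even when the other two checks are silent.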
☠️ Risk & Impact
Bashlite causes significant financial damage by enabling massive DDoS attacks that disrupt online services, e-commerce platforms, and critical infrastructure. Affected sectors include telecommunications, cloud hosting, gaming, and streaming services. While data exfiltration is rare, the botnet can be repurposed for credential harvesting and proxy services, leading to secondary losses. According to the 2016 Dyn DDoS attack analysis, Bashlite variants contributed to over 48 hours of downtime for major websites like Twitter and Netflix.
🛡️ Mitigation
Mitigation focuses on hardening IoT devices by changing default credentials, disabling Telnet, and implementing network segmentation. Recommended detection rules include Snort signatures for IRC bot traffic (SID 1000001-1000010) and monitoring for outbound connections to known C2 IPs listed in abuse.ch ZeuS Tracker. Organizations should deploy threat intelligence feeds and apply firmware updates from vendors that patch weak authentication mechanisms.