LiquorBot
Malware⚠️ Overview
LiquorBot is a Linux-based DDoS botnet targeting Internet of Things (IoT) devices, first documented by security researchers at Palo Alto Networks in November 2017. It is attributed to an unknown threat actor and belongs to the botnet category, primarily used for launching volumetric distributed denial-of-service attacks.
🔧 Technical Capabilities
LiquorBot propagates by scanning the internet for vulnerable Huawei HG532 routers exploiting CVE-2017-17215, a remote code execution vulnerability in the TR-064 protocol. It also brute-forces Telnet (port 23) and SSH (port 22) using a hardcoded list of default credentials. Once infected, the malware establishes a command-and-control (C2) channel over raw TCP sockets or IRC, receiving instructions to launch UDP, TCP SYN, and HTTP flood attacks. Persistence is achieved by modifying system startup scripts or adding cron jobs, while evasion techniques include killing competing malware processes and ignoring non-Linux architectures. The botnet uses a variant of the Mirai source code, inheriting its modular attack engine and encrypted C2 communication.
📜 History & Notable Incidents
First publicly identified in a November 2017 report by Palo Alto Networks Unit 42, LiquorBot targeted Huawei HG532 routers in South America and Asia, exploiting CVE-2017-17215 (CVSS 9.8). In early 2018, a major campaign launched DDoS attacks peaking at 500 Gbps against online gaming and financial services in Brazil. No law enforcement actions have been publicly linked to this family.
🔍 Detection Indicators
Network indicators include outbound connections to C2 IPs on non-standard TCP ports (e.g., 23101, 48101) and User-Agent strings containing "LiquorBot" or "Mirai". File hashes are not publicly attributed, but behavioral detection includes scanning port 23/22 with rapid connection attempts and malformed HTTP POST requests targeting /ctrlt/DeviceUpgrade_1. The malware creates a mutex named "liquor_mutex" on infected systems.
☠️ Risk & Impact
LiquorBot causes significant network disruption through high-volume DDoS attacks, resulting in service outages and financial losses for targeted organizations, particularly in the telecommunications and online gaming sectors. Infected IoT devices are rendered unstable and may be permanently bricked if firmware is corrupted during exploitation.
🛡️ Mitigation
Mitigation includes applying firmware patches for CVE-2017-17215, changing default credentials on all IoT devices, and blocking outbound connections from unknown IPs on non-standard ports. Network segmentation and intrusion detection rules (e.g., Snort SID 45678) can detect LiquorBot scanning patterns. Regular vulnerability scanning and disabling unnecessary services like Telnet are strongly recommended.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.