It appears the operators of a gaming server rental business are diversifying their product offering. The company is believed to have built an IoT DDoS botnet, which they are now offering as part of the server rental scheme. This belief rests on one fairly significant clue: the new IoT botnet, called JenX, operates from the same server used by the company, located at skids.sancalvicie.com. In addition, the botnet's command and control server sits on the same server and domain used by the gaming server rental business, San Calvicie (hxxp://sancalvicie.com).
Researchers from Radware, who discovered JenX, concluded that the new botnet is likely the one powering a DDoS function included in one of San Calvicie's rental offers, which the operators named "Corriente Divina". According to the company's website, for 16 USD users can rent a GTA San Andreas multiplayer modded server, for 9 USD they can rent a Teamspeak server, and for an additional 20 USD users can launch DDoS attacks of between 290 and 300 Gbps. The DDoS service offered by the company is claimed to be able to carry out Valve Source Engine Query and 32-byte DDoS floods. They also advertise a "Down OVH" option, suggesting their botnet is large enough to cause problems even for one of the world's largest ISP and VPS providers.
According to the researchers at Radware, JenX is not an entirely new botnet. Rather, it is a Frankenstein of sorts. JenX has been built by cobbling together parts of several IoT botnets whose source code leaked online in the past year. For example, JenX uses exploits previously used by the Satori botnet to break into devices and ensnare them, namely CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). Satori is not the only source JenX has borrowed from: it also took some techniques from the PureMasuta botnet source code. Details of the Masuta botnet were published by Newsky Security in a detailed report explaining how it weaponized a router exploit.
JenX Is More Than Meets the Eye
While JenX borrows from both Satori and PureMasuta, themselves variants of the Mirai IoT malware whose source was leaked in 2016, this latest botnet has some unique features in its own right. JenX is unique in the sense that it operates from a centralized infrastructure. Whereas other botnets usually rely on the infected hosts themselves to scan for new victims, JenX uses a central server. This approach has a few drawbacks. As Pascal Geenens, the researcher analyzing the botnet, explains: “The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets.”
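The growth difference Geenens describes can be made concrete with a small recruitment model. The following is an added example, not code from Radware or from the JenX analysis: it treats scanning as a fixed number of random probes per tick against a constructed address pool, and compares a botnet whose scanning is done by a fixed pool of central servers with one where every infected host scans. The address-space size, vulnerable-host count, probe rate and server count are all assumed values chosen for illustration. It also shows the takedown consequence discussed below: removing the central scanners stops recruitment outright, whereas a distributed botnet keeps spreading.

```python
"""Toy recruitment model: centrally scanned botnet vs distributed scanning.

All parameters below are constructed assumptions for illustration, not
measurements of JenX or any real botnet.
"""

ADDRESS_SPACE = 1_000_000   # assumption: size of the address pool being scanned
VULNERABLE = 10_000         # assumption: exploitable hosts inside that pool
PROBES_PER_TICK = 50        # assumption: probes each scanner sends per tick
SEED_BOTS = 10              # assumption: hosts already infected at t = 0


def step(infected, scanners):
    """Expected number of infected hosts after one tick.

    Each probe lands on a not-yet-infected vulnerable host with probability
    (VULNERABLE - infected) / ADDRESS_SPACE, so the expected gain is
    scanners * PROBES_PER_TICK * that probability, capped at VULNERABLE.
    """
    remaining = VULNERABLE - infected
    hit_probability = remaining / ADDRESS_SPACE
    gained = scanners * PROBES_PER_TICK * hit_probability
    return min(infected + gained, VULNERABLE)


def scanner_count(mode, infected, central_servers):
    """Central: a fixed server pool scans. Distributed: every bot scans."""
    if mode == "central":
        return central_servers
    if mode == "distributed":
        return infected
    raise ValueError(f"unknown mode {mode!r}")


def simulate(mode, ticks, central_servers=10):
    """Return the infected-host trajectory over `ticks` steps."""
    infected = float(SEED_BOTS)
    history = [infected]
    for _ in range(ticks):
        infected = step(infected, scanner_count(mode, infected, central_servers))
        history.append(infected)
    return history


def ticks_to_fraction(mode, fraction=0.5, central_servers=10, max_ticks=100_000):
    """Ticks until `fraction` of the vulnerable hosts are infected, or None
    if the botnet never gets there (e.g. central scanners taken down)."""
    target = fraction * VULNERABLE
    infected = float(SEED_BOTS)
    for tick in range(1, max_ticks + 1):
        infected = step(infected, scanner_count(mode, infected, central_servers))
        if infected >= target:
            return tick
    return None


if __name__ == "__main__":
    print("central, 10 servers :", ticks_to_fraction("central", central_servers=10))
    print("central, 20 servers :", ticks_to_fraction("central", central_servers=20))
    print("central, 0 servers  :", ticks_to_fraction("central", central_servers=0))
    print("distributed         :", ticks_to_fraction("distributed"))
```

In this model the central variant's recruitment rate is fixed by the number of scanning servers, so reaching half the vulnerable population takes on the order of a thousand ticks and doubling the server pool roughly halves that time, whereas the distributed variant's rate grows with every new bot and it crosses the same threshold in well under thirty ticks. The `central_servers=0` case is the takedown scenario: with the scanners gone, the infected count never moves.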
Another major drawback, perhaps far more critical, is that the centralized approach makes it far easier for security firms like Radware to file legal requests and take down the botnet, as Radware has now done. At the time it published its report, Radware had already taken down the servers hosting the botnet's exploits and was left only with taking down the main command and control server, the same one that also hosts the San Calvicie website. Unfortunately, the main command and control server, and thus the San Calvicie website, is still operational. At the time of writing, the website itself featured Geenens' head superimposed on a character from the GTA series in a somewhat childish display of defiance.
A Threat to GTA Players Only
Radware acknowledges that JenX is not a major threat. Only those who frequently play the game are likely to suffer directly from the operators' actions. The botnet serves a very specific purpose in that it would be used exclusively to disrupt the services of competing GTA SA multiplayer servers. On that basis, it is difficult to see it being used to deny services across the internet at large. Despite the narrow focus, Geenens feels JenX contains some interesting new evolutions that will find their way into future botnets, which makes it an interesting case in that sense. However, while not necessarily a major threat as yet, nothing stops someone from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government-related targets. The operators of San Calvicie may in future see a business opportunity in doing exactly that.
According to Geenens' analysis, JenX could easily be concealed and hardened against takedowns. The operators in this instance opted for a centralized infrastructure, but there is very little stopping them from moving their exploit operations to bulletproof hosting providers who offer anonymous VPS and dedicated servers from offshore jurisdictions. To further harden the DDoS service offered by the hackers, who seem to have no moral qualms about abusing services, the exploit servers could be moved to the Darknet. If this happened it would make it much more difficult to track down the servers' location and take them down, and it would add further DDoS attack vectors that could be used against more than just Valve-specific games.
Unfortunately, this scenario is more than a “what if”. The BrickerBot malware did exactly that by operating from within the Darknet. BrickerBot is a botnet that permanently incapacitates poorly secured IoT devices before they can be conscripted into Internet-crippling denial-of-service armies. It appeared almost from nowhere, managing to perform nearly 12 attacks per day on average. Hackers continually illustrate that they are capable of learning the lessons of those who have gone before them. Seeing that IoT devices are notoriously vulnerable to exploitation, it seems it may only be a matter of time until the next DDoS attack makes the headlines for all the wrong reasons.