Bashlite

Bashlite, also known as Qbot, Lizkebab, Torlus, and Gafgyt, was discovered in September 2014, shortly after the ShellShock vulnerability in the Bash command shell was publicized. Bash is the default shell on most Linux systems, and since many IoT devices run Linux, botnet developers quickly took advantage of this widely publicized vulnerability. After Bashlite’s source code was leaked in early 2015, more than a dozen variants of this botnet-building malware appeared and were used to infect over 1 million devices. According to researchers who studied this botnet, DVRs and cameras account for 95 percent of all Bashlite infections, home routers for four percent, and Linux servers for the remaining one percent. Most of the infected devices are located in Brazil, Taiwan, and Colombia, and consist mainly of vulnerable DVRs labeled “H.264 DVR” manufactured by the China-based firm Dahua Technology. Many of these devices ship with telnet access and web interfaces enabled and protected only by default credentials, which is the foothold the malware relies on. By the end of August 2016, Flashpoint researchers had identified over 200 C2 servers tied to the Bashlite family of malware; the largest of these was communicating with approximately 120,000 bots. Bashlite’s code served as the precursor to the Mirai botnet. 

Reporting

  • January 2017: One of the alleged authors of Bashlite claims to have been forced to publish the botnet’s code online after a fellow hacker threatened to dox him and swat his home. (KrebsOnSecurity)

Technical Details