BASHLITE
BASHLITE is a malware family targeting Linux-based systems, particularly Internet of Things (IoT) devices such as digital video recorders (DVRs), IP cameras, and routers, to form botnets that conduct distributed denial-of-service (DDoS) attacks.[1][2] First identified in September 2014, it exploits vulnerabilities like the ShellShock flaw in the Bash command shell, as well as weak default credentials on telnet and web interfaces, to propagate and infect devices.[1][3] The malware, also known by aliases including Gafgyt, Qbot, Lizkebab, and Torlus, originated as an IRC-based botnet before evolving to target IoT ecosystems, infecting over one million devices by mid-2016 and establishing command-and-control (C2) servers managing up to 120,000 bots each.[1][2] Its capabilities include executing high-volume DDoS floods via protocols such as TCP SYN, UDP, ICMP, and GRE, with attack potentials reaching up to 400 Gbps; it also daemonizes processes, kills rival malware like Mirai variants, and has been adapted to target cloud environments and GPU resources for cryptomining in recent iterations.[2][4] Primarily affecting DVRs and cameras (accounting for 95% of infections), it has hit routers from vendors like Huawei, Asus, Zyxel, and DrayTek, exploiting remote code execution flaws in these devices.[1][2] BASHLITE's source code leaked in early 2015, spawning over 12 variants and serving as a precursor to the more sophisticated Mirai botnet, which amplified its influence on global cybersecurity by enabling massive DDoS incidents, including a record 620 Gbps attack on security researcher Brian Krebs in 2016.[1][3][2] Ongoing campaigns, such as those in 2019 targeting over 32,000 vulnerable WiFi routers worldwide and 2024 exploits of misconfigured Docker APIs and weak SSH passwords, underscore its persistence and adaptation to modern infrastructures like cloud-native setups; variants remain active as of 2025.[1][5][4][6]
Overview
Discovery and Initial Naming
BASHLITE was first detected in September 2014 by security researchers shortly after the disclosure of the ShellShock vulnerability (CVE-2014-6271), a critical flaw in the Bash shell that allowed remote code execution on affected Linux systems.[1] The malware emerged amid widespread exploitation attempts targeting vulnerable servers and embedded devices, with early detections tied to scans leveraging the newly revealed Bash weakness.[7] Trend Micro researchers coined the name BASHLITE to reflect the malware's reliance on the Bash shell for propagation and infection, releasing a dedicated scanner tool just days after ShellShock's public reveal on September 24, 2014.[7] This naming highlighted its Linux-specific nature and distinguished it from prior botnet threats. Subsequent analyses confirmed its focus on commandeering Linux-based IoT devices for coordinated attacks.[8] As awareness grew, other security firms adopted alternative designations based on observed samples and behaviors: Gafgyt, a name Trend Micro also uses in parallel, along with Lizkebab, Torlus, and Qbot from various researchers tracking its variants.[1][8] Early reports from firms like Trend Micro linked BASHLITE to a surge in Linux infections, particularly on unsecured embedded systems, setting the stage for its role in broader DDoS botnet ecosystems.[9]
Core Purpose and Operations
BASHLITE is a malware family designed primarily to infect Linux-based systems and Internet of Things (IoT) devices, enlisting them into a botnet for conducting distributed denial-of-service (DDoS) attacks.[10][1] Its core objective is to overwhelm targeted servers, websites, or networks with excessive traffic, rendering them inaccessible to legitimate users.[11] By exploiting vulnerabilities and weak credentials, BASHLITE transforms everyday connected devices—such as routers, cameras, and digital video recorders—into unwitting participants in these attacks.[12]
The operational workflow of BASHLITE begins with the compromise of vulnerable devices, often through scanning for open telnet or SSH ports and attempting logins with default or common credentials.[10] Once infected, the malware establishes a connection to a command-and-control (C2) server, where it awaits instructions from the botnet operator.[11] Upon receiving commands, infected devices execute coordinated flood-based DDoS attacks, such as TCP or UDP floods, directing traffic toward specified IP addresses or domains to exhaust the target's resources.[10] This process allows the botnet to scale attacks rapidly by leveraging the collective bandwidth of numerous compromised systems.[1]
BASHLITE demonstrated significant scale potential from its emergence. By mid-2016, research identified over 1 million devices under its influence across multiple C2 servers, highlighting its ability to amass large armies of bots primarily from IoT ecosystems.[1] This growth underscored the malware's reliance on the expanding proliferation of unsecured connected devices.[10]
Technical Architecture
Infection Vectors
BASHLITE primarily infects devices by exploiting the Shellshock vulnerability (CVE-2014-6271) in the GNU Bash shell, targeting Linux-based systems through HTTP requests to vulnerable web servers or CGI scripts that invoke Bash.[13] This method allows attackers to execute arbitrary commands remotely, downloading and running malware payloads such as scripts (e.g., bin.sh) that install the botnet agent on unpatched embedded devices, including those using BusyBox for lightweight Unix-like environments common in IoT hardware.[13]
In addition to Shellshock, BASHLITE spreads by scanning for open Telnet (ports 23 and 2323) and SSH ports on internet-connected devices, attempting logins with a hardcoded list of weak or default credentials, such as "admin," "root," or "123456."[1][14] This brute-force approach exploits factory-default settings on IoT devices like routers, DVRs, and IP cameras from manufacturers such as Dahua, Zyxel, and Huawei, which often ship with enabled remote access and unchanged passwords.[1]
The malware focuses on Linux-based embedded systems and unpatched servers, prioritizing those exposed to the internet via Shodan-like scans for vulnerable ports and services, enabling rapid propagation across networks of IoT devices with minimal security configurations.[1][14]
Command and Control Structure
BASHLITE utilizes a centralized command and control (C2) architecture centered on dedicated servers that manage communications with infected IoT devices through a custom protocol modeled after Internet Relay Chat (IRC). The malware embeds hardcoded IP addresses of these C2 servers directly into its binary, enabling bots to connect immediately after infection without relying on dynamic resolution. These servers, frequently hosted on cloud providers or content delivery networks, allow operators to broadcast directives to thousands of compromised devices simultaneously, with analysis identifying 486 unique C2 IPs distributed across 93 autonomous systems in 32 countries.[15]
The communication protocol operates over unencrypted TCP connections in plaintext, emulating IRC functionality while remaining lightweight to suit resource-constrained IoT hardware. Bots initiate sessions with C2 servers, typically on IRC-standard port 6667, though propagation often involves Telnet interactions on port 23. Commands are formatted as simple strings prefixed by an exclamation mark, such as "!* TCPFLOOD <target IP> <port> <duration> <threads> <flags>", which instruct bots to execute specific actions; observed commands fall into categories like attacks (66.4% of traffic), management (18.4%), and interrupts (13.1%), with keep-alive PING/PONG messages exchanged every 60 seconds to sustain connections.[15][16]
For sustained operation and botnet growth, BASHLITE integrates self-propagation scripts within infected devices that continuously scan the network for new victims using brute-force credential attacks on Telnet and SSH services. Successful infections are reported back to the C2 server via the IRC-like channel, enabling automated expansion without manual intervention from operators; this mechanism, activated by commands like "!SCANNER ON," ensures the botnet's resilience and scale post-infection.[16]
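The behaviours described under Technical Architecture (the Shellshock and credential-guessing infection vectors in Infection Vectors, and the plaintext "!"-prefixed command channel with its PING/PONG keep-alives in Command and Control Structure) can be turned into detection logic. The Python below is an added example written for this article; it is not code from the page, from BASHLITE itself, or from any vendor cited here. It runs three rules over a constructed stream of connection records: a Shellshock signature check on HTTP request data, a distinct-credential counter for Telnet and SSH ports, and a parser for C2 commands that reports the share of attack, management and interrupt directives, the keep-alive cadence, and the flood targets named in attack directives. The record format, the brute-force threshold of five attempts, the CGI-path heuristic, and every command name other than TCPFLOOD and SCANNER are assumptions; the sample records are constructed, not captured traffic.

```python
import re
import statistics
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Added example, not code from the page or from any vendor it cites. Three rules
# for the behaviours the Technical Architecture section describes: Shellshock
# probes ("() {" in HTTP data, weighted for CGI paths), Telnet/SSH credential
# brute force (many distinct logins from one source on ports 23/2323/22), and
# IRC-like C2 traffic ("!"-prefixed commands, PING/PONG keep-alives). The record
# format, the brute-force threshold, the CGI heuristic and every command name
# other than TCPFLOOD and SCANNER are assumptions made for illustration.

Record = namedtuple("Record", "ts src dst dport payload")

SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')                         # crafted Bash function header
CGI_RE = re.compile(r'/cgi-bin/|\.(?:cgi|sh)\b', re.IGNORECASE)  # assumed CGI path heuristic
C2_CMD_RE = re.compile(r'^!(?P<scope>\*)?\s*(?P<name>[A-Z]+)\s*(?P<args>.*)$')
LOGIN_RE = re.compile(r'^LOGIN\s+\S+:\S*$')                     # constructed "LOGIN user:pass" record
BRUTE_THRESHOLD = 5                                              # assumed distinct attempts per (src, dst)

def detect_shellshock(records):
    """(src, path, is_cgi) for HTTP records carrying the Shellshock signature."""
    findings = []
    for r in records:
        if r.dport in (80, 8080) and SHELLSHOCK_RE.search(r.payload):
            parts = r.payload.split()
            path = parts[1] if len(parts) > 1 else ""
            findings.append((r.src, path, bool(CGI_RE.search(path))))
    return findings

def detect_bruteforce(records, threshold=BRUTE_THRESHOLD):
    """(src, dst, attempts) where one source tried >= threshold distinct credentials."""
    creds = defaultdict(set)
    for r in records:
        if r.dport in (22, 23, 2323) and LOGIN_RE.match(r.payload):
            creds[(r.src, r.dst)].add(r.payload)
    return [(s, d, len(c)) for (s, d), c in creds.items() if len(c) >= threshold]

def classify_c2(payload):
    """Map one C2 line to (category, name, args) per the page's '!' grammar, or None."""
    if payload in ("PING", "PONG"):
        return "keepalive", payload, []
    m = C2_CMD_RE.match(payload)
    if not m:
        return None
    name, args = m["name"], m["args"].split()
    if name.endswith("FLOOD"):            # TCPFLOOD, UDPFLOOD, ...: attack directives
        return "attack", name, args
    if name == "SCANNER":                 # "!SCANNER ON" toggles self-propagation
        return "management", name, args
    if name in ("STOP", "KILLATTK"):      # assumed interrupt vocabulary
        return "interrupt", name, args
    return "other", name, args

def analyze_c2(records):
    """Return (category shares, median seconds between PINGs, flood targets)."""
    cats, pings, targets = Counter(), [], []
    for r in records:
        parsed = classify_c2(r.payload)
        if parsed is None:
            continue
        cat, name, args = parsed
        if cat == "keepalive":
            if name == "PING":
                pings.append(r.ts)
            continue
        cats[cat] += 1
        if cat == "attack" and len(args) >= 2 and args[1].isdigit():
            targets.append((args[0], int(args[1])))   # <target IP> <port> lead the arguments
    total = sum(cats.values())
    shares = {c: n / total for c, n in cats.items()} if total else {}
    gaps = [(b - a).total_seconds() for a, b in zip(pings, pings[1:])]
    return shares, (statistics.median(gaps) if gaps else None), targets

def _rec(hhmmss, src, dst, dport, payload):
    return Record(datetime.fromisoformat("2016-06-01T" + hhmmss), src, dst, dport, payload)

# Constructed sample traffic (not real captures): a benign web request, one
# Shellshock probe, a Telnet credential spray, and one bot-to-C2 session.
SAMPLE = [
    _rec("12:00:00", "203.0.113.5", "192.0.2.30", 80, "GET /index.html HTTP/1.1"),
    _rec("12:00:01", "198.51.100.9", "192.0.2.30", 80,
         "GET /cgi-bin/status.cgi HTTP/1.1 User-Agent: () { :;}; echo vulnerable"),
    *[_rec(f"12:00:{10 + i:02d}", "198.51.100.7", "192.0.2.20", 23, f"LOGIN {cred}")
      for i, cred in enumerate(["root:root", "admin:admin", "root:123456", "admin:", "root:admin"])],
    _rec("12:00:20", "198.51.100.7", "192.0.2.21", 2323, "LOGIN root:root"),
    _rec("12:01:00", "203.0.113.44", "192.0.2.20", 6667, "PING"),
    _rec("12:01:00", "192.0.2.20", "203.0.113.44", 6667, "PONG"),
    _rec("12:01:10", "203.0.113.44", "192.0.2.20", 6667, "!* TCPFLOOD 192.0.2.10 80 60 4 syn"),
    _rec("12:01:30", "203.0.113.44", "192.0.2.20", 6667, "!SCANNER ON"),
    _rec("12:02:00", "203.0.113.44", "192.0.2.20", 6667, "PING"),
    _rec("12:02:00", "192.0.2.20", "203.0.113.44", 6667, "PONG"),
    _rec("12:02:30", "203.0.113.44", "192.0.2.20", 6667, "!* UDPFLOOD 192.0.2.11 53 30 2"),
    _rec("12:03:00", "203.0.113.44", "192.0.2.20", 6667, "PING"),
    _rec("12:03:15", "203.0.113.44", "192.0.2.20", 6667, "!* STOP"),
]

if __name__ == "__main__":
    print("shellshock:", detect_shellshock(SAMPLE), "\nbruteforce:", detect_bruteforce(SAMPLE), "\nc2:", analyze_c2(SAMPLE))
```

Run as a script it prints the three findings. For the sample session the C2 parser reports a 60-second PING cadence and a 50/25/25 split between attack, management and interrupt directives, which are the kind of signals a network sensor would correlate against the proportions reported above; because the protocol is plaintext, the same parser can be applied directly to reassembled TCP payloads on port 6667. The flood targets it extracts are the hosts that would need to be notified, since those addresses are the victims named in the operator's directives rather than the bots themselves.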