The operators of a gaming server rental business are believed to have built an IoT DDoS botnet, which they are now offering as part of the server rental scheme.
The prime and pretty obvious clue that ties this new IoT botnet — named JenX— with the gaming server rental service is the IoT’s command-and-control server, located at skids.sancalvicie.com.
The botnet’s C&C server is found on the same server and domain used by the gaming server rental business —San Calvicie (sancalvicie.com).
Botnet most likely used for DDoS-for-hire feature
Researchers from cyber-security firm Radware, who discovered this new botnet, say JenX is likely the botnet that powers a DDoS function included in one of San Calvicie’s rental offers —named “Corriente Divina.”
For $16, users can rent a GTA San Andreas multiplayer modded server, for $9 they can rent a Teamspeak server, and for an additional $20 users can launch DDoS attacks of between 290 and 300 Gbps, according to the San Calvicie site.
The San Calvicie service claims the botnet can carry out Valve Source Engine Query and 32bytes DDoS floods. They also advertise a “Down OVH” option, suggesting their botnet is large enough to cause problems even for the world’s largest ISP and VPS providers.
JenX assembled from the source code of other botnets
According to an analysis by Radware’s Cyber Security Evangelist Pascal Geenens, JenX —the botnet believed to be behind San Calvicie’s DDoS-for-hire service— has been built by scrapping together different parts of several IoT botnets, whose source code leaked online in the past year.
For example, JenX uses two exploits previously used by the Satori botnet to break into devices and ensnare them into its grasp. These are CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017–17215 (Huawei Router HG532 arbitrary command execution).
In addition, JenX also borrowed some techniques from the PureMasuta botnet source code, recently posted online and detailed in this NewSky Security report.
JenX is also different in its own right
Both Satori and PureMasuta are variants of the Mirai IoT malware leaked online in late 2016, but despite this, JenX has its unique parts as well.
The main difference was its centralized infrastructure. While other botnets usually rely on infected hosts to perform the scanning of new hosts, JenX uses a central server.
“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” Geenens said.
But this central approach also has a bigger downside, as it makes it easier for security firms like Radware to file legal requests and take down the botnet, as the company did now.
At the time it published its report, Radware had already taken down servers hosting the botnet’s exploits and were only left with taking down the main command and control server, the same one that also hosts the San Calvicie website (still up, sadly).
Not currently a threat
For now, Radware also points out the botnet is not a serious threat. “Unless you frequently play GTA San Andreas, you will probably not be directly impacted,” Geenens said.
“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens added.
“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”
But nothing stands in the way of the San Calvicie gang moving their botnet control infrastructure to the Dark Web, where it’s harder to take down and even adding more DDoS attack vectors that could be used against more than just Valve-specific games.