Skip to main content

Hacked Home Routers Power Lizard Squad's DDoS Tool

How did the pugnacious online-prankster group called Lizard Squad muster enough power to knock two major gaming networks offline last month? It appears that the group's distributed denial of service (DDoS) attacks were powered by a botnet comprised of thousands of hacked home routers. If your router still uses its factory-default username and password, then you're vulnerable too.

Lizard Squad's botnet, or array of secretly linked machines, is stitched together by a piece of malware that scans the Internet for routers whose login credentials are the factory default, reports independent security journalist Brian Krebs. In this way, infected routers already in the botnet seek out, log into and infect other vulnerable routers, thus expanding the botnet's power.

MORE: Your Router's Security Stinks: Here's How to Fix It

Lizard Squad has made a name for itself by staging a series of high-profile DDoS attacks on major gaming networks. The attacks started in August, but got major media attention recently when the group took down both Sony's PlayStation Network and Microsoft's Xbox Live network on Christmas Day. DDoS attacks work by overloading a targeted server with requests until the server can't keep up with the demand and goes offline.

Lizard Squad later boasted that the Christmas attacks were a live demonstration of a DDoS tool it dubbed Lizard Stresser, which the group's Twitter account said would be available for rent on the online black market.

On Jan. 4, Krebs and a group of security researchers discovered that the tool is powered by the collective bandwidth of a botnet, comprised of infected home routers and other Linux-based Internet-connected devices. Lizard Squad also boasted in a Tweet on January 9 that its "private ddos [sic] service is powered by 250-500k infected routers."

In other words, it's conceivable that the attack that kept you off your favorite gaming networks on Christmas Day was powered by your own home router.

Though the botnet is primarily comprised of home routers, Krebs says that just about any Internet-connected device with a Linux operating system is vulnerable. Commercial routers from universities and businesses can also be found in the botnet.

The malware itself is a variation of a 2014 piece of malware first detected by Russian security firm Dr. Web. Inside the botnet's malware, Krebs found the botnet controller's Internet address. 

Law enforcement is currently investigating the botnet, but meanwhile, you can protect yourself from this and similar botnet infections by giving your router a strong, unique username and password combination. You should also check to see if your router has the latest firmware installed, and if not, upgrade it.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.