Gafgyt Strikes Back: A botnet exploits vulnerabilities in D-Link devices

Some D-Link devices appear to be under attack by a variant of the well-known Gafgyt malware, which exploits a vulnerability in them. The news was disclosed by researchers from the Netlab 360 group, who set out to study the new variant. The malware appears to favor certain D-Link routers and, potentially, Internet of Things (IoT) devices.

What is Gafgyt, the malware that exploits vulnerabilities in D-Link

Gafgyt is well-known malware that first appeared in 2014 and then spread over the years under other names; by exploiting vulnerabilities in various devices, it is able to organize a widespread attack. This type of malware does not directly damage the infected computer but uses it as a weapon against a larger target. Such attacks are called Distributed Denial of Service (DDoS): a battery of devices, whose owners are unaware of the infection, is used to hit a service, typically that of a large company, and saturate its resources.

A botnet exploits a series of devices to launch an attack against a single target, saturating its resources.

Let's try to understand how it works in detail:

  1. Users browsing the web can run into malware that, by exploiting what is probably a known vulnerability of the system, manages to take control of it;
  2. Once a significant number of infected devices has been reached, the attacker sets the moment at which the requests to the targeted service will start;
  3. At the appointed time, all devices start making requests to the attacked server, simultaneously and continuously;
  4. The server, which typically has a fixed amount of bandwidth available, finds itself handling an unexpected volume of requests that can cause, at best, the inability to accept requests from real users and, at worst, more extensive malfunctions.

Gafgyt is able to launch attacks over the TCP and UDP protocols, opening numerous connections to the attacked server. Its evolution, Gafgyt_tor, takes advantage of the Tor network for the coordination phase, making it more difficult to find and stop.

Tor Network

The complex network system referred to as the Tor network is very often identified with the dark web. In this world, parallel to the Internet, it is more difficult to track machines and transmissions because all browsing is based on anonymity. This anonymity is obtained thanks to a vast network of routers connected to each other through layered encrypted communications (hence the name onion router, by analogy with the layers of an onion).

Basically, when we connect to a web service on the Internet, the connection is established between us (the client) and the web service (the server); on the dark web, the connection instead proceeds in pieces from one router to the next, through a virtual circuit between Tor nodes. Of course, the more routers used along the way, the more difficult it will be to find the author of the request.
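A simplified model of the layered encryption described above, given as an added example (not from the original article and not Tor's real cell format): the client wraps a message once per relay, and each relay removes one layer and learns only the next hop. The relay names, keys, destination and the toy HMAC-based cipher are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only, no nonce): XOR with an
    HMAC-SHA256 counter keystream. Applying it twice decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: encrypt for the last relay first, then add one layer
    for each earlier relay, so the outermost layer belongs to the entry."""
    next_hop, cell = destination, payload
    for name, key in reversed(circuit):
        cell = keystream_xor(key, next_hop.encode() + b"\x00" + cell)
        next_hop = name
    return cell

def peel(key: bytes, cell: bytes):
    """Relay side: remove exactly one layer; only the next hop is revealed."""
    plain = keystream_xor(key, cell)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop.decode(), inner

def route(circuit, cell: bytes):
    """Pass a cell along the circuit and record what each relay learned."""
    observed = []
    for name, key in circuit:
        next_hop, cell = peel(key, cell)
        observed.append((name, next_hop))
    return observed, cell

# Hypothetical three-relay circuit with constructed keys.
CIRCUIT = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    onion = wrap(CIRCUIT, "service.example", b"hello")
    print(route(CIRCUIT, onion))
```

Only the entry relay sees the client and only the exit relay sees the destination, which is why observing a single hop does not link the two.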

Gafgyt_tor uses this anonymity mechanism to communicate with the Command and Control (C2) server without being identified. In the initial phase of the infection it establishes a connection to a Tor proxy (chosen from a constantly expanding list of over one hundred nodes) and then asks the C2 server for instructions through the dark web.

Spread of Gafgyt

At the moment it would appear that malware propagation occurs mainly through weak Telnet passwords and the following three vulnerabilities:

  • D-Link Remote Code Execution (CVE-2019-16920); the attacker is able to gain complete control of the system (in this case some D-Link devices) by sending an arbitrary input to the common gateway interface (CGI);
  • Liferay Portal Remote Code Execution (CVE-2020-7961); the deserialization of JSON objects is exploited to take over the remote server (Liferay is a Java-based CMS for managing web content);
  • Citrix Remote Code Execution (CVE-2019-19781); a vulnerability in the Application Delivery Controller and the Citrix Gateway which, by exploiting remote code execution, allows traversal of the file system.

Device vulnerabilities are used by malware to take over the system.


Even if these attacks do not affect us directly (although we could be unsuspecting sacrificial victims), we must be extremely careful with what we download from the web. Periodic antivirus scans can in any case help keep malicious software off our computers. As for devices, it is always good to keep the software updated, because vulnerabilities can be fixed by updates.

Finally, those who are the ultimate victims of the distributed attack can adopt advanced techniques and tools (put simply, firewall-like systems) that can identify unusual use of the network or of system resources. In these circumstances, if the automated controls see unusual behavior, they can decide to refuse incoming connections from a certain address or to a certain port, safeguarding the health of the system.
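The kind of automatic check described above, sketched as an added example (not from the original article): a sliding-window counter that refuses a source once it exceeds a per-address limit and separately flags a port whose total load is abnormal, which is the pattern many quiet sources produce together. The log entries, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

def build_sample_log():
    """Constructed connection log: (epoch_seconds, source_ip, dest_port)."""
    events = [(t, "198.51.100.7", 443) for t in range(0, 60, 5)]         # ordinary client
    events += [(20 + i // 4, "203.0.113.9", 80) for i in range(8)]       # one loud source
    events += [(40 + i % 3, f"192.0.2.{i + 1}", 80) for i in range(30)]  # many quiet sources
    return sorted(events)

def analyse(events, window=10, per_source_limit=5, per_port_limit=20):
    """Sliding-window detection over time-ordered events.

    Returns (blocked, saturated):
      blocked   -> {source_ip: time it exceeded per_source_limit}
      saturated -> {dest_port: time aggregate load exceeded per_port_limit}
    """
    by_source, by_port = defaultdict(deque), defaultdict(deque)
    blocked, saturated = {}, {}
    for ts, src, port in events:
        if src in blocked:
            continue  # already refused: no longer counts against the port
        for key, table in ((src, by_source), (port, by_port)):
            q = table[key]
            q.append(ts)
            # Drop entries that fell out of the window (q always keeps ts itself).
            while q[0] <= ts - window:
                q.popleft()
        if len(by_source[src]) > per_source_limit:
            blocked.setdefault(src, ts)
        if len(by_port[port]) > per_port_limit:
            saturated.setdefault(port, ts)
    return blocked, saturated

if __name__ == "__main__":
    blocked, saturated = analyse(build_sample_log())
    print("refuse connections from:", blocked)
    print("ports under aggregate load:", saturated)
```

The per-address rule catches the loud source but none of the thirty quiet ones; only the per-port aggregate reveals them, so a defence needs both views.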

The article "Gafgyt Strikes Back: A botnet exploits vulnerabilities in D-Link devices" comes from Tech CuE | Close-up Engineering.