The Grand Theft Auto: San Andreas online community has become the breeding ground for a new botnet made of Internet of Things devices. The botnet can allegedly launch a 300gbps Distributed Denial of Service (or DDoS) attack for anyone willing to pay $20, according to a report released by security firm Radware. Vulnerable routers—specifically those made by Realtek and Huawei—were being enlisted into this botnet.
In a phone interview, Radware security researcher Pascal Geenens told Motherboard he first discovered the botnet when one of his honeypots—a system which lures in malicious attackers—detected malware. The honeypot was monitoring areas in Europe, but Geenens quickly saw that the botnet’s reach was much wider. Over 100 of his honeypots spread out around the globe had picked up the malware infecting insecure IoT devices.
Like the infamous Mirai botnet before it, the malware, which Greenes calls JenX, originates from the online gaming community—in this case Grand Theft Auto: San Andreas servers. The hacker group, known as San Calvicie (Spanish for Saint Baldness), sells modded GTA servers to its customers in three tiers.
Prior to the site going offline, potential customers could choose between three tiers of services from San Calvicie. Image: Radware.com.
The most expensive tier listed above, called Corriente Divina, or “Divine Steam,” allows users to take hold of San Calvicie’s botnet to launch DDoS attacks.
The translation of Divine Stream’s Spanish description reads, “God’s wrath will be employed against the IP that you provide us.”
The San Calvicie site claimed that for just $20 customers could utilize these bots to launch attacks of between 90-100 gbps. Within days this number increased to 290-300 gbps.
“This is half the size of Mirai but it is big enough to bring down most of the online businesses today, even financial institutions,” Geenens said. “You can bring them down and cause a lot of disruption and harm with a 300 gbps attack.”
And while these attacks have focused on disrupting other San Andreas servers, Geenens told Motherboard that there is no reason why the botnet could not be employed to launch more widespread attacks.
“I don’t think that San Calvicie really cares if you are actually attacking a GTA server or a financial institution as long as you pay the $20 I think they would sell the service,” he said.
Motherboard could not confirm whether JenX had been successfully used to attack business other than San Andreas servers.
According to Geenens, San Calvicie’s Command and Control Center—the main server that would scan for vulnerable devices—is hosted by cloud computing company OVH. Part of OVH’s business involves hosting dedicated gaming servers. The company’s website also says it provides, “powerful anti-DDoS GAME mitigation for professionals.” The company experienced the effects of these IoT botnets last year when they found themselves on the receiving end of a massive Mirai attack. OVH did not respond to Motherboard’s multiple requests for comment.
All of this may seem like a undue amount of effort to disrupt the servers of a nearly 14-year-old video game. But behind these seemingly trivial attacks lie large potential profits. By both selling servers and offering buyers powerful attacks, the San Calvicie hackers are able to disrupt their competitors’ servers and draw more gamers back to theirs.
“So that is the whole business model behind it,” Geenens said. “You can rent the servers but then you can also rent DDoS services to attack your competitors and attract more users to the servers that you are renting from San Calvicie.”
Geenens released his full report exposing the attack on February 1 under the title “Los Calvos de San Calvicie.” Concerned that the attackers may target him for retaliation, Geenens said he took some precautionary measures.
“The first thing I did was change all my passwords on all my social media accounts and made sure that my social media accounts were secured and dual factor identification was on,” Geenes said. “So I prepared myself a little bit.”
Several days after the release of his report, San Calvicie updated its website’s home page to feature a crudely photoshopped image of a heavily armed GTA character with Geenens face.
An screenshot from the San Calvicie homepage following Geenes’ report.
The JenX botnet owes its growth to the author of the “Bricker Bot” botnet. Last year, a vigilante hacker, who calls himself The Janit0r, claimed he used his own botnet to permanently disable over 10 million insecure IoT devices. Before leaving the spotlight, however, the Janit0r published part of his Bricker Bot code. Two of these vulnerabilities—CVE-2014-8361 and CVE-2017-17215—make up the foundation of JenX, according to the Radware report.
But where the BrickerBot author crafted his botnet to seek out and permanently disable vulnerable devices in order to protect the internet from would be wrongdoers, JenX appears to be designed solely for profit.
While JenX has grown, it is unlikely that it can reach the same massive scale that its Mirari and Satori predecessors achieved. When the Mirai and Satori botnets infected a device, each of those new controlled bots would scan for more insecure devices themselves. JenX on the other hand, scans for vulnerable devices through a single command and control server. This severely limits JenX’s ability to achieve exponential growth but it also grants it an element of stealth.
“When you have all of the bots scanning then it was very easy to detect all of the bots,” Geenes said of botnets like Mirai. “With this one however you only have a couple of servers that are trying to scan and exploit you so I cannot calculate the size of the bot. So it is much more stealthier.”
In the two weeks since Geenens’ report, the San Calvicie website has gone offline. If you search for SanCalvicie.com today you will be redirected to a site hosted by internet security services company Cloudflare. Cloudflare also did not respond to a request for comment.