Hydra hacker bot spawns internet of things DDoS clones
LizardStresser makes a messer of Brazil banks, gamer outfits
Lizard Squad may be mostly behind bars, but their LizardStresser botnet has spawned more than 100 clones.
According to Arbor Networks' Matthew Bing, the imitators have lit on the Internet of Things, enslaving thousands of dumb devices with code the hacker group published last year.
LizardStresser is an illegal booter service that the partly-arrested hacking group Lizard Squad built on the back of hacked routers.
It was used, to great outrage, to cripple the Xbox Live service, taking it offline for days during the peak Christmas period, when gamers were attempting to update their newly acquired consoles and play online.
Bing says the tweaked and growing number of LizardStresser bots have been used to attack banks, telcos, and gaming companies.
"The number of unique LizardStresser command-and-control sites has been steadily increasing throughout 2016," Bing says.
"Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.
"LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning."
Two of the major LizardStresser bots, thought to be run by the same attack group, have set their sights on Brazil, Bing says.
"The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags. This was likely the threat actors tuning their attacks for maximum impact," Bing says.
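The minute-by-minute switching between UDP floods and TCP floods with varying flags that Bing describes is visible to a defender in flow records, and the change of vector is itself a useful signal. The following Python is an added example, not code from the article or from Arbor Networks: it classifies each minute of traffic toward one target by dominant vector and counts how often the vector changes. The flow records, their field layout, the target address (from the documentation range) and the thresholds are all constructed assumptions.

```python
"""Classify per-minute traffic toward a target and count vector switches.

Added example, not from the article or Arbor Networks. The flow records
below are constructed; the record layout and thresholds are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample: (minute, src_ip, dst_ip, proto, tcp_flags, packets).
# tcp_flags is "" for UDP. Each record summarises one source's traffic to
# the target during that minute, as an exporter might aggregate it.
TARGET = "203.0.113.10"   # constructed target, documentation address range
SAMPLE_FLOWS = []
for i in range(50):       # minute 0: 50 sources send a large UDP volume
    SAMPLE_FLOWS.append((0, f"198.51.100.{i}", TARGET, "udp", "", 20000))
for i in range(50):       # minute 1: the same sources switch to TCP SYN
    SAMPLE_FLOWS.append((1, f"198.51.100.{i}", TARGET, "tcp", "S", 15000))
for i in range(50):       # minute 2: TCP again, now with mixed flags
    flags = ["A", "R", "FA", "PA"][i % 4]
    SAMPLE_FLOWS.append((2, f"198.51.100.{i}", TARGET, "tcp", flags, 15000))
SAMPLE_FLOWS += [         # minute 3: a few ordinary clients, low volume
    (3, "192.0.2.5", TARGET, "tcp", "S", 3),
    (3, "192.0.2.5", TARGET, "tcp", "PA", 40),
    (3, "192.0.2.9", TARGET, "udp", "", 12),
]

MIN_SOURCES = 20          # assumption: distinct sources before calling it a flood
MIN_PACKETS = 100_000     # assumption: packets per minute toward one target
SYN_SHARE = 0.8           # assumption: SYN share above which TCP is a SYN flood


def classify_minute(records):
    """Return the dominant vector for one minute of flows to one target."""
    sources = {r[1] for r in records}
    total = sum(r[5] for r in records)
    if len(sources) < MIN_SOURCES or total < MIN_PACKETS:
        return "normal"
    by_proto = Counter()
    for r in records:
        by_proto[r[3]] += r[5]
    proto, _ = by_proto.most_common(1)[0]
    if proto != "tcp":
        return f"{proto}_flood"          # e.g. "udp_flood"
    syn = sum(r[5] for r in records if r[3] == "tcp" and r[4] == "S")
    if syn / by_proto["tcp"] > SYN_SHARE:
        return "tcp_syn_flood"
    return "tcp_mixed_flag_flood"        # ACK/RST/FIN/PSH variants


def detect_vector_switches(flows, dst):
    """Classify each minute of traffic to dst and count vector changes.

    Returns (timeline, switches) where timeline is a list of
    (minute, vector) pairs and switches counts changes between
    consecutive non-normal minutes.
    """
    per_minute = defaultdict(list)
    for r in flows:
        if r[2] == dst:
            per_minute[r[0]].append(r)
    timeline = [(m, classify_minute(per_minute[m])) for m in sorted(per_minute)]
    attack = [v for _, v in timeline if v != "normal"]
    switches = sum(1 for a, b in zip(attack, attack[1:]) if a != b)
    return timeline, switches


if __name__ == "__main__":
    timeline, switches = detect_vector_switches(SAMPLE_FLOWS, TARGET)
    for minute, vector in timeline:
        print(f"minute {minute}: {vector}")
    print(f"vector switches during attack: {switches}")
```

The thresholds are deliberately simple; in practice they would be set from a baseline of normal traffic to the target, and the SYN-share test would be joined by checks on packet size and source-port entropy to separate spoofed floods from real connection bursts.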
Many of the internet-of-things devices are pwned thanks to the use of default passwords. This lowers the barrier to compromise while expanding the number of devices that can be compromised.
The downside for attackers is that the weak devices may already be compromised, reducing the capacity available for DDoS.
The DDoS botnet is written in C and runs on Linux, consisting of a client and server.
The client runs on hacked Linux machines, connecting to hardcoded command-and-control servers using a protocol akin to a lightweight IRC chat. ®