Akamai Warns of IptabLes and IptabLex Infection on Linux, DDoS attacks

0

Akamai LogoAkamai Technologies, Inc, the leading provider of cloud services for delivering, optimising and securing online content and business applications, has released, through the company’s Prolexic Security Engineering & Research Team (PLXsert), a new cybersecurity threat advisory. The advisory alerts enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch distributed denial of service (DDoS) attacks against the entertainment industry and other verticals.  The advisory is available for download from Prolexic (now part of Akamai) at www.prolexic.com/iptablex.

“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Malicious actors have taken advantage of known vulnerabilities in unpatched Linux software to launch DDoS attacks. Linux admins need to know about this threat to take action to protect their servers.”

DDoS botnet threat to Linux systems

The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.

A post-infection indication is a payload named .IptabLes or. IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot. The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.

Asia apparently a significant source of DDoS attacks

Command and control centres (C2, CC) for IptabLes and IptabLex are currently located in Asia. Infected systems were initially known to be in Asia; however, more recently many infections were observed on servers hosted in the U.S. and in other regions. In the past, most DDoS bot infections originated from Russia, but now Asia appears to be a significant source of DDoS development.

Prevention, detection and DDoS mitigation

Detecting and preventing an IptabLes or IptabLex infestation on Linux systems involves patching and hardening Linux servers and antivirus detection. In the threat advisory, PLXsert provides bash commands to clean an infected system.

DDoS mitigation for the target of a DDoS attacker who controls these infected bots may include rate-limiting DDoS mitigation techniques. In addition, PLXsert shares a YARA rule in the threat advisory to identify the ELF IptabLes payload used in an observed attack campaign.

The IptabLes and IptabLex botnet has produced significant DDoS attack campaigns for which target companies have sought expert DDoS protection. Akamai offers DDoS mitigation solutions to stop DDoS attacks launched from IptabLes and IptabLex bots.

PLXsert anticipates further infestation and the expansion of this DDoS botnet.

Get the IptabLes and IptabLex DDoS Bot Threat Advisory to learn more

In the advisory, PLXsert shares its analysis and details about IptabLes and IptabLex infections, including:

  • Indicators of infection
  • Analysis of the binary (ELF) associated with IptabLes and IptabLex infections
  • Payload initialisation, entrenchment and persistence
  • Network code analysis
  • Case study of a DDoS attack campaign
  • How to hardening Linux servers against this threat
  • Antivirus detection rates
  • Bash commands to clean an infected system
  • YARA  rule to identify an ELF IptabLes payload
  • DDoS mitigation techniques

A complimentary copy of the threat advisory is available for download at www.prolexic.com/iptablex.

Share.