- Oct 23, 2012
- 12,527
A botnet composed of poorly maintained Linux servers has been leveraged by cybercriminals to run significant distributed denial-of-service (DDoS) attacks against companies.
- Code receiving and parsing commands from the C&
The attackers mainly exploit vulnerabilities in unpatched versions of Apache Struts and Tomcat in order to infect the servers, although there have been instances where poorly configured Elasticsearch was used.
Dubbed “IptabLes IptabLex” by researchers at Akamai’s Prolexic division, the botnet has been seen to be employed against entertainment websites, but it may be possible that businesses were also targeted.
To create the bots, the cybercriminals rely on exploits in server software to gain escalated privileges on the Linux systems (Debian, Ubuntu, CentOS and Red Hat), and then drop IptabLes or IptabLex malware for carrying out DNS and SYN flood attacks.
One DDoS, which appeared to originate from Asia, delivered bad traffic that peaked at 119Gbps and 110Mpps in volume, Prolexic says.
According to the analysis of the researchers, IptabLes binary works properly only with elevated privileges and has two versions that can be executed: one with standard capabilities and another with advanced features. After achieving persistence, the threat propagates and establishes a connection to a command and control (C&C) server.
The commands received from the malicious remote server vary from modifications of the system to deploying traffic consuming attacks against a provided target.
The malware integrates self-update functionality, which allows its operators to improve it in time for other types of activities.
“In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection over port 1001 to the IPs,” Prolexic researchers found.
The malware is not used exclusively on its own for infecting web servers and has been observed to be part of various malicious toolkit components, such as downloader agents.
Mitigating the risk against this type of threat involves hardening the exposed web platform and services through applying the latest patches and updates for the underlying software.
It appears that the malware is detected by at least about half of the scanning engines provided by VirusTotal.
Apart from appealing to an antivirus solution, the company also recommends rate limiting:
“Attackers will typically target a domain with these attacks, so a target web server will receive the SYN flood on port 80 or other port deemed critical for the server’s operation. The DNS flood will typically flood a domain’s DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed by these attacks, rate liminting may be an option.”
YARA rule also comes in handy for identifying and classifying the threats.
Prolexic also provides two bash commands designed to remove the IptabLes binary from the affected system (a reboot is required after running them):
sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
- Code receiving and parsing commands from the C&
The attackers mainly exploit vulnerabilities in unpatched versions of Apache Struts and Tomcat in order to infect the servers, although there have been instances where poorly configured Elasticsearch was used.
Dubbed “IptabLes IptabLex” by researchers at Akamai’s Prolexic division, the botnet has been seen to be employed against entertainment websites, but it may be possible that businesses were also targeted.
To create the bots, the cybercriminals rely on exploits in server software to gain escalated privileges on the Linux systems (Debian, Ubuntu, CentOS and Red Hat), and then drop IptabLes or IptabLex malware for carrying out DNS and SYN flood attacks.
One DDoS, which appeared to originate from Asia, delivered bad traffic that peaked at 119Gbps and 110Mpps in volume, Prolexic says.
According to the analysis of the researchers, IptabLes binary works properly only with elevated privileges and has two versions that can be executed: one with standard capabilities and another with advanced features. After achieving persistence, the threat propagates and establishes a connection to a command and control (C&C) server.
The commands received from the malicious remote server vary from modifications of the system to deploying traffic consuming attacks against a provided target.
The malware integrates self-update functionality, which allows its operators to improve it in time for other types of activities.
“In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection over port 1001 to the IPs,” Prolexic researchers found.
The malware is not used exclusively on its own for infecting web servers and has been observed to be part of various malicious toolkit components, such as downloader agents.
Mitigating the risk against this type of threat involves hardening the exposed web platform and services through applying the latest patches and updates for the underlying software.
It appears that the malware is detected by at least about half of the scanning engines provided by VirusTotal.
Apart from appealing to an antivirus solution, the company also recommends rate limiting:
“Attackers will typically target a domain with these attacks, so a target web server will receive the SYN flood on port 80 or other port deemed critical for the server’s operation. The DNS flood will typically flood a domain’s DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed by these attacks, rate liminting may be an option.”
YARA rule also comes in handy for identifying and classifying the threats.
Prolexic also provides two bash commands designed to remove the IptabLes binary from the affected system (a reboot is required after running them):
sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
