IptabLes and IptabLex DDoS Bots
stateoftheinternet.com
= overview: IptabLes and IptabLex DDoS bots
• The IptabLes and IptabLex botnet DDoS campaigns executed Domain Name System (DNS) and SYN flood attacks
• One observed campaign peaked at 119 Gbps bandwidth and 110 Mpps in volume
• This threat appears to originate from China
• The IptabLes and IptabLex botnet is built from vulnerable and compromised Linux servers
• The botnet has been used mainly to attack gaming and gambling verticals
• The risk factor for this threat is HIGH
2 / [state of the internet] / threat advisory
= indicators of IptabLes and IptabLex infection
• Presence of a Linux ELF binary that creates a copy of itself and names it .IptabLes or .IptabLex
• Designed to infect popular Linux distributions
• Infections occur mainly in Linux servers with vulnerable software
• Attackers must execute code on a targeted server in order to escalate privileges
⁄ Accomplished via remote code execution exploits or escalation through a series of exploits
• Apache Struts and Tomcat seem to be the principal attack vector of entry
= IptabLes ELF Bot analysis
• The IptabLes binary only functions properly under root privileges
• The bot may run two versions of itself
• The IptabLes bot includes toolkit components such as downloader agents
• The downloader downloads and executes the contents of remote files
[Screenshot] This code snippet shows the downloader retrieving a remote file named run.txt
= payload initialization
• The bot checks to ensure that it isn’t already running
⁄ If a prior infection exists, it will execute a clean-up script to remove the original payload
• Initialization attempts to establish a connection with two hardcoded IP addresses
• Information about the victim’s machine is sent using a function called sendLoginInfo
• The bot awaits commands from the Command-and-Control server (C2)
• Commands range from basic system modifications to launching DDoS attacks
= payload entrenchment and persistence
• Most observed bots in compromised systems were not named IptabLes at the time of the drop
⁄ Some names contain a random file name with a .hub, .zip or .rar extension
• Post-infection indicators are files named .IptabLes or .IptabLex located in the /boot or /etc directories
• The IptabLes ELF binaries appear to have a self-updating feature
• In the lab environment, the malware attempted to contact two IP addresses located in Asia
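The indicator and persistence slides give a host-side checklist: an ELF binary copied to a file named .IptabLes or .IptabLex, usually under /boot or /etc, sometimes dropped first under a random name with a .hub, .zip or .rar extension, and containing a function called sendLoginInfo and a reference to run.txt. The following triage script is an added example, not code from the Akamai/PLXsert advisory or the advisory's own bash commands; it assumes only the names and strings stated on the slides, and the choice to treat those strings as content indicators, the 16 MiB read limit, and the script's file name are assumptions for illustration.

```python
"""Host triage for the IptabLes/IptabLex infection indicators listed on these slides.

Added example, not code from the Akamai/PLXsert advisory. It relies only on
what the slides state: the payload is a Linux ELF binary that copies itself to
a file named .IptabLes or .IptabLex (typically under /boot or /etc), may be
dropped under a random name with a .hub/.zip/.rar extension, and contains a
function called sendLoginInfo and a reference to run.txt. Treating those
strings as content indicators and the read limit are assumptions.
"""
import json
import os
import sys

ELF_MAGIC = b"\x7fELF"
INDICATOR_NAMES = {".IptabLes", ".IptabLex"}
# Strings taken from the slides; treated as weak content indicators (assumption).
INDICATOR_STRINGS = (".IptabLes", ".IptabLex", "sendLoginInfo", "run.txt")
DEFAULT_ROOTS = ("/boot", "/etc")  # directories the slides name
READ_LIMIT = 16 * 1024 * 1024        # bytes inspected per file (assumption)


def classify(name, data):
    """Classify one file from its name and its leading bytes.

    Returns a finding dict when the name is an indicator name, or when the
    file is ELF and contains at least one indicator string; otherwise None.
    A bare name match is still reported because the dropped file may be a
    script or archive rather than an ELF binary.
    """
    name_match = name in INDICATOR_NAMES
    elf = data.startswith(ELF_MAGIC)
    strings = []
    if elf or name_match:
        strings = [s for s in INDICATOR_STRINGS if s.encode() in data]
    if not name_match and not (elf and strings):
        return None
    return {"name": name, "name_match": name_match, "elf": elf, "strings": strings}


def scan(roots=DEFAULT_ROOTS):
    """Walk the given roots (symlinked directories are not followed) and return findings."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(READ_LIMIT)
                except OSError:
                    continue  # unreadable, special, or vanished file
                finding = classify(name, data)
                if finding:
                    finding["path"] = path
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: python iptables_triage.py [root ...]; prints one JSON line per finding.
    for finding in scan(tuple(sys.argv[1:]) or DEFAULT_ROOTS):
        print(json.dumps(finding))
```

Run it as root so /boot and /etc are fully readable; a finding with `name_match` true but `elf` false is worth a second look because the slides say the drop is often not an ELF named IptabLes at first.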
= network code analysis
• The malware uses a simple command structure
• The IptabLes bot waits for commands from a malicious actor’s C2 server
• Lab environment analysis showed that the binary exhibits DDoS functionality
• These DDoS commands are hidden by a compression algorithm (zlib compression wrapper)
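Because the C2 commands sit behind a zlib wrapper, an analyst looking at a captured session sees opaque bytes until they are inflated. The script below is an added example, not code from the advisory: since the slides do not give the message framing, it assumes nothing about it and instead carves every complete zlib stream from a byte blob by checking the RFC 1950 header at each offset and inflating from there. The sample capture and the placeholder command text inside it are constructed for the example and are not the bot's real syntax.

```python
"""Carve and inflate zlib-wrapped data from a captured C2 byte stream.

Added example, not code from the advisory. The slides say the bot's DDoS
commands are hidden behind a zlib compression wrapper but do not give the
message layout, so no framing is assumed: the carver tries to inflate at every
offset that carries a valid zlib header and keeps streams that decode to
completion. The sample capture is constructed; its text is a placeholder.
"""
import zlib

PLACEHOLDER_COMMAND = b"PLACEHOLDER COMMAND TEXT (constructed, not the bot's real syntax)"


def is_zlib_header(cmf, flg):
    """RFC 1950 check: CM must be 8 (deflate) and CMF*256+FLG must be divisible by 31."""
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib(blob):
    """Return [(offset, inflated_bytes), ...] for every complete zlib stream in blob."""
    found = []
    i = 0
    while i + 1 < len(blob):
        if is_zlib_header(blob[i], blob[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
            except zlib.error:
                out = None  # header looked right but the body is not deflate data
            if out is not None and d.eof:
                found.append((i, out))
                # Jump past the stream so its body is not rescanned for headers.
                i = len(blob) - len(d.unused_data)
                continue
        i += 1
    return found


def build_sample(payloads=(PLACEHOLDER_COMMAND,)):
    """Constructed capture: 4 opaque header bytes, one zlib stream per payload, 2 trailing bytes."""
    body = b"".join(zlib.compress(p) for p in payloads)
    return b"\x01\x02\x03\x04" + body + b"\x00\x00"


if __name__ == "__main__":
    for offset, data in carve_zlib(build_sample()):
        print(f"zlib stream at offset {offset}: {data!r}")
```

Truncated streams are deliberately skipped (`d.eof` is false), which is the right default for a scanner but means a partially captured command will not be reported; drop the `d.eof` condition if you want partial inflation as well.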
= mitigation of the IptabLes/IptabLex botnet
• Identify and apply corrective measures
⁄ Patch and harden servers
⁄ Antivirus protection
⁄ Rate limiting
⁄ YARA rule
⁄ Bash commands
• This botnet has produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection
• PLXsert anticipates further infestation and the expansion of this botnet
• Future DDoS attack campaigns may target other industry verticals and involve other regions
= threat advisory: IptabLes/IptabLex DDoS Bots
• Download the threat advisory IptabLes/IptabLex DDoS Bots for full details
• This DDoS threat advisory includes:
⁄ Indicators of infection
⁄ Analysis of the binary (ELF)
⁄ Payload initialization and persistence
⁄ Network code analysis
⁄ Case study of a DDoS attack campaign
⁄ How to harden Linux servers against exploits
⁄ Antivirus detection rates
⁄ Bash commands to clean an infected system
⁄ YARA rule to identify an ELF IptabLes payload
⁄ DDoS mitigation techniques
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.
10 / [state of the internet] / security (Q3 2014)