Pierluigi Paganini
September 05, 2014
Akamai’s Prolexic division has uncovered a new botnet dubbed IptabLes and IptabLex, which was used in a series of attacks targeting malware based on Linux servers. The experts revealed that the IptabLes and IptabLex botnet compromises misconfigured and poorly-maintained Linux servers, bad actors are using the malicious architecture to run large DDoS attacks targeting DNS and other infrastructure. The IptabLes and IptabLex botnet had been used to launch numerous DDoS attacks this year, one of them reached a peak of 119 Gbps, on entertainment websites.
“During Q2 2014, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks.” “The mass infestation seems to be driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat, and Elasticsearch vulnerabilities. ” states the advisory from Akamai.
The IptabLes and IptabLex bot is able to infect versions of Apache Struts and Tomcat, but experts also detected instances that targeted Elasticsearch search servers that have not been patched.
Once the malware infects the server it is able to escalate privileges and wait command from the C&C server. The experts at Prolexic analyzing the binary discovered that it includes two hardcoded IP addresses.
The usage of Linux malware to compromise servers to involve in DDoS is a relatively new tactic, the experts are worried by the IptabLes and IptabLex botnet, even if this campaign appeared to be in its early stages.
“This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Linux admins need to know about this threat to take action to protect their servers.”said Akamai senior vice president and general manager, Security Business, Stuart Scholly.
Akamai experts urge admins to patch and properly configure vulnerable Linux servers.
Experts at Akamai believe that threat actors behind the IptabLes and IptabLex botnet will expand their campaign targeting a larger number of vulnerable Linux servers.
Unfortunately, antivirus are not able to mitigate the cyber threat, Akamai experts revealed that the bot agent has a detection rate of 23 out of 52 despite the campaign started months ago.
Prolexic has released a couple of bash commands to clean a system infected with the ELF IptabLes binary. Once executed the commands administrators must reboot the system and run a thorough system inspection.
Lesson learnt … keep your Linux servers updated and configure it properly
(Security Affairs – IptabLes and IptabLex botnet, malware)
