Pierluigi Paganini September 05, 2014

Experts at Akamai-Prolexic discovered a botnet dubbed IptabLes and IptabLex that infects and exploits poorly-maintained Linux servers to run DDoS attacks.

Akamai’s Prolexic division has uncovered a new botnet dubbed IptabLes and IptabLex, which was used in a series of attacks targeting malware based on Linux servers. The experts revealed that the IptabLes and IptabLex botnet compromises misconfigured and poorly-maintained Linux servers, bad actors are using the malicious architecture to run large DDoS attacks targeting DNS and other infrastructure. The IptabLes and IptabLex botnet had been used to launch numerous DDoS attacks this year, one of them reached a peak of 119 Gbps, on entertainment websites. 

“During  Q2  2014,  Akamai’s  Prolexic  Security  Engineering  and  Research  Team  (PLXsert)  detected  and  measured  distributed  denial  of  service  (DDoS)  campaigns  driven  by  the  execution  of  a  binary  that  produces  significant  payloads  by  executing  Domain  Name  System  (DNS)  and  SYN  flood  attacks.” “The  mass  infestation  seems  to  be  driven  by  a  large  number  of  Linux-­based  web  servers  being  compromised,  mainly  by  exploits  of  Apache  Struts,  Tomcat,  and  Elasticsearch  vulnerabilities. ” states the advisory from Akamai.   

The IptabLes and IptabLex bot is able to infect versions of Apache Struts and Tomcat, but experts also detected instances that targeted Elasticsearch search servers that have not been patched.

Once the malware infects the server it is able to escalate privileges and wait command from the C&C server. The experts at Prolexic analyzing the binary discovered that it includes two hardcoded IP addresses.

The usage of Linux malware to compromise servers to involve in DDoS is a relatively new tactic, the experts are worried by the IptabLes and IptabLex botnet, even if this campaign appeared to be in its early stages.

“This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Linux admins need to know about this threat to take action to protect their servers.”said Akamai senior vice president and general manager, Security Business, Stuart Scholly.

Akamai experts urge admins to patch and properly configure vulnerable Linux servers.

Experts at Akamai believe that threat actors behind the IptabLes and IptabLex botnet will expand their campaign targeting a larger number of vulnerable Linux servers.

Unfortunately, antivirus are not able to mitigate the cyber threat, Akamai experts revealed that the bot agent has a detection rate of 23 out of 52 despite the campaign started months ago.

Prolexic has released a couple of  bash  commands  to  clean  a  system  infected  with  the  ELF  IptabLes  binary. Once executed the commands administrators  must reboot  the  system  and  run  a  thorough  system  inspection.

Lesson learnt … keep your Linux servers updated and configure it properly

Pierluigi Paganini

(Security Affairs – IptabLes and IptabLex botnet, malware)