First and foremost, let me be very clear: I work for Akamai Technologies in my day job. We purchased Prolexic in early 2014 and now I have access to a lot of their research. So, without further ado, allow me to introduce the IptabLes/IptabLex DDoS botnet.
In the second quarter of 2014 the research team had an opportunity to study a new botnet in the wild; they were able to measure its activity and review the code itself. What they found was a distributed botnet capable of launching DDoS campaigns built on DNS and SYN flood attacks. This botnet was first discovered in Asia, and its code contained hardcoded IP addresses that trace back to China.
The question that first comes to mind is, “How would I know I’m infected?” Straight away, what you can do is scan your Linux systems for two file names in particular. Those are,
The binary was written with Linux-based systems in mind, to allow for the infection of hosts such as Debian, Ubuntu, CentOS and Red Hat.
The next question would be, “How did it get into my system?” The attack vector in this case appears to involve Linux servers running vulnerable versions of Apache Tomcat, Struts or Elasticsearch. The breach is executed using known exploits; once the attackers gain a toehold they escalate their privileges and then install the aforementioned binary.
The interesting thing about this botnet is that it requires root-level privilege in order to function properly. Once installed, the bot will attempt to propagate itself to other systems. After installation it also has the ability to download and update files. In most cases the bot will run two versions of itself, one basic install and a second with the advanced features, because web servers typically do not run with root privileges (with good reason). The bot then attempts to establish a connection with the command and control servers.
From the Advisory:
The IptabLes ELF binaries include a function that indicates a self-updating feature. The function named updatesrv will connect to a remote host and attempt to download a file. It sends the remote host a randomly generated string as the file name, and then the remote host will send the file via an established TCP connection. After being decompressed, the remote file replaces the original file.
In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection over port 1001 to the IPs.
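The two host-side indicators the post gives a defender are the dropped file names (scan the filesystem for them) and the C2 traffic (TCP connections to port 1001). The script below is an added example, not code from the original post or from the Akamai/Prolexic advisory; it ties both checks together. The file names are not reproduced on this page, so they are passed in as command-line arguments (the `.NAME1`/`.NAME2` placeholders in the usage line stand in for the real names). Port 1001 comes from the post. The /proc/net/tcp sample is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or the advisory): minimal host
# triage for the two indicators described in the post.
#   1. dropped binary, located by file name (names supplied as arguments:
#      ".NAME1" ".NAME2" are placeholders, not the real names);
#   2. a TCP socket whose remote port is 1001, the C2 port the post reports,
#      read from /proc/net/tcp.

# check_files DIR NAME...
# Prints "FILE <path>" for every file under DIR (one filesystem only) whose
# name matches one of NAME...; returns 0 if anything matched, 1 otherwise.
check_files() {
    dir=$1; shift
    hits=0
    for name in "$@"; do
        # -xdev keeps the walk off network mounts and pseudo-filesystems
        matches=$(find "$dir" -xdev -name "$name" -print 2>/dev/null)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" | while IFS= read -r path; do
            echo "FILE $path"
        done
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# c2_connections PORT   (reads /proc/net/tcp-format lines on stdin)
# Prints "CONN <remote ip>:<port> state <st>" for every socket whose remote
# port equals PORT. /proc/net/tcp encodes rem_address as little-endian hex IP
# plus hex port, e.g. 6401A8C0:03E9 is 192.168.1.100:1001. Portable awk only
# (no gawk strtonum), so hex conversion is done by hand.
c2_connections() {
    awk -v port="$1" '
    function hex2dec(h,    i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    NR > 1 {                                   # skip the column header
        split($3, r, ":")                      # field 3 is rem_address
        if (hex2dec(r[2]) == port) {
            ip = ""
            for (i = 7; i >= 1; i -= 2)        # reverse the four address bytes
                ip = ip (i == 7 ? "" : ".") hex2dec(substr(r[1], i, 2))
            print "CONN " ip ":" port " state " $4
        }
    }'
}

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# socket 0 is a listener on 127.0.0.1:22, socket 1 is an established
# connection from this host to 192.168.1.100:1001 (state 01 = ESTABLISHED).
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:A3B1 6401A8C0:03E9 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
EOF
}

# Usage (script name is hypothetical):  sh iptables_check.sh .NAME1 .NAME2
# Runs the live checks only when file names are given; with no arguments the
# functions are just defined, which keeps the file usable as a library.
if [ "$#" -gt 0 ]; then
    check_files / "$@" || echo "no matching files under /"
    if [ -r /proc/net/tcp ]; then
        c2_connections 1001 < /proc/net/tcp
    fi
fi
```

A match from either function is a lead, not a verdict: a port-1001 connection can belong to something legitimate, and the file names alone say nothing about which version of the bot is running, so follow a hit with process and file inspection rather than treating the script's output as proof.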
When the team reverse engineered the binary they were able to uncover some of its DDoS capability. The main attack witnessed so far has been a DNS flood; however, SYN floods have recently become more prevalent.
As this botnet grows we’ll likely see it gain more attack capabilities. So far the botnet has been observed delivering 119 Gbps of bandwidth in a single attack.
What’s the takeaway? If you’re running a Linux-based server, have a look through your systems for the presence of this binary. Also, make sure that your systems are fully patched to avoid this and other possible problems in the future.
(Image used under CC from BagoGames)