DDoS Botnet goes after Linux Systems

Wednesday, September 3, 2014 @ 03:09 PM gHale


Enterprises are on alert to a high-risk threat of infections to Linux systems.

Once infected with IptabLes and IptabLex, bad guys may use these Linux systems to launch distributed denial of service (DDoS) attacks against the entertainment industry and other verticals, said officials at security firm, Akamai Technologies.

RELATED STORIES
Botnet Variants Targeting Europe, U.S.
Botnet Stays Strong Globally
Cloud Botnets able to Mine Coin
After Takedown, Botnet Returns

The mass infestation of IptabLes and IptabLex seems to have been the result of a large number of Linux-based web servers suffering compromise, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.

Attackers used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then end up controlled remotely as part of a DDoS botnet.

A post-infection indication is a payload named .IptabLes or. IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot.

The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.

“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, at Akamai.

“This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Malicious actors have taken advantage of known vulnerabilities in unpatched Linux software to launch DDoS attacks. Linux administrators need to know about this threat to take action to protect their servers,” Scholly added.

Command and control centers (C2, CC) for IptabLes and IptabLex are currently in Asia. Infected systems were initially in Asia; however, more recently other infections ended up observed on servers hosted in the U.S. and in other regions.

In the past, most DDoS bot infections originated from Russia, but now Asia appears to be a significant source of DDoS development.



Leave a Reply

You must be logged in to post a comment.