Risk Factor - High


IptabLes/IptabLex DDoS Bots

TLP - GREEN
GSI ID: 1077

OVERVIEW

During Q2 2014, Akamai's Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks. One campaign peaked at 119 Gbps bandwidth and 110 Mpps in volume. It appears to originate from Asia. Observed incidents in Asia and now other parts of the world suggest the binary connects back to two hardcoded IP addresses in China.[1] The mass infestation seems to be driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat, and Elasticsearch vulnerabilities.

INDICATORS OF IPTABLES/IPTABLEX INFECTION

The principal indicator of this infection is the presence of a Linux ELF binary that creates a copy of itself and names it .IptabLes or .IptabLex. The leading period is intentional and is intended to help hide the file. This binary is crafted to infect popular Linux distributions such as Debian, Ubuntu, CentOS and Red Hat.

Reports of the infection are shown in Figures 1, 2 and 3.


[1] "MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS Bots Malware." Malware Must Die!, 15 June 2014.






Figure 1: Red Hat publicly reported the compromise to its customers

Figure 2: A victim of IptabLes infection posted reports of the hacks on a public forum







Figure 3: A translated report of IptabLex / IptabLes
The infections occur mainly in Linux servers with vulnerable Apache Tomcat, Struts, or Elasticsearch software. The binary is distinct from the exploits used to control the server. Attackers are breaking into the servers using a known exploit,[2][3] escalating privileges, dropping the binary into the compromised server, and executing it.

Not all vulnerabilities lead to the entire compromise of a server. In order to escalate privileges, attackers must be able to execute code on a targeted server. This is often accomplished via remote code execution exploits or escalation through a series of exploits, such as the following:
Apache Struts ClassLoader Manipulation Remote Code Execution[4]
Apache Struts Developer Mode OGNL Execution[5]




[2] "Apache Tomcat : Security Vulnerabilities." Apache Tomcat : List of Security Vulnerabilities. MITRE Corporation.
[3] "Apache Struts : Security Vulnerabilities." Apache Struts : List of Security Vulnerabilities. MITRE Corporation.
[4] Metasploit. "Apache Struts ClassLoader Manipulation Remote Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.
[5] Metasploit. "Apache Struts Developer Mode OGNL Execution." Exploit DB. Offensive Security, 5 Feb. 2014.





Apache Roller OGNL Injection[6]
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution[7]
Apache Struts IncludeParams Remote Code Execution[8]
Apache Struts ParametersInterceptor Remote Code Execution[9]
Apache Tomcat Manager - Application Upload Authenticated Code Execution[10]
Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE[11]


There are reports of other applications being exploited, in addition to the ones mentioned; however, Apache Struts and Tomcat seem to be the principal attack vector of entry. After the initial compromise and privilege escalations, attackers will proceed to drop and execute the binary. Downloader binaries or scripts may be used to spread and infect compromised machines with the .IptabLes bot.

IPTABLES ELF BOT ANALYSIS

PLXsert has analyzed the binary associated with .IptabLes infections. The IptabLes binary will only function properly under root privileges. In some cases, the bot will run two versions of itself: one with advanced features and one with standard capabilities of the original payload. The bot will set up persistence, propagate, and make remote connections back to its assigned Command-and-Control server (C2).

Along with the infiltration of vulnerable web servers, the IptabLes bot is being used with toolkit components such as downloader agents. In such cases, the downloader downloads and executes the contents of remote files. Figure 4 shows the downloader retrieving a remote file named run.txt.


[6] Metasploit. "Apache Roller OGNL Injection." Exploit DB. Offensive Security, 27 Nov. 2013.
[7] Metasploit. "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution." Exploit DB. Offensive Security, 27 Jul. 2013.
[8] Metasploit. "Apache Struts IncludeParams Remote Code Execution." Exploit DB. Offensive Security, 5 June 2013.
[9] Metasploit. "Apache Struts ParametersInterceptor Remote Code Execution." Exploit DB. Offensive Security, 22 Mar. 2013.
[10] Metasploit. "Apache Tomcat Manager - Application Upload Authenticated Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.
[11] Rgod. "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE." Exploit DB. Offensive Security, 4 Oct. 2013.






Figure 4: Code snippet of a downloader downloading a remote run.txt file
The run.txt file, shown in Figure 5, contains a pipe-delimited set of strings that define the executable name of the bot payload. In this case it will execute the downloaded payloads as .IptabLes or .IptabLex.


Figure 5: The contents of the run.txt file
The remote executable to download and run is then called by an additional user-defined function named ShellExec(). Figure 6 shows a snippet of the downloader preparing a URL and then executing the downloaded file called getsetup.rar.


Figure 6: This code snippet downloads a remote, renamed IptabLes payload






PAYLOAD INITIALIZATION

When the IptabLes bot is run, it will first ensure that it isn't already running, and if it is, it will run a cleanup script located in memory to clean the system of prior infection(s). The original payload will be removed from the system and the only artifacts remaining will be the renamed .IptabLes bots and their startup scripts. Figure 7 shows a cleanup script.

delallfile (the script as embedded in the binary's string table; in the listing 0Ah is a newline, 27h a single quote and 9 a tab):

#!/bin/sh
if [ -z $1 ] ; then
ps -f -C .IptabLes |grep .IptabLes | awk '{print $3}' | xargs $0 2
ps -f -C .IptabLes |grep .IptabLes | awk '{print $3}' | xargs $0 2
ps -f -C .IptabLes |grep .IptabLes | awk '{print $2}' | xargs $0 2
ps -f -C .IptabLes |grep .IptabLes | awk '{print $2}' | xargs $0 2
ps -axu | grep .IptabLes | awk '{print $2}' |xargs kill -9
ps -axu | grep .IptabLes | awk '{print $2}' |xargs kill -9
ps -C .IptabLes | xargs kill -9
ps -C .IptabLes | grep .IptabLes |xargs kill -9
find / -name *ptabLes | xargs rm -f
find / -name .IptabLes | xargs rm -f
find / -name *ptabLes | xargs rm -f
find / -name .IptabLes | xargs rm -f
rm -f /boot/.stabip
rm -f /boot/.IptabLes
rm -f /etc/rc.d/init.d/IptabLes
rm -f /boot/IptabLes
rm -f /tmp/IptabLes
rm -f /usr/IptabLes
rm -f /usr/.IptabLes
rm -f /etc/rc.d/rc4.d/*IptabLes
rm -f /etc/rc.d/rc1.d/*IptabLes
rm -f /etc/rc.d/rc2.d/*IptabLes
rm -f /etc/rc.d/rc3.d/*IptabLes
rm -f /etc/rc.d/rc0.d/*IptabLes
rm -f /etc/rc.d/rc5.d/*IptabLes
rm -f /etc/rc.d/rc6.d/*IptabLes
rm -f /etc/init.d/IptabLes
rm -f /etc/rc4.d/*IptabLes
rm -f /etc/rc1.d/*IptabLes
rm -f /etc/rc2.d/*IptabLes
rm -f /etc/rc3.d/*IptabLes
rm -f /etc/rc0.d/*IptabLes
rm -f /etc/rc5.d/*IptabLes
rm -f /etc/rc6.d/*IptabLes
rm -rf "$0"
else
if [ -z $2 ] ; then
    exit
    else
    if [ 1 -ne $2 ] ; then
        kill -9 $2
        fi
        fi
        fi
exit
Figure 7: Cleanup script executed by the binary to prevent multiple infection
Figure 8 shows a scenario where multiple versions of the bot are executed. In most cases where a web server is not run as a root administrative account but privilege escalation is possible, the bot will execute two versions of itself, one with advanced (pro) features. This version can be identified by the presence of function names in the binary's string data.


Figure 8: Multiple instances of a malicious binary (IptabLes and IptabLex)
The main initialization of the .IptabLes bot starts with an attempt to establish a connection with two hardcoded IP addresses. The bot then sends information about the memory and CPU of the victim's machine using a function called sendLoginInfo. Below is a network capture of the initial packet sent to identify the infected machine to an assigned C2. This signature is unique to the individual host/C2 pair.


Figure 9: Packet capture of a binary communicating to IPs in the Chinese botnet infrastructure
Once a connection is established, the bot awaits commands from the C2. The commands range from basic system modifications to launching DDoS attacks.





PAYLOAD ENTRENCHMENT AND PERSISTENCE

Most observed bots that were dropped onto compromised systems were not named IptabLes at the time of the drop. Some names contain a random file name with a .hub extension or common file extensions such as zip or rar. A post-infection indication is payloads named .IptabLes or .IptabLex located in the /boot directory and drops of bash script files in the /etc directory. These script files run the .IptabLes binary on reboot, and they are symbolic links to the original file located in /boot/IptabLes. Figures 10 and 11 show files typically associated with an infection of .IptabLes on a system.


Figure 10: Presence of binaries in an infected system indicates infection

Figure 11: Contents of a startup script in the /boot directory indicates malware persistence
The IptabLes ELF binaries include a function that indicates a self-updating feature. The function named updatesrv will connect to a remote host and attempt to download a file. It sends the remote host a randomly generated string as the file name, and then the remote host will send the file via an established TCP connection. After being decompressed, the remote file replaces the original file.

In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection over port 1001 to the IPs.
NETWORK CODE ANALYSIS
The .IptabLes binaries were initially known to have infected victims in Asia. However, more recently many infections have been observed on servers hosted in the U.S. and in other regions.[12][13]

The following is a brief analysis of the command protocol of the IptabLex threat.


[12] "Logging Server Compromised (IptabLes and IptabLex)." Information Security. Stack Exchange, 27 May 2014.
[13] "My Droplet Has Been Compromised and Is Sending an Outgoing Flood or DDoS. What Do I Do?" DigitalOcean. N.p., 25 May 2014.





.IptabLes command protocol
Initial research statically reverse engineered the command structure that may have been used to communicate with the malware. The malware uses a simple command structure with one byte to identify the action and with subsequent data parsed by the associated functions. The authors of the bot used the zlib compression algorithm in an attempt to obfuscate the DDoS commands.

The IptabLes bot waits for commands from a malicious actor's C2 server. The logic of this communication begins in a thread function named MAINPTH where the function recves is called. If a buffer size of less than 261 bytes is received, it passes the packet buffer to the MyRead() function. Figure 12 shows code that receives and parses commands from command and control.


Figure 12: Code that receives and parses commands from command and control
The MyRead() function contains the core functionality that parses the receiving packet data. Most commands can be identified by a one-byte check and control passes to subsequent functions that operate on the data from the commands. The malicious actors appear to have attempted to hide the DDoS commands by applying a compression algorithm to them (zlib compression wrapper). Below is a pseudo code version of the operation applied when an incoming DDoS command is received by the malware. Take note of the check for a magic value of 0xABCDEF88 in order to continue processing the receiving packet data.

short len = *(short *)(buff + 4);
if (*(int *)buff == 0xABCDEF88)
    if (len == buffer_len - 6)      /* minus the header check and the packet length variable */
        MyRevise(buff, buffer_len); /* MyRevise(void *buffer, size_t buf_len) */
Figure 13: Pseudo code of the operation applied to an incoming DDoS command by the malware
The MyRevise() function is then called and the compressed payload is passed as the buffer argument. This function decompresses and processes the data in the buffer. The decompressed size of the buffer must be exactly 112 bytes. Once that condition is satisfied, the data is passed to a function called AddTask() that parses the decompressed data and calls the appropriate DNS or SYN flood thread. A pseudo code demonstration is shown below.






if ( a1 )
{
    new_data = 0;
    new_len = 2048;
    if ( HbLDeCompress(a1 + 6, a2, &new_data, &new_len) || new_len != 112 )
    {
        v2 = new_data;
    }
    else
    {
        v2 = new_data;
        if ( *(_BYTE *)(new_data + 8) & 1 )
        {
            v3 = *(_DWORD *)(new_data + 0x50);
            v4 = *(_DWORD *)(new_data + 0x54);
            v5 = *(_DWORD *)(new_data + 0x58);
            v6 = *(_DWORD *)(new_data + 0x5C);
            v7 = AddTask(new_data);
            MySend(&v3, 20);
            v2 = new_data;
        }
    }
    free(v2);
}
Figure 14: A pseudo code demonstration of the decompression and parsing of the DDoS commands
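The following Python is an added example written for this edit, not code from the advisory or from the bot, that applies the acceptance checks of Figures 13 and 14 to a captured C2 frame in the same order the bot does: the 261-byte receive limit, the 0xABCDEF88 magic, the 2-byte length field that must equal the bytes after the 6-byte header, inflation of the payload, the 112-byte decompressed size, and then the flag byte at offset 8 and the four dwords at 0x50..0x5C that are echoed back with MySend(). Three things are assumptions: little-endian field layout (the x86 Linux hosts the bot targets), that HbLDeCompress is a plain zlib inflate (the advisory only says "zlib compression wrapper"), and the build_frame/constructed_task helpers, which exist only to produce constructed test input.

```python
import struct
import zlib

MAGIC = 0xABCDEF88     # magic dword checked at offset 0 (Figure 13)
HEADER_LEN = 6         # 4-byte magic + 2-byte payload length
MAX_RECV = 261         # recves only hands buffers shorter than this to MyRead()
TASK_LEN = 112         # the inflated command block must be exactly this long (Figure 14)


def parse_c2_frame(buff: bytes):
    """Apply the bot's own acceptance checks to one captured frame.

    Returns a dict describing the decoded task block, or None when any check
    fails (the bot frees the buffer and ignores the frame in that case).
    """
    if len(buff) < HEADER_LEN or len(buff) >= MAX_RECV:
        return None
    # Assumption: little-endian, as on the x86 Linux hosts the bot targets.
    magic, length = struct.unpack_from("<IH", buff, 0)
    if magic != MAGIC:
        return None
    if length != len(buff) - HEADER_LEN:          # "len == buffer_len - 6"
        return None
    try:
        # Assumption: HbLDeCompress is a plain zlib inflate of the bytes after the header.
        task = zlib.decompress(buff[HEADER_LEN:])
    except zlib.error:
        return None
    if len(task) != TASK_LEN:
        return None
    enabled = bool(task[8] & 1)                   # the flag AddTask() is gated on
    # v3..v7 are five consecutive locals, so MySend(&v3, 20) sends these four
    # dwords plus the AddTask() return value back to the C2.
    echoed = struct.unpack_from("<4I", task, 0x50)
    return {"enabled": enabled, "echoed_dwords": echoed, "task": task}


def build_frame(task: bytes) -> bytes:
    """Wrap a task block in the header described above (constructed test helper, not the C2's code)."""
    payload = zlib.compress(task)
    return struct.pack("<IH", MAGIC, len(payload)) + payload


def constructed_task(enabled: bool = True, words=(1, 2, 3, 4)) -> bytes:
    """Constructed 112-byte block: flag at offset 8, four dwords at 0x50 (sample data, not a real capture)."""
    block = bytearray(TASK_LEN)
    block[8] = 1 if enabled else 0
    struct.pack_into("<4I", block, 0x50, *words)
    return bytes(block)


if __name__ == "__main__":
    print(parse_c2_frame(build_frame(constructed_task())))
```

Run against frames carved from a pcap of the port 1001 session, the function separates well-formed task frames from everything else the bot would silently drop, which is useful when deciding whether a captured session actually delivered an attack task.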
Some of the identified DDoS commands are listed in Figure 15.

setlocalip: 0xC8 + "IP" -> changes source IP
setrandomip: 0xCC + "IP String" -> generates a random IP
updatepath/updatesrv: 0x33 + "new path" -> download and update malware executable
Delete a Task: 0x10 + "Task number" -> removes a task (DDoS commands tasks)
Delete All Tasks: 0x20 -> Delete all currently pending tasks
Figure 15: Example DDoS commands called by the AddTask() function
These DDoS commands are called by the AddTask() function, as shown in Figure 16. Both of the threads parse the data passed to them and generate unique SYN and DNS payloads.







Figure 16: DNS and SYN flood thread functions called by the AddTask() function
The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality. Two functions found inside the binary indicate SYN and DNS flood attack payloads. These DDoS attack payloads are initiated once an attacker sends the command to an infected victim machine. Payload functions are shown in Figure 17.


Figure 17: Payload functions within the binary
OBSERVED CAMPAIGN
Below are attack signatures observed during a DDoS attack mitigated for one of our customers. The main attack vector was the DNS flood. More recent campaigns have relied primarily on SYN floods.

SYN Flood
10:41:03.933780 IP x.x.x.x.10535 > x.x.x.x.80: Flags [S], seq 536:1560, win 6000,
length 1024
DNS Flood
15:37:30.794536 IP x.x.x.x.2679 > x.x.x.x.53: 17664+ A? xx.xx.xx. (33)
Figure 18: Attack signatures for a SYN flood and DNS flood used by malicious actors in this attack campaign
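As an added example (not part of the advisory), the following Python turns the two Figure 18 signatures into detection logic over tcpdump text output: it buckets SYNs per second per destination port and A-queries per second per DNS server, flags buckets over a threshold, and separately counts SYNs that carry a payload, since the "length 1024" on a bare SYN is itself an anomaly worth alerting on. The thresholds and the tcpdump line format are assumptions, and constructed_capture() produces constructed sample lines with RFC 5737 documentation addresses rather than a real capture.

```python
import re
from collections import Counter

# tcpdump text lines shaped like the two signatures in Figure 18 (format assumed from that figure).
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[S\],.* length (?P<len>\d+)$")
DNS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.53: \d+\+ A\? (?P<qname>\S+) \(\d+\)$")


def analyze_capture(lines, syn_per_sec=100, dns_per_sec=100):
    """Bucket SYNs and A-queries per (second, destination) and flag buckets over the thresholds."""
    syn_buckets = Counter()
    dns_buckets = Counter()
    syn_with_payload = 0
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            syn_buckets[(m["ts"], m["dst"], m["dport"])] += 1
            if int(m["len"]) > 0:      # a SYN carrying 1024 bytes of data is abnormal on its own
                syn_with_payload += 1
            continue
        m = DNS_RE.match(line)
        if m:
            dns_buckets[(m["ts"], m["dst"])] += 1
    alerts = []
    for (ts, dst, dport), n in sorted(syn_buckets.items()):
        if n >= syn_per_sec:
            alerts.append(f"{ts} SYN flood: {n} SYN/s to {dst}:{dport}")
    for (ts, dst), n in sorted(dns_buckets.items()):
        if n >= dns_per_sec:
            alerts.append(f"{ts} DNS flood: {n} A-queries/s to {dst}:53")
    return {"alerts": alerts, "syn_with_payload": syn_with_payload}


def constructed_capture(syn_count=150, dns_count=120):
    """Constructed tcpdump-style lines (RFC 5737 addresses); not a real capture."""
    lines = []
    for i in range(syn_count):
        lines.append(f"10:41:03.{i:06d} IP 192.0.2.{(i % 200) + 1}.{10000 + i} > 198.51.100.10.80: "
                     f"Flags [S], seq 536:1560, win 6000, length 1024")
    for i in range(dns_count):
        lines.append(f"15:37:30.{i:06d} IP 192.0.2.{(i % 200) + 1}.{2000 + i} > 198.51.100.53.53: "
                     f"{17000 + i}+ A? example.test. (33)")
    # one ordinary SYN, below threshold and with no payload, to show it is not flagged
    lines.append("10:41:04.000001 IP 192.0.2.9.40000 > 198.51.100.10.80: Flags [S], seq 0, win 29200, length 0")
    return lines


if __name__ == "__main__":
    for alert in analyze_capture(constructed_capture())["alerts"]:
        print(alert)
```

Per-second counts are a coarse measure; on a real sensor the same bucketing is usually done over a sliding window and per source as well, so that a single spoofing host and a distributed flood are reported differently.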







                               San Jose    London      Hong Kong   Washington DC  Frankfurt
Peak bits per second (bps)     26.40 Gbps  30.20 Gbps  17.00 Gbps  30.10 Gbps     13.30 Gbps
Peak packets per second (pps)  13.00 Mpps  9.30 Mpps   18.00 Mpps  6.73 Mpps      12.00 Mpps
Figure 19: Attack scale and distribution
MITIGATION
Mitigating this DDoS threat involves patching and hardening the server, antivirus detection and rate limiting. In addition, PLXsert has created a YARA rule and a bash command to detect and eliminate this threat in Linux servers.
Patches and hardening of the server
To mitigate against possible infection from this binary it is necessary to first harden the exposed web platform and services by applying patches and updates from the respective software vendors and developers:
Apache Struts 2 Documentation: Security Bulletins[14]
Apache Tomcat vulnerabilities and fixes[15]
Elasticsearch mitigation procedures[16]

In addition, there are also fundamental Linux server hardening procedures provided by SANS Institute (pdf).[17]

The binary (ELF) will only run on Linux based systems; however, attackers may be using other web exploits. The binary and the exploits used to break in are not co-dependent.



[14] "Security Bulletins." Security Bulletins. Apache Struts.
[15] "Security 7." Apache Tomcat. The Apache Software Foundation.
[16] Van Der Bijl, Bouke. "Insecure Default in Elasticsearch Enables Remote Code Execution." Bouk.co. May 2014.
[17] Lori Homsher and Tim Evans, Linux Security Checklist, Security Consensus Operational Readiness Evaluation. SANS Institute.





Antivirus detection
Several antivirus companies including McAfee have detections for this DDoS payload (McAfee identifies it as a generic Linux/DDosFlooder); however, the detection rate among antivirus companies is relatively low overall for this threat. At the time of this advisory, VirusTotal reported only 23 out of 54 antivirus engines detecting this threat, which is an improvement from May 2014 when the detection rate was 2 out of 54 for this binary.
Rate limiting
Attackers will typically target a domain with these attacks, so a target web server will receive the SYN flood on port 80 or another port deemed critical for the server's operation. The DNS flood will typically flood a domain's DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed by these attacks, rate limiting may be an option.

Akamai's Generic Route Encapsulation (GRE) solution allows routing of an entire subnet (/24 minimum) for mitigation. The attack will be absorbed by Akamai's solutions, allowing legitimate users to continue to use the site and its services.
YARA rule
YARA is an open source tool designed to identify and classify malware threats. It is typically used as a host-based detection mechanism and provides a strong PCRE engine to match identifying features of threats at a binary level or more. PLXsert utilizes YARA rules to classify threats that persist across many campaigns and over time. Figure 20 contains a YARA rule provided by PLXsert to identify the ELF IptabLes payload identified in this advisory.

rule IptablesELF
{
    meta:
        author = "PLXSert"
        description = "Rule to detect ELF IpTable DDoS executable"

    strings:
        $elf = {7f 45 4c 46}
        $st0 = "SynFloodSendThread"
        $st1 = "DnsFloodSendThread"
        $st2 = "SynFloodBuildThread"
        $st3 = "DnsFloodBuildThread"
        $st4 = "MAINPTH"

        $code1 = "list.c"
        $code2 = "main.c"
        $code3 = "mypth.c"
        $code4 = "Service.c"
        $code5 = "srvnet.c"
        $code6 = "ckbuf"
        $code7 = "udptest.c"

    condition:
        ($elf at 0 and all of ($st*) and 5 of ($code*) )
}
Figure 20: YARA rule for bot identification and classification of IPTabLes/IPTabLex DDoS bots
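The following Python is an added host-triage example, not PLXsert's code, that serves two parts of this advisory at once: it re-implements the Figure 20 rule condition ($elf at 0, all five thread strings, at least 5 of the 7 source-file names) so the check can run where YARA is not installed, and it walks a file system for the persistence indicators described earlier (files and rc-style startup links whose names end in IptabLes or IptabLex, such as /boot/.IptabLes and /etc/rc*.d/*IptabLes). The name pattern, the "rule"/"name"/"symlink" finding kinds, and the constructed_sample/build_constructed_infection/dry_run helpers are assumptions of this example; the sample "binary" is constructed test data carrying the rule strings, not a real sample.

```python
import os
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# String sets taken from the YARA rule in Figure 20
THREAD_STRINGS = [b"SynFloodSendThread", b"DnsFloodSendThread",
                  b"SynFloodBuildThread", b"DnsFloodBuildThread", b"MAINPTH"]
SOURCE_STRINGS = [b"list.c", b"main.c", b"mypth.c", b"Service.c",
                  b"srvnet.c", b"ckbuf", b"udptest.c"]
# File-name indicator (assumed pattern): the dropped binary and its rc*.d links end in IptabLes/IptabLex.
NAME_PATTERN = re.compile(r"IptabLe[sx]$")


def matches_iptables_rule(data: bytes) -> bool:
    """Equivalent of the rule condition: $elf at 0 and all of ($st*) and 5 of ($code*)."""
    if not data.startswith(ELF_MAGIC):
        return False
    if not all(s in data for s in THREAD_STRINGS):
        return False
    return sum(1 for s in SOURCE_STRINGS if s in data) >= 5


def scan_tree(root):
    """Walk a tree and collect (kind, path) findings: suspicious names, links to them, rule hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if NAME_PATTERN.search(name):
                findings.append(("name", str(path)))
            if path.is_symlink():
                target = os.readlink(path)
                if NAME_PATTERN.search(os.path.basename(target)):
                    findings.append(("symlink", f"{path} -> {target}"))
                continue  # the link target is scanned in place, not through the link
            if not path.is_file():
                continue
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) != ELF_MAGIC:   # cheap pre-filter before reading whole files
                        continue
                    fh.seek(0)
                    data = fh.read()
            except OSError:
                continue
            if matches_iptables_rule(data):
                findings.append(("rule", str(path)))
    return findings


def constructed_sample(strings=THREAD_STRINGS + SOURCE_STRINGS) -> bytes:
    """Constructed stand-in for an infected binary: ELF magic plus the rule strings (not a real sample)."""
    return ELF_MAGIC + bytes(12) + b"\x00".join(strings)


def build_constructed_infection(root):
    """Lay out boot/.IptabLes, an etc/rc3.d link to it and a benign file under root (test fixture)."""
    boot = Path(root) / "boot"
    rc = Path(root) / "etc" / "rc3.d"
    boot.mkdir(parents=True, exist_ok=True)
    rc.mkdir(parents=True, exist_ok=True)
    (boot / ".IptabLes").write_bytes(constructed_sample())
    os.symlink("../../boot/.IptabLes", rc / "S55IptabLes")
    (Path(root) / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")


def dry_run():
    """Build the constructed layout in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="iptables-triage-")
    build_constructed_infection(root)
    return scan_tree(root)


if __name__ == "__main__":
    for kind, where in dry_run():
        print(kind, where)
```

On a suspect host, scan_tree("/") with root privileges covers the /boot, /etc, /tmp and /usr locations the bot's own cleanup script enumerates; a "rule" hit on an unexpected ELF is the strongest signal, while a "name" or "symlink" hit alone points at leftover persistence from an earlier drop.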
Bash commands
Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.

sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
Figure 21: Bash commands to clean a system infected with the ELF IptabLes binary
CONCLUSION
To prevent further infestation and spread of this botnet it is necessary to identify and apply corrective measures, such as those shown in this threat advisory. Command and control centers are currently located in Asia and the botnet has been used mainly to attack gaming and gambling verticals.

Malicious actors behind this botnet have produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection. This bot seems to be in an early development stage and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns.

PLXsert anticipates further infestation and the expansion of this botnet. Future DDoS attack campaigns may target other industry verticals and involve other regions. Further development will likely be driven by opportunities for monetization or takeover of the botnet by different groups in the DDoS-for-hire market.

The rise in infection by the .IptabLes bot creates a risk for servers that run potentially vulnerable services such as Apache Struts and Tomcat. Misconfigured Elasticsearch instances have also been targeted in the attacks, resulting in the widespread abuse of this new threat. Akamai (Prolexic), however, offers mitigation solutions for these types of volumetric and amplification attacks that are exhibited in .IptabLes bots.

PLXsert will continue observing this botnet and will produce further advisories if warranted.





CONTRIBUTORS: PLXsert
ABOUT THE PROLEXIC SECURITY ENGINEERING AND RESEARCH TEAM (PLXsert)
PLXsert monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.
ABOUT AKAMAI
Akamai is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company's solutions is the Akamai Intelligent Platform™, providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
