1. A Linux botnet called IptabLex/IptabLes was discovered in 2014 infecting vulnerable Linux web servers through exploits like Apache Struts and Tomcat vulnerabilities.
2. The IptabLex/IptabLes binary establishes persistence, propagates, and communicates with hardcoded command and control servers in China upon infection.
3. The binary cleans up prior infections, runs multiple versions of itself, and awaits commands from its control servers like modifying the system or launching DDoS attacks.
OVERVIEW

During Q2 2014, Akamai's Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks. One campaign peaked at 119 Gbps of bandwidth and 110 Mpps in volume. It appears to originate from Asia. Observed incidents in Asia and, now, in other parts of the world suggest the binary connects back to two hardcoded IP addresses in China.[1] The mass infestation seems to be driven by a large number of Linux-based web servers being compromised, mainly through exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.
INDICATORS OF IPTABLES/IPTABLEX INFECTION
The principal indicator of this infection is the presence of a Linux ELF binary that creates a copy of itself and names it .IptabLes or .IptabLex. The leading period is intentional: it turns the copy into a dotfile, which a plain directory listing omits, and so helps hide the file. This binary is crafted to infect popular Linux distributions such as Debian, Ubuntu, CentOS and Red Hat.
Reports of the infection are shown in Figures 1, 2 and 3.

Figure 1: Red Hat publicly reported the compromise to its customers

Figure 2: A victim of the IptabLes infection posted reports of the hacks on a public forum
Figure 3: A translated report of IptabLex / IptabLes

The infections occur mainly on Linux servers running vulnerable Apache Tomcat, Struts or Elasticsearch software. The binary is distinct from the exploits used to take control of the server: attackers break into the servers using a known exploit,[2][3] escalate privileges, drop the binary onto the compromised server and execute it.
Not all vulnerabilities lead to the complete compromise of a server. In order to escalate privileges, attackers must first be able to execute code on the targeted server. This is often accomplished via a remote code execution exploit, or by escalation through a chain of exploits, such as the Apache Struts ClassLoader manipulation remote code execution vulnerability.[4]
There are reports of other applications being exploited in addition to the ones mentioned; however, Apache Struts and Tomcat appear to be the principal vector of entry. After the initial compromise and privilege escalation, attackers drop and execute the binary. Downloader binaries or scripts may be used to spread the .IptabLes bot to further compromised machines.
IPTABLES ELF BOT ANALYSIS
PLXsert has analyzed the binary associated with .IptabLes infections. The IptabLes binary only functions properly with root privileges. In some cases the bot runs two versions of itself: one with advanced features and one with the standard capabilities of the original payload. The bot sets up persistence, propagates, and makes remote connections back to its assigned command-and-control (C2) server.
Along with the exploitation of vulnerable web servers, the IptabLes bot is being deployed with toolkit components such as downloader agents. In such cases the downloader fetches and executes the contents of remote files. Figure 4 shows the downloader retrieving a remote file named run.txt.
Figure 4: Code snippet of a downloader downloading a remote run.txt file

The run.txt file, shown in Figure 5, contains a pipe-delimited set of strings that define the executable name of the bot payload. In this case it executes the downloaded payloads as .IptabLes or .IptabLex.
Figure 5: The contents of the run.txt file

The remote executable to download and run is then invoked by an additional user-defined function named ShellExec(). Figure 6 shows a snippet of the downloader preparing a URL and then executing the downloaded file, called getsetup.rar.
When the IptabLes bot runs, it first checks whether it is already running; if it is, it runs a cleanup script held in memory to rid the system of prior infection(s). The original payload is removed from the system, and the only artifacts remaining are the renamed .IptabLes bots and their startup scripts. Figure 7 shows a cleanup script.
    9,9,'fi',0Ah
    9,9,'fi',0Ah
    9,9,'fi',0Ah
    'exit',0Ah,0

Figure 7: Cleanup script executed by the binary to prevent multiple infections (only the tail of the embedded script survives here as disassembler data bytes: three closing "fi" lines followed by "exit")

Figure 8 shows a scenario in which multiple versions of the bot are executed. In most cases where the web server does not run as the root account but privilege escalation is possible, the bot executes two versions of itself, one with advanced (pro) features. This version can be identified by the presence of its function names in the binary's string data.
Figure 8: Multiple instances of a malicious binary (IptabLes and IptabLex)

The main initialization of the .IptabLes bot starts with an attempt to establish a connection with two hardcoded IP addresses. The bot then sends information about the memory and CPU of the victim's machine using a function called sendLoginInfo. Below is a network capture of the initial packet sent to identify the infected machine to its assigned C2. This signature is unique to the individual host/C2 pair.
Figure 9: Packet capture of a binary communicating with IPs in the Chinese botnet infrastructure

Once a connection is established, the bot awaits commands from the C2. The commands range from basic system modifications to launching DDoS attacks.
PAYLOAD ENTRENCHMENT AND PERSISTENCE
Most observed bots dropped onto compromised systems were not named IptabLes at the time of the drop. Some carry a random file name with a .hub extension, or a common extension such as zip or rar. A post-infection indicator is payloads named .IptabLes or .IptabLex in the /boot directory, together with bash script files dropped in the /etc directory. These script files run the .IptabLes binary on reboot, and they are symbolic links to the original file located at /boot/.IptabLes. Figures 10 and 11 show files typically associated with an .IptabLes infection.
Figure 10: Presence of these binaries on a system indicates infection
Figure 11: Contents of a startup script in the /boot directory indicates malware persistence

The IptabLes ELF binaries include a function that indicates a self-updating feature. The function named updatesrv connects to a remote host and attempts to download a file. It sends the remote host a randomly generated string as the file name, and the remote host then sends the file over the established TCP connection. After being decompressed, the remote file replaces the original.
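The indicators above (payload copies in /boot, symlinked startup scripts in /etc, a process named after the bot, and the TCP connection to port 1001 reported in the lab analysis that follows) are what an administrator has to enumerate before cleaning a host. The Python triage below is an added example, not PLXsert's code or anything from the advisory's own tooling. Every function takes a root directory or a /proc tree as an argument, so it can be pointed at a live host ("/" and "/proc") or at a mounted image, and cleanup_plan() orders the remediation so that running processes are stopped before the files they could re-drop are deleted, which is the order the cleanup commands in Figure 21 need. Only names the advisory gives (.IptabLes, .IptabLex, /boot, /etc, port 1001) are assumed; the directory tree used to exercise it is constructed.

```python
"""Host triage for the .IptabLes/.IptabLex indicators described in Figures 10 and
11.  Added example, not PLXsert's code.  `root` is "/" on a live system or the
mount point of an image; `proc` is the /proc tree to inspect (a copied one works
for the cmdline and net/tcp checks)."""
import os
import re
from pathlib import Path

IOC_NAME_RE = re.compile(r"^\.IptabLe[sx]$")   # .IptabLes and .IptabLex
C2_PORT = 1001                                 # TCP port used towards the hardcoded C2 IPs


def find_dropped_binaries(root="/"):
    """Figure 10: payload copies named .IptabLes / .IptabLex in /boot."""
    boot = Path(root) / "boot"
    if not boot.is_dir():
        return []
    return sorted(str(p) for p in boot.iterdir() if IOC_NAME_RE.match(p.name))


def find_startup_symlinks(root="/"):
    """Figure 11: files under /etc that are symbolic links to the dropped binary."""
    hits = []
    for dirpath, _dirs, files in os.walk(Path(root) / "etc"):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = os.readlink(p)
                if IOC_NAME_RE.match(os.path.basename(target)):
                    hits.append((str(p), target))
    return sorted(hits)


def find_bot_processes(proc="/proc"):
    """PIDs whose argv[0] is the bot (what `ps -axu | awk '/\\.IptabLe/'` selects)."""
    procdir = Path(proc)
    if not procdir.is_dir():
        return []
    pids = []
    for entry in procdir.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0]
        except OSError:
            continue                      # process exited or not readable
        if IOC_NAME_RE.match(os.path.basename(argv0.decode(errors="replace"))):
            pids.append(int(entry.name))
    return sorted(pids)


def find_c2_connections(proc="/proc"):
    """TCP sockets whose remote port is 1001, read from /proc/net/tcp, where the
    remote address is hex IPv4 in host byte order (little-endian on x86) plus a hex port."""
    path = Path(proc) / "net" / "tcp"
    if not path.is_file():
        return []
    found = []
    for line in path.read_text().splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) < 3 or ":" not in fields[2]:
            continue
        ip_hex, port_hex = fields[2].split(":")
        if int(port_hex, 16) != C2_PORT:
            continue
        octets = bytes.fromhex(ip_hex)[::-1]             # host order -> dotted quad
        found.append((".".join(str(o) for o in octets), C2_PORT))
    return found


def cleanup_plan(root="/", proc="/proc"):
    """Remediation steps in a safe order: stop the bots first so they cannot
    re-drop anything, then remove the persistence links and the payload copies.
    Returns the commands instead of running them so the plan can be reviewed."""
    plan = ["kill -9 %d" % pid for pid in find_bot_processes(proc)]
    plan += ["rm -f %s" % link for link, _ in find_startup_symlinks(root)]
    plan += ["rm -f %s" % path for path in find_dropped_binaries(root)]
    if plan:
        plan.append("reboot, re-run this triage, and find the web-stack entry point")
    return plan
```

Run it against "/" and "/proc" on a suspect host, or against the mount point of an image for the file checks; the /proc/net/tcp check only sees IPv4 sockets, so an IPv6-only host would need /proc/net/tcp6 as well.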
In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection to the IPs over port 1001.

NETWORK CODE ANALYSIS

The .IptabLes binaries were initially known to have infected victims in Asia. More recently, however, many infections have been observed on servers hosted in the U.S. and in other regions.[12][13]

The following is a brief analysis of the command protocol of the IptabLex threat.
[12] "Logging Server Compromised (IptabLes and IptabLex)." Information Security Stack Exchange, 27 May 2014.
[13] "My Droplet Has Been Compromised and Is Sending an Outgoing Flood or DDoS. What Do I Do?" DigitalOcean, 25 May 2014.
.IptabLes command protocol

Initial research statically reverse engineered the command structure that may have been used to communicate with the malware. The malware uses a simple command structure: one byte identifies the action and the subsequent data is parsed by the associated functions. The bot's authors wrapped the DDoS commands in a compression layer (decompressed in the binary by a routine named HbLDeCompress) in an attempt to obfuscate them.
The IptabLes bot waits for commands from the malicious actor's C2 server. The logic of this communication begins in a thread function where recv() is called. If a buffer of less than 261 bytes is received, the packet buffer is passed to the MyRead() function. Figure 12 shows the code that receives and parses commands from command and control.

Figure 12: Code that receives and parses commands from command and control

The MyRead() function contains the core functionality that parses the received packet data. Most commands can be identified by a one-byte check, after which control passes to subsequent functions that operate on the command's data. The malicious actors appear to have attempted to hide the DDoS commands by applying a compression algorithm to them (the HbLDeCompress wrapper). Below is a pseudo-code version of the operation applied when an incoming DDoS command is received by the malware. Note the check for a magic value of 0xABCDEF88 before processing of the received packet data continues.

    short len = *(short*)(buff + 4)          // 16-bit payload length at offset 4
    if *(int*)buff == 0xABCDEF88             // 32-bit magic at offset 0
        if len == buffer_len - 6             // 6 = magic (4 bytes) + length field (2 bytes)
            Call MyRevise(void* buffer, size_t buf_len)

Figure 13: Pseudo code of the operation applied to an incoming DDoS command by the malware

The MyRevise() function is then called with the compressed payload as its buffer argument. This function decompresses and processes the data in the buffer. The decompressed size of the buffer must be exactly 112 bytes. Once that condition is satisfied, the data is passed to a function called AddTask(), which parses the decompressed data and calls the appropriate DNS or SYN flood thread. A pseudo-code demonstration is shown below.
    if ( a1 ) {
        new_data = 0;
        new_len = 2048;                                  /* capacity of the output buffer */
        /* decompress everything after the 6-byte header; a failure, or any
           decompressed size other than 112 bytes, skips the task entirely */
        if ( HbLDeCompress(a1 + 6, a2, &new_data, &new_len) || new_len != 112 ) {
            v2 = new_data;
        } else {
            v2 = new_data;
            if ( *(_BYTE *)(new_data + 8) & 1 ) {        /* flag byte at offset 8 */
                v3 = *(_DWORD *)(new_data + 0x50);
                v4 = *(_DWORD *)(new_data + 0x54);
                v5 = *(_DWORD *)(new_data + 0x58);
                v6 = *(_DWORD *)(new_data + 0x5C);
                v7 = AddTask(new_data);                  /* schedules the DNS or SYN flood */
                MySend(&v3, 20);                         /* reports back to the C2 */
                v2 = new_data;
            }
        }
        free(v2);
    }

Figure 14: A pseudo-code demonstration of the decompression and parsing of the DDoS commands

Some of the identified DDoS commands are listed in Figure 15.
    setlocalip:            0xC8 + "IP"           -> changes the source IP
    setrandomip:           0xCC + "IP string"    -> generates a random IP
    updatepath/updatesrv:  0x33 + "new path"     -> downloads and updates the malware executable
    Delete a task:         0x10 + "task number"  -> removes a task (DDoS command tasks)
    Delete all tasks:      0x20                  -> deletes all currently pending tasks

Figure 15: Example DDoS commands called by the AddTask() function

These DDoS commands are dispatched through the AddTask() function, as shown in Figure 16. Both threads parse the data passed to them and generate unique SYN and DNS payloads.
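The envelope checks in Figure 13, the 112-byte constraint in Figure 14 and the one-byte command table in Figure 15 together describe everything a sensor can validate on the wire without knowing the compression scheme. The Python decoder below is an added example, not PLXsert's code or anything recovered from the bot: it applies those checks to raw C2 bytes the way a network sensor, or the fake C2 in a sandbox, would classify traffic on port 1001. It assumes an x86 little-endian target, so the 0xABCDEF88 magic travels on the wire as 88 EF CD AB and the length at offset 4 is a little-endian 16-bit value; the compressed task body is left opaque because the HbLDeCompress format is not documented, and parse_decompressed_task() extracts only the fields Figure 14 shows the bot reading after decompression. All packets used to exercise it are constructed.

```python
"""Decoder for the IptabLes C2 envelope (Figures 13-15).  Added example; the
wire byte order (little-endian, x86) is an assumption and the compressed task
body is treated as opaque bytes."""
import struct

MAGIC = 0xABCDEF88        # Figure 13: *(int*)buff == 0xABCDEF88
HEADER_LEN = 6            # 4-byte magic + 2-byte length ("buffer_len - 6")
RECV_LIMIT = 261          # MyRead() is only reached for buffers shorter than this
TASK_LEN = 112            # Figure 14: decompressed task must be exactly 112 bytes

# One-byte control commands from Figure 15; the argument is the rest of the buffer.
COMMANDS = {
    0xC8: "setlocalip",      # + IP            -> change the spoofed source IP
    0xCC: "setrandomip",     # + IP string     -> generate random source IPs
    0x33: "updatepath",      # + new path      -> download and update the executable
    0x10: "deletetask",      # + task number   -> remove one DDoS task
    0x20: "deletealltasks",  #                 -> remove all pending tasks
}


def build_task_frame(compressed_body: bytes) -> bytes:
    """Frame a (compressed) task body so that it passes the Figure 13 checks."""
    return struct.pack("<IH", MAGIC, len(compressed_body)) + compressed_body


def parse_c2_message(buf: bytes) -> dict:
    """Classify one received buffer the way the bot's receive path does."""
    if not buf:
        return {"kind": "empty"}
    if len(buf) >= RECV_LIMIT:
        # the receive thread never hands a buffer this large to MyRead()
        return {"kind": "dropped", "reason": "buffer not under %d bytes" % RECV_LIMIT}
    if len(buf) >= HEADER_LEN and struct.unpack_from("<I", buf, 0)[0] == MAGIC:
        declared = struct.unpack_from("<H", buf, 4)[0]
        actual = len(buf) - HEADER_LEN
        if declared != actual:            # Figure 13: len must equal buffer_len - 6
            return {"kind": "ddos_task", "valid": False,
                    "declared_len": declared, "actual_len": actual}
        return {"kind": "ddos_task", "valid": True,
                "compressed_len": actual, "compressed": buf[HEADER_LEN:]}
    code = buf[0]                          # plain one-byte command (Figure 15)
    if code not in COMMANDS:
        return {"kind": "unknown", "code": code}
    return {"kind": "command", "code": code, "name": COMMANDS[code], "arg": buf[1:]}


def parse_decompressed_task(task: bytes) -> dict:
    """Fields the Figure 14 pseudo code reads from the 112-byte decompressed task.
    The meaning of the four DWORDs at 0x50..0x5C is not documented; the bot
    copies them into the reply it sends with MySend()."""
    if len(task) != TASK_LEN:
        raise ValueError("decompressed task must be %d bytes, got %d" % (TASK_LEN, len(task)))
    return {
        "enabled": bool(task[8] & 1),                        # *(_BYTE *)(new_data + 8) & 1
        "reply_words": struct.unpack_from("<4I", task, 0x50),
    }
```

A sensor rule derived from this needs only the first six bytes: magic 88 EF CD AB followed by a length that equals the remaining payload size. Because every single-byte command is also a valid leading byte of ordinary traffic, the command table alone is not a signature; the fixed destination port and the hardcoded C2 addresses are what make the match specific.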
Figure 16: DNS and SYN flood thread functions called by the AddTask() function

The analysis conducted in the lab environment showed that the binary exhibits DDoS functionality. Two functions found inside the binary implement the SYN and DNS flood attack payloads. These attacks are initiated once an attacker sends the command to an infected victim machine. The payload functions are shown in Figure 17.
Figure 17: Payload functions within the binary

OBSERVED CAMPAIGN

Below are attack signatures observed during a DDoS attack mitigated for one of our customers. The main attack vector was the DNS flood. More recent campaigns have relied primarily on SYN floods.
    SYN flood
    10:41:03.933780 IP x.x.x.x.10535 > x.x.x.x.80: Flags [S], seq 536:1560, win 6000, length 1024

    DNS flood
    15:37:30.794536 IP x.x.x.x.2679 > x.x.x.x.53: 17664+ A? xx.xx.xx. (33)

Figure 18: Attack signatures for the SYN flood and DNS flood used by malicious actors in this attack campaign

Note that the SYN segment carries a 1024-byte payload (seq 536:1560). A legitimate connection request carries no data, so a SYN with a non-zero length is a dependable filtering signature for this campaign; the DNS flood, by contrast, consists of well-formed A queries and has to be identified by rate rather than by packet contents.
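Turning the two Figure 18 signatures into detection logic, as an added example that is not PLXsert's code: the classifier below parses tcpdump-style text lines, flags every SYN that carries a payload, and counts DNS A queries per source per second so that a flood is reported only when a source exceeds a threshold. The sample lines are constructed to mirror Figure 18, with RFC 5737 documentation addresses in place of the masked x.x.x.x and a made-up query name; the second and last lines are benign traffic included to show what is not flagged.

```python
"""Classifier for tcpdump-style lines matching the Figure 18 attack signatures.
Added example (not PLXsert's code).  The sample lines are constructed to mirror
Figure 18, using RFC 5737 documentation addresses in place of the masked x.x.x.x."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
SYN_RE = re.compile(r"Flags \[S\],.*\blength (?P<len>\d+)")
DNS_QUERY_RE = re.compile(r"^\d+\+ A\? \S+ \(\d+\)$")

SAMPLE_LINES = [  # constructed; second line is a benign SYN, last line a benign lookup
    "10:41:03.933780 IP 198.51.100.7.10535 > 192.0.2.10.80: Flags [S], seq 536:1560, win 6000, length 1024",
    "10:41:04.100001 IP 198.51.100.8.40112 > 192.0.2.10.80: Flags [S], seq 812349, win 29200, length 0",
    "15:37:30.794536 IP 198.51.100.7.2679 > 192.0.2.53.53: 17664+ A? target.example. (33)",
    "15:37:30.794800 IP 198.51.100.7.2680 > 192.0.2.53.53: 17665+ A? target.example. (33)",
    "15:37:30.795100 IP 198.51.100.7.2681 > 192.0.2.53.53: 17666+ A? target.example. (33)",
    "15:37:31.000000 IP 198.51.100.9.5353 > 192.0.2.53.53: 4+ A? example.com. (29)",
]


def parse_line(line: str):
    """Split one tcpdump line into addresses, ports and the protocol-specific tail."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def classify_packet(pkt: dict):
    """Tag one packet: a SYN carrying data, a DNS A query, or nothing of interest."""
    m = SYN_RE.search(pkt["rest"])
    if m and int(m.group("len")) > 0:
        # A legitimate connection request has no payload; the campaign's SYNs carry
        # 1024 bytes (seq 536:1560 spans 1024 sequence numbers), which is the tell.
        return "syn_with_payload"
    if pkt["dport"] == 53 and DNS_QUERY_RE.match(pkt["rest"]):
        return "dns_a_query"
    return None


def detect(lines, dns_queries_per_second: int = 100):
    """Return (signature, source, second) alerts: every SYN-with-payload, plus any
    source whose A-query count within one second reaches the threshold."""
    alerts, dns_counts = [], Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        tag = classify_packet(pkt)
        if tag == "syn_with_payload":
            alerts.append(("SYN flood signature", pkt["src"], pkt["ts"]))
        elif tag == "dns_a_query":
            dns_counts[(pkt["src"], pkt["ts"])] += 1
    for (src, second), n in sorted(dns_counts.items()):
        if n >= dns_queries_per_second:
            alerts.append(("DNS flood signature", src, second))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES, dns_queries_per_second=3):
        print(*alert)
```

Feed it `tcpdump -nn -l` output to run it live. The threshold of 100 queries per second per source is a placeholder for the sample data; since the bot's setrandomip command spoofs sources, a production version should also count queries per destination name so that a flood spread across many fake sources is still visible.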
    Location        Peak bits per second (bps)   Peak packets per second (pps)
    San Jose        26.40 Gbps                   13.00 Mpps
    London          30.20 Gbps                   9.30 Mpps
    Hong Kong       17.00 Gbps                   18.00 Mpps
    Washington DC   30.10 Gbps                   6.73 Mpps
    Frankfurt       13.30 Gbps                   12.00 Mpps

Figure 19: Attack scale and distribution

MITIGATION

Mitigating this DDoS threat involves patching and hardening the server, antivirus detection and rate limiting. In addition, PLXsert has created a YARA rule and bash commands to detect and eliminate this threat on Linux servers.

Patches and hardening of the server

To mitigate against possible infection by this binary it is necessary first to harden the exposed web platform and services by applying the patches and updates from the respective software vendors and developers:

- Apache Struts 2 documentation: Security Bulletins [14]
- Apache Tomcat vulnerabilities and fixes [15]
- Elasticsearch mitigation procedures [16]

In addition, there are fundamental Linux server hardening procedures provided by the SANS Institute (PDF).[17]
The binary (ELF) only runs on Linux-based systems; however, attackers may be using other web exploits to get in. The binary and the exploits used to break in are not co-dependent, so patching the web stack prevents the entry, not the payload.
[14] "Security Bulletins." Apache Struts.
[15] "Security 7." Apache Tomcat, The Apache Software Foundation.
[16] Van Der Bijl, Bouke. "Insecure Default in Elasticsearch Enables Remote Code Execution." Bouk.co, May 2014.
[17] Homsher, Lori and Tim Evans. "Linux Security Checklist." Security Consensus Operational Readiness Evaluation, SANS Institute.
Antivirus detection

Several antivirus companies, including McAfee, have detections for this DDoS payload (McAfee identifies it as a generic Linux/DDosFlooder); however, the detection rate among antivirus vendors is relatively low overall for this threat. At the time of this advisory, VirusTotal reported only 23 of 54 antivirus engines detecting this threat, an improvement from May 2014, when the detection rate for this binary was 2 of 54.

Rate limiting

Attackers typically target a domain with these attacks, so a targeted web server receives the SYN flood on port 80 or on another port deemed critical for the server's operation. The DNS flood typically floods a domain's DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed in these attacks, rate limiting may be an option.
Akamai's Generic Routing Encapsulation (GRE) solution allows routing of an entire subnet (/24 minimum) for mitigation. The attack is absorbed by Akamai's infrastructure, allowing legitimate users to continue to use the site and its services.

YARA rule

YARA is an open source tool designed to identify and classify malware. It is typically used as a host-based detection mechanism and provides a strong PCRE engine to match identifying features of threats at the binary level or above. PLXsert uses YARA rules to classify threats that persist across many campaigns and over time. Figure 20 contains a YARA rule provided by PLXsert to identify the ELF IptabLes payload described in this advisory.
    condition:
        ($elf at 0 and all of ($st*) and 5 of ($code*) )
    }

Figure 20: YARA rule for identification and classification of IPTabLes/IPTabLex DDoS bots (only the condition clause survives in this copy; the $elf, $st* and $code* string definitions it refers to are not reproduced here)

Bash commands

Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.
    # stop the running bots first, so nothing can re-drop the payload while files are removed
    ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
    # then remove every dropped copy (.IptabLes and .IptabLex)
    sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'

Figure 21: Bash commands to clean a system infected with the ELF IptabLes binary

Two caveats apply. The find expression uses -type f, which matches regular files only, so the symbolic links in /etc that start the bot on reboot are not removed by it and must be found and deleted separately (find's -type l test selects them). And because the awk pattern also matches its own command line in the ps output, the kill may report one process that no longer exists; that message is harmless.

CONCLUSION

To prevent further infestation and spread of this botnet it is necessary to identify and apply corrective measures such as those shown in this threat advisory. The command and control centers are currently located in Asia, and the botnet has been used mainly to attack the gaming and gambling verticals.
The malicious actors behind this botnet have produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection. The bot appears to be at an early stage of development and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns.
PLXsert anticipates further infestation and expansion of this botnet. Future DDoS attack campaigns may target other industry verticals and involve other regions. Further development will likely be driven by opportunities for monetization, or by takeover of the botnet by different groups in the DDoS-for-hire market.
The rise in infections by the .IptabLes bot creates a risk for servers that run potentially vulnerable services such as Apache Struts and Tomcat. Misconfigured Elasticsearch instances have also been targeted in the attacks, resulting in widespread abuse by this new threat. Akamai (Prolexic), however, offers mitigation solutions for the types of volumetric and amplification attacks exhibited by .IptabLes bots.
PLXsert will continue observing this botnet and will produce further advisories if warranted.
CONTRIBUTORS: PLXsert

ABOUT THE PROLEXIC SECURITY ENGINEERING AND RESEARCH TEAM (PLXsert)

PLXsert monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

ABOUT AKAMAI

Akamai is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company's solutions is the Akamai Intelligent Platform™, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.