Iptables/iptablex Ddos Bots

During Q2 2014, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks.
Risk Factor - High
IptabLes/IptabLex DDoS Bots
TLP - GREEN
GSI ID: 1077

OVERVIEW

During Q2 2014, Akamai's Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial of service (DDoS) campaigns driven by the execution of a binary that produces significant payloads by executing Domain Name System (DNS) and SYN flood attacks. One campaign peaked at 119 Gbps bandwidth and 110 Mpps in volume. It appears to originate from Asia. Observed incidents in Asia and now other parts of the world suggest the binary connects back to two hardcoded IP addresses in China.[1] The mass infestation seems to be driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat, and Elasticsearch vulnerabilities.

INDICATORS OF IPTABLES/IPTABLEX INFECTION

The principal indicator of this infection is the presence of a Linux ELF binary that creates a copy of itself and names it .IptabLes or .IptabLex. The leading period is intentional and is intended to help hide the file. This binary is crafted to infect popular Linux distributions such as Debian, Ubuntu, CentOS and Red Hat. Reports of the infection are shown in Figures 1, 2 and 3.

Figure 1: Red Hat publicly reported the compromise to its customers
Figure 2: A victim of IptabLes infection posted reports of the hacks on a public forum
Figure 3: A translated report of IPtabLex / IptabLes

The infections occur mainly in Linux servers with vulnerable Apache Tomcat, Struts, or Elasticsearch software. The binary is distinct from the exploits used to control the server. Attackers are breaking into the servers using a known exploit,[2][3] escalating privileges, dropping the binary into the compromised server, and executing it. Not all vulnerabilities lead to the entire compromise of a server.

[1] "MMD-0023-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS Bots Malware." Malware Must Die!, 13 June 2014.
In order to escalate privileges, attackers must be able to execute code on a targeted server. This is often accomplished via remote code execution exploits or escalation through a series of exploits, such as the following:

• Apache Struts ClassLoader Manipulation Remote Code Execution [4]
• Apache Struts Developer Mode OGNL Execution [5]
• Apache Roller OGNL Injection [6]
• Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution [7]
• Apache Struts includeParams Remote Code Execution [8]
• Apache Struts ParametersInterceptor Remote Code Execution [9]
• Apache Tomcat Manager - Application Upload Authenticated Code Execution [10]
• Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE [11]

There are reports of other applications being exploited, in addition to the ones mentioned; however, Apache Struts and Tomcat seem to be the principal attack vector of entry. After the initial compromise and privilege escalation, attackers will proceed to drop and execute the binary. Downloader binaries or scripts may be used to spread and infect compromised machines with the .IptabLes bot.

IPTABLES ELF BOT ANALYSIS

PLXsert has analyzed the binary associated with .IptabLes infections. The IptabLes binary will only function properly under root privileges. In some cases, the bot will run two versions of itself: one with advanced features and one with the standard capabilities of the original payload.

[2] "Apache » Tomcat : Security Vulnerabilities." Apache Tomcat : List of Security Vulnerabilities. MITRE Corporation.
[3] "Apache » Struts : Security Vulnerabilities." Apache Struts : List of Security Vulnerabilities. MITRE Corporation.
[4] Metasploit. "Apache Struts ClassLoader Manipulation Remote Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.
[5] Metasploit. "Apache Struts Developer Mode OGNL Execution." Exploit DB. Offensive Security, 5 Feb. 2014.
The bot will set up persistence, propagate, and make remote connections back to its assigned Command-and-Control server (C2). Along with the infiltration of vulnerable web servers, the IptabLes bot is being used with toolkit components such as downloader agents. In such cases, the downloader downloads and executes the contents of remote files. Figure 4 shows the downloader retrieving a remote file named run.txt.

Figure 4: Code snippet of a downloader downloading a remote run.txt file

The run.txt file, shown in Figure 5, contains a pipe-delimited set of strings that define the executable name of the bot payload. In this case it will execute the downloaded payloads as .IptabLes or .IptabLex.

Figure 5: The contents of the run.txt file

The remote executable to download and run is then called by an additional user-defined function named ShellExec(). Figure 6 shows a snippet of the downloader preparing a URL and then executing the downloaded file called getsetup.rar.

[6] Metasploit. "Apache Roller OGNL Injection." Exploit DB. Offensive Security, 27 Nov. 2013.
[7] Metasploit. "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution." Exploit DB. Offensive Security, 27 Jul. 2013.
[8] Metasploit. "Apache Struts IncludeParams Remote Code Execution." Exploit DB. Offensive Security, 5 June 2013.
[9] Metasploit. "Apache Struts ParametersInterceptor Remote Code Execution." Exploit DB. Offensive Security, 22 Mar. 2013.
[10] Metasploit. "Apache Tomcat Manager - Application Upload Authenticated Code Execution." Exploit DB. Offensive Security, 5 Feb. 2014.
[11] Rgod. "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE." Exploit DB. Offensive Security, 4 Oct. 2013.
Figure 6: This code snippet downloads a remote, renamed IptabLes payload

PAYLOAD INITIALIZATION

When the IptabLes bot is run, it will first ensure that it isn't already running, and if it is, it will run a cleanup script located in memory to clean the system of prior infection(s). The original payload will be removed from the system and the only artifacts remaining will be the renamed .IptabLes bots and their startup scripts. Figure 7 shows the cleanup script (the string literal from the disassembly, rendered here as the shell script it encodes).

    #!/bin/sh
    if [ -z $1 ] ; then
    ps -f -C .IptabLes |grep .IptabLes | awk '{print $3}' | xargs $0 2
    ps -f -C .IptabLes |grep .IptabLes | awk '{print $3}' | xargs $0 2
    ps -f -C .IptabLes |grep .IptabLes | awk '{print $2}' | xargs $0 2
    ps -f -C .IptabLes |grep .IptabLes | awk '{print $2}' | xargs $0 2
    ps -axu | grep .IptabLes | awk '{print $2}' |xargs kill -9
    ps -axu | grep .IptabLes | awk '{print $2}' |xargs kill -9
    ps -C .IptabLes | xargs kill -9
    ps -C .IptabLes | grep .IptabLes |xargs kill -9
    find / -name *ptabLes | xargs rm -f
    find / -name .IptabLes | xargs rm -f
    find / -name *ptabLes | xargs rm -f
    find / -name .IptabLes | xargs rm -f
    rm -f /boot/.stabip
    rm -f /boot/.IptabLes
    rm -f /etc/rc.d/init.d/IptabLes
    rm -f /boot/IptabLes
    rm -f /tmp/IptabLes
    rm -f /usr/IptabLes
    rm -f /usr/.IptabLes
    rm -f /etc/rc.d/rc4.d/*IptabLes
    rm -f /etc/rc.d/rc1.d/*IptabLes
    rm -f /etc/rc.d/rc2.d/*IptabLes
    rm -f /etc/rc.d/rc3.d/*IptabLes
    rm -f /etc/rc.d/rc0.d/*IptabLes
    rm -f /etc/rc.d/rc5.d/*IptabLes
    rm -f /etc/rc.d/rc6.d/*IptabLes
    rm -f /etc/init.d/IptabLes
    rm -f /etc/rc4.d/*IptabLes
    rm -f /etc/rc1.d/*IptabLes
    rm -f /etc/rc2.d/*IptabLes
    rm -f /etc/rc3.d/*IptabLes
    rm -f /etc/rc0.d/*IptabLes
    rm -f /etc/rc5.d/*IptabLes
    rm -f /etc/rc6.d/*IptabLes
    rm -rf "$0"
    else
    if [ -z $2 ] ; then
    	exit
    	else
    	if [ 1 -ne $2 ] ; then
    		kill -9 $2
    		fi
    		fi
    		fi
    exit

Figure 7: Cleanup script executed by the binary to prevent multiple infection

Figure 8 shows a scenario where multiple versions of the bot are executed. In most cases where a web server is not run as a root administrative account but privilege escalation is possible, the bot will execute two versions of itself, one with advanced (pro) features. This version can be identified by the presence of function names in the binary's string data.

Figure 8: Multiple instances of a malicious binary (IptabLes and IptabLex)

The main initialization of the .IptabLes bot starts with an attempt to establish a connection with two hardcoded IP addresses. The bot then sends information about the memory and CPU of the victim's machine using a function called sendLoginInfo. Below is a network capture of the initial packet sent to identify the infected machine to an assigned C2. This signature is unique to the individual host/C2 pair.

Figure 9: Packet capture of a binary communicating to IPs in the Chinese botnet infrastructure

Once a connection is established, the bot awaits commands from the C2. The commands range from basic system modifications to launching DDoS attacks.

PAYLOAD ENTRENCHMENT AND PERSISTENCE

Most observed bots that were dropped onto compromised systems were not named IptabLes at the time of the drop. Some names contain a random file name with a .hub extension or common file extensions such as zip or rar. A post-infection indication is payloads named .IptabLes or .IptabLex located in the /boot directory and drops of bash script files in the /etc directory. These script files run the .IptabLes binary on reboot, and they are symbolic links to the original file located in /boot/IptabLes.
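A read-only check for these artifacts, added here as an example and not part of the PLXsert advisory: it scans a mounted root (or a copied disk image) for the fixed paths removed by the Figure 7 cleanup script, for the '.*ptabLe*' file-name pattern used by the advisory's find command, and for rc*.d startup entries ending in IptabLes together with their symlink targets. It reports rather than deletes, so the evidence survives for the system inspection the advisory recommends. The build_sample_root() fixture and the S55IptabLes entry it creates are constructed for demonstration, not observed artifacts.

```python
import os
import tempfile
from fnmatch import fnmatch
from typing import Dict, List

# Fixed locations named in the Figure 7 cleanup script and the /boot, /tmp and
# /usr drops described above, relative to the root being scanned.
ARTIFACT_PATHS = [
    "boot/.IptabLes", "boot/.IptabLex", "boot/IptabLes", "boot/.stabip",
    "tmp/IptabLes", "usr/IptabLes", "usr/.IptabLes",
    "etc/init.d/IptabLes", "etc/rc.d/init.d/IptabLes",
]
# File-name glob used by the advisory's cleanup find command.
NAME_GLOB = ".*ptabLe*"
# Startup directories from which Figure 7 removes *IptabLes entries.
RC_DIRS = ["etc/rc%d.d" % n for n in range(7)] + ["etc/rc.d/rc%d.d" % n for n in range(7)]


def scan_root(root: str) -> Dict[str, List[str]]:
    """Report (never delete) IptabLes artifacts under `root`.

    Returns three lists of paths relative to root:
      known   - fixed advisory paths that exist (files or symlinks)
      by_name - any file whose name matches the '.*ptabLe*' glob
      startup - rc*.d entries ending in IptabLes, with their symlink target
    """
    found = {"known": [], "by_name": [], "startup": []}
    for rel in ARTIFACT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            found["known"].append(rel)
    for d in RC_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if name.endswith("IptabLes"):
                p = os.path.join(full, name)
                target = os.readlink(p) if os.path.islink(p) else ""
                entry = os.path.join(d, name) + (" -> " + target if target else "")
                found["startup"].append(entry)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch(name, NAME_GLOB):
                found["by_name"].append(os.path.relpath(os.path.join(dirpath, name), root))
    found["by_name"].sort()
    return found


def build_sample_root() -> str:
    """Constructed fixture: a throwaway tree laid out like an infected host."""
    root = tempfile.mkdtemp(prefix="iptables_demo_")
    for d in ["boot", "etc/rc3.d", "etc/init.d", "var/www"]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "boot/.IptabLes"), "wb") as f:   # fake ELF header
        f.write(b"\x7fELF" + b"\x00" * 16)
    with open(os.path.join(root, "boot/IptabLes"), "w") as f:     # startup script
        f.write("#!/bin/sh\n/boot/.IptabLes\n")
    # Constructed startup symlink back into /boot (name S55IptabLes is made up).
    os.symlink("/boot/IptabLes", os.path.join(root, "etc/rc3.d/S55IptabLes"))
    with open(os.path.join(root, "var/www/index.html"), "w") as f:  # benign file
        f.write("<html></html>\n")
    return root


if __name__ == "__main__":
    for kind, items in scan_root(build_sample_root()).items():
        print(kind, items)
```

Point scan_root() at "/" on a live host, or at the mount point of an image taken before cleanup; the startup list is the one to read first, because a link from /etc/rc*.d into /boot is the persistence mechanism Figure 11 shows.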
Figures 10 and 11 show files typically associated with an infection of .IptabLes on a system.

Figure 10: Presence of binaries in an infected system indicates infection
Figure 11: Contents of a startup script in the /boot directory indicates malware persistence

The IptabLes ELF binaries include a function that indicates a self-updating feature. The function named updatesrv will connect to a remote host and attempt to download a file. It sends the remote host a randomly generated string as the file name, and then the remote host will send the file via an established TCP connection. After being decompressed, the remote file replaces the original file. In the lab environment, the malware attempted to contact two IP addresses located in Asia. The communication attempts to establish a TCP connection over port 1001 to the IPs.

NETWORK CODE ANALYSIS

The .IptabLes binaries were initially known to have infected victims in Asia. However, more recently many infections have been observed on servers hosted in the U.S. and in other regions.[12][13] The following is a brief analysis of the command protocol of the IptabLex threat.

[12] "Logging Server Compromised (IptabLes and IptabLex)." Information Security. Stack Exchange, 27 May 2014.
[13] "My Droplet Has Been Compromised and Is Sending an Outgoing Flood or DDoS. What Do I Do?" DigitalOcean. N.p., 25 May 2014.

.IptabLes command protocol

Initial research statically reverse engineered the command structure that may have been used to communicate with the malware. The malware uses a simple command structure with one byte to identify the action and with subsequent data parsed by the associated functions. The authors of the bot used the zlib compression algorithm in an attempt to obfuscate the DDoS commands. The IptabLes bot waits for commands from a malicious actor's C2 server. The logic of this communication begins in a thread function named MAINPTH where the function recves is called.
If a buffer size of less than 261 bytes is received, it passes the packet buffer to the MyReades function. Figure 12 shows code that receives and parses commands from command and control.

Figure 12: Code that receives and parses commands from command and control

The MyRead() function contains the core functionality that parses the received packet data. Most commands can be identified by a one-byte check, and control passes to subsequent functions that operate on the data from the commands. The malicious actors appear to have attempted to hide the DDoS commands by applying a compression algorithm to them (zlib compression wrapper). Below is a pseudocode version of the operation applied when an incoming DDoS command is received by the malware. Take note of the check for a magic value of 0xABCDEF88 in order to continue processing the received packet data.

    short len = *(short*)(buff + 4)
    if *(int*)buff == 0xABCDEF88
        if len == buffer_len - 6    (minus the header check and the packet length variable)
            Call MyRevise(void* buffer, size_t buf_len)

Figure 13: Pseudocode of the operation applied to an incoming DDoS command by the malware

The MyRevise() function is then called and the compressed payload is passed as the buffer argument. This function decompresses and processes the data in the buffer. The decompressed size of the buffer must be exactly 112 bytes. Once that condition is satisfied, the data is passed to a function called AddTask().

    …: changes source IP
    setrandomip: 0xCC + "IP String" -> generates a random IP
    updatepath/updatesrv: 0x33 + "new path" -> download and update malware executable
    Delete a Task: 0x10 + "Task number" -> removes a task (DDoS command tasks)
    Delete All Tasks: 0x20 -> delete all currently pending tasks

Figure 15: Example DDoS commands called by the AddTask() function

These DDoS commands are called by the AddTask() function, as shown in Figure 16. Both of the threads parse the data passed to them and generate unique SYN and DNS payloads.
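The Figure 13 checks and the Figure 15 action codes as a runnable Python decoder, added here as an example (not code from the advisory or from the bot) for replaying captured C2 frames against the parsing rules above when writing network signatures. It assumes an x86 little-endian host, so the 0xABCDEF88 magic is compared as a native 32-bit value (88 EF CD AB on the wire) and the length at offset 4 as a native 16-bit value; it also assumes the Figure 15 action byte is the first byte of the decompressed 112-byte record, whose further layout the advisory does not describe. SAMPLE_TASK and encode_frame() are constructed for testing.

```python
import struct
import zlib
from typing import Optional

MAGIC = 0xABCDEF88      # header value checked in Figure 13
TASK_SIZE = 112         # decompressed size MyRevise() insists on
MAX_RECV = 261          # recves() only hands buffers shorter than this to MyReades

# One-byte action codes listed in Figure 15 (labels are the figure's own).
ACTIONS = {
    0xCC: "setrandomip",
    0x33: "updatepath/updatesrv",
    0x10: "delete task",
    0x20: "delete all tasks",
}


def parse_ddos_frame(frame: bytes) -> Optional[bytes]:
    """Apply the Figure 13 / MyRevise() checks to one received buffer.

    Returns the 112-byte decompressed task record when every check passes,
    otherwise None (the bot silently ignores such frames). Little-endian
    layout is an assumption based on the x86 targets described.
    """
    if len(frame) < 6 or len(frame) >= MAX_RECV:
        return None
    magic, length = struct.unpack_from("<IH", frame, 0)   # 4-byte magic, 2-byte length
    if magic != MAGIC:
        return None
    if length != len(frame) - 6:                           # minus header and length field
        return None
    try:
        task = zlib.decompress(frame[6:])                  # the zlib "obfuscation" wrapper
    except zlib.error:
        return None
    return task if len(task) == TASK_SIZE else None


def classify_action(record: bytes) -> str:
    """Name a decompressed record by its leading action byte (Figure 15).

    Assumption: the action byte is the first byte of the 112-byte record.
    """
    if not record:
        return "empty"
    return ACTIONS.get(record[0], "unknown action 0x%02x" % record[0])


def encode_frame(task: bytes) -> bytes:
    """Build a frame in the same layout, for lab test vectors and signature tests."""
    body = zlib.compress(task)
    return struct.pack("<IH", MAGIC, len(body)) + body


# Constructed sample record: setrandomip action byte, an IP string, zero padding.
SAMPLE_TASK = bytes([0xCC]) + b"198.51.100.10".ljust(TASK_SIZE - 1, b"\x00")


if __name__ == "__main__":
    frame = encode_frame(SAMPLE_TASK)
    record = parse_ddos_frame(frame)
    print(len(frame), "byte frame ->", classify_action(record) if record else "rejected")
```

The three rejection paths (bad magic, length field disagreeing with the frame, decompressed size other than 112) are exactly the conditions an IDS signature for this protocol can key on: a valid frame always starts with 88 EF CD AB, its length field equals the frame length minus six, and the zlib body inflates to 112 bytes.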
Figure 16: DNS and SYN flood thread functions called by the AddTask() function

The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality. Two functions found inside the binary indicate SYN and DNS flood attack payloads. These DDoS attack payloads are initiated once an attacker sends the command to an infected victim machine. Payload functions are shown in Figure 17.

Figure 17: Payload functions within the binary

OBSERVED CAMPAIGN

Below are attack signatures observed during a DDoS attack mitigated for one of our customers. The main attack vector was the DNS flood. More recent campaigns have relied primarily on SYN floods.

SYN Flood
    10:41:03.933780 IP x.x.x.x.10535 > x.x.x.x.80: Flags [S], seq 536:1560, win 6000, length 1024

DNS Flood
    15:37:30.794536 IP x.x.x.x.2679 > x.x.x.x.53: 17664+ A? xx.xx.xx. (33)

Figure 18: Attack signatures for a SYN flood and DNS flood used by malicious actors in this attack campaign

    Location         Peak bits per second (bps)   Peak packets per second (pps)
    San Jose         26.40 Gbps                   13.00 Mpps
    London           30.20 Gbps                    9.30 Mpps
    Hong Kong        17.00 Gbps                   18.00 Mpps
    Washington DC    30.10 Gbps                    6.73 Mpps
    Frankfurt        13.30 Gbps                   12.00 Mpps

Figure 19: Attack scale and distribution

MITIGATION

Mitigating this DDoS threat involves patching and hardening the server, antivirus detection and rate limiting. In addition, PLXsert has created a YARA rule and a bash command to detect and eliminate this threat in Linux servers.

Patches and hardening of the server

To mitigate against possible infection from this binary it is necessary to first harden the exposed web platform and services by applying patches and updates from the respective software vendors and developers:

• Apache Struts 2 Documentation: Security Bulletins [14]
• Apache Tomcat vulnerabilities and fixes [15]
• Elasticsearch mitigation procedures [16]

In addition, there are also fundamental Linux server hardening procedures provided by SANS Institute (pdf).[17]
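The Figure 18 signatures as detection logic, added here as an example and not part of the advisory: the SYN line stands out because a SYN segment normally carries no payload (this one carries 1024 bytes), and the DNS line shows repeated A? queries from a single source. The script parses tcpdump-style lines of that shape and reports SYN-with-payload segments and per-source, per-second DNS query bursts, the kind of check that tells an operator when the rate limiting described under Mitigation is warranted. The sample capture uses documentation-range addresses and is constructed; the three-queries-per-second threshold is an arbitrary demonstration value.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# tcpdump "HH:MM:SS.usec IP src.port > dst.port: ..." line, as in Figure 18.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_endpoint(ep: str):
    """'203.0.113.5.10535' -> ('203.0.113.5', 10535); tcpdump joins the port with a dot."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Dict]:
    """Extract the fields the two signatures need; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    length = re.search(r"length (\d+)", rest)
    return {
        "second": m.group("ts"),            # one-second bucket for rate counting
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "syn": rest.startswith("Flags [S]"),   # pure SYN, not SYN-ACK ("[S.]")
        "length": int(length.group(1)) if length else 0,
        "dns_query": dport == 53 and " A? " in rest,
    }


def detect(lines: List[str], dns_qps_threshold: int = 3) -> List[str]:
    """Return findings for the Figure 18 signatures:
    - a SYN segment carrying a payload (a legitimate SYN has length 0), and
    - a source issuing more than `dns_qps_threshold` A? queries in one second.
    """
    findings = []
    dns_per_sec = defaultdict(Counter)      # second -> Counter(src)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["syn"] and pkt["length"] > 0:
            findings.append("syn-with-payload src=%s dst=%s:%d len=%d"
                            % (pkt["src"], pkt["dst"], pkt["dport"], pkt["length"]))
        if pkt["dns_query"]:
            dns_per_sec[pkt["second"]][pkt["src"]] += 1
    for second, counter in sorted(dns_per_sec.items()):
        for src, n in sorted(counter.items()):
            if n > dns_qps_threshold:
                findings.append("dns-query-flood src=%s second=%s queries=%d"
                                % (src, second, n))
    return findings


# Constructed sample capture modelled on Figure 18 (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "10:41:03.933780 IP 203.0.113.5.10535 > 198.51.100.10.80: Flags [S], seq 536:1560, win 6000, length 1024",
    "10:41:03.940112 IP 203.0.113.9.44021 > 198.51.100.10.80: Flags [S], seq 0, win 29200, length 0",
    "15:37:30.794536 IP 203.0.113.5.2679 > 198.51.100.53.53: 17664+ A? xx.xx.xx. (33)",
    "15:37:30.794601 IP 203.0.113.5.2680 > 198.51.100.53.53: 17665+ A? xx.xx.xx. (33)",
    "15:37:30.794655 IP 203.0.113.5.2681 > 198.51.100.53.53: 17666+ A? xx.xx.xx. (33)",
    "15:37:30.794702 IP 203.0.113.5.2682 > 198.51.100.53.53: 17667+ A? xx.xx.xx. (33)",
    "15:37:30.801000 IP 203.0.113.9.5353 > 198.51.100.53.53: 1+ A? example.com. (29)",
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Feed it `tcpdump -nn -l` output (the `-nn` flags keep addresses and ports numeric, which the regex expects); the second sample line shows an ordinary SYN with length 0 passing untouched, and the single query from 203.0.113.9 stays below the burst threshold.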
The binary (ELF) will only run on Linux based systems; however, attackers may be using other web exploits. The binary and the exploits used to break in are not co-dependent.

[14] "Security Bulletins." Security Bulletins. Apache Struts.
[15] "Security 7." Apache Tomcat. The Apache Software Foundation.
[16] Van Der Bijl, Bouke. "Insecure Default in Elasticsearch Enables Remote Code Execution." Bouk.co. May 2014.
[17] Lori Homsher and Tim Evans, Linux Security Checklist, Security Consensus Operational Readiness Evaluation. SANS Institute.

Antivirus detection

Several antivirus companies including McAfee have detections for this DDoS payload (McAfee identifies it as a generic Linux/DDosFlooder); however, the detection rate among antivirus companies is relatively low overall for this threat. At the time of this advisory, VirusTotal reported only 23 out of 34 antivirus engines detecting this threat, which is an improvement from May 2014 when the detection rate was 2 out of 34 for this binary.

Rate limiting

Attackers will typically target a domain with these attacks, so a target web server will receive the SYN flood on port 80 or another port deemed critical for the server's operation. The DNS flood will typically flood a domain's DNS server with requests. Assuming the target infrastructure can support the high bandwidth observed in these attacks, rate limiting may be an option. Akamai's Generic Route Encapsulation (GRE) solution allows routing of an entire subnet (/24 minimum) for mitigation. The attack will be absorbed by Akamai's solutions, allowing legitimate users to continue to use the site and its services.

YARA rule

YARA is an open source tool designed to identify and classify malware threats. It is typically used as a host-based detection mechanism and provides a strong PCRE engine to match identifying features of threats at a binary level or more. PLXsert utilizes YARA rules to classify threats that persist across many campaigns and over time.
Figure 20 contains a YARA rule provided by PLXsert to identify the ELF IptabLes payload identified in this advisory.

    rule IptablesELF
    {
        meta:
            author = "PLXSert"
            description = "Rule to detect ELF IpTable DDoS executable"
        strings:
            $elf = {7f 45 4c 46}
            $st0 = "SynFloodSendThread"
            $st1 = "DnsFloodSendThread"
            $st2 = "SynFloodBuildThread"
            $st3 = "DnsFloodBuildThread"
            $st4 = "MAINPTH"
            $code1 = "list.c"
            $code2 = "main.c"
            $code3 = "mypth.c"
            $code4 = "Service.c"
            $code5 = "srvnet.c"
            $code6 = "ckbuf"
            $code7 = "udptest.c"
        condition:
            ($elf at 0 and all of ($st*) and 5 of ($code*))
    }

Figure 20: YARA rule for bot identification and classification of IPTabLes/IPTabLex DDoS bots

Bash commands

Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.

    sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
    ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9

Figure 21: Bash commands to clean a system infected with the ELF IptabLes binary

CONCLUSION

To prevent further infestation and spread of this botnet it is necessary to identify and apply corrective measures, such as those shown in this threat advisory. Command and control centers are currently located in Asia and the botnet has been used mainly to attack gaming and gambling verticals. Malicious actors behind this botnet have produced significant DDoS attack campaigns, forcing target companies to seek expert DDoS protection. This bot seems to be in an early development stage and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns. PLXsert anticipates further infestation and the expansion of this botnet. Future DDoS attack campaigns may target other industry verticals and involve other regions.
Further development will likely be driven by opportunities for monetization or takeover of the botnet by different groups in the DDoS-for-hire market. The rise in infection by the .IptabLes bot creates a risk for servers that run potentially vulnerable services such as Apache Struts and Tomcat. Misconfigured Elasticsearch instances have also been targeted in the attacks, resulting in the widespread abuse of this new threat. Akamai (Prolexic), however, offers mitigation solutions for these types of volumetric and amplification attacks that are exhibited in .IptabLes bots. PLXsert will continue observing this botnet and will produce further advisories if warranted.

CONTRIBUTORS: PLXsert

ABOUT THE PROLEXIC SECURITY ENGINEERING AND RESEARCH TEAM (PLXsert)

PLXsert monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

ABOUT AKAMAI

Akamai® is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company's solutions is the Akamai Intelligent Platform™, providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.