Web servers based on both Linux and Windows are rapidly being targeted by attackers and turned into server-side botnets capable of high-bandwidth denial-of-service attacks, two security firms stated in recently published analyses.
On one hand, attackers are targeting unpatched or poorly-maintained Linux systems, exploiting known vulnerabilities and installing bot software to conscript the computers into a server-side botnet, according to an advisory released on Sept. 4 by Prolexic, a subsidiary of content-delivery provider Akamai. Yet, Windows servers are not immune.
A recent attack against a client of Website security firm Sucuri used 2,000 servers to send a flood of packets to the victim's network. Web servers running on Windows 7 and 8 accounted for almost two-thirds of those systems, the company stated in an advisory. In the past, Sucuri had usually seen traffic from botnets created by consumer desktop and laptop systems, CEO and co-founder Tony Perez told eWEEK. "This was different because of the anatomy of the network," he said. "Normally, we see attacks coming from notebooks and desktops and PCs, but now Web servers are doing the denial-of-service." By using Web servers, "the attackers have more horse power available to them, allowing them to have more devastating effect on unsuspecting web sites," Perez said.
Server-side botnets used for denial-of-service attacks first came to light in 2012, when the Izz ad-Din al-Qassam Cyber Fighters targeted financial institutions with massive bandwidth and application-layer attacks in alleged retaliation for the posting of videos to YouTube that were offensive to some Muslims.
Rather than using botnets consisting of tens of thousands of consumer desktop systems, the attackers used hundreds to thousands of Web servers instead. While some attackers use vulnerabilities to compromise servers, others have significant success just by trying common passwords. The 2,000 servers that attacked Sucuri's client sent some 5,000 HTTP requests per second, enough to not just overwhelm the victim's Web server but the victim's hosting provider as well.
The hosting provider, which Perez declined to name, cut off the company for violating its terms of service, according to Perez. The campaign to create Linux-based DDoS botnets is more extensive, according to Prolexic.
The attackers behind the denial-of-service botnet use vulnerabilities in popular Linux software, such as Apache Tomcat, Struts and Elasticsearch, the company said. Once a server is compromised, the attackers upload malware, which creates a copy of itself named .IptabLes or .IptabLex. IPTables is a common firewall and routing package included in most versions of the Linux operating system. "The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality," Prolexic stated in its alert. "Two functions found inside the binary indicate SYN and DNS flood attack payloads.
These DDoS attack payloads are initiated once an attacker sends the command to an infected victim machine." The botnet created by the campaign has been used to target financial institutions, and in one case, created a DDoS that peaked at 119 Gbps. "This bot seems to be in an early development stage and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns." The attacks appear to come from Internet addresses in Asia, and two hard-coded addresses contained in the malware binary are in China, according to Prolexic.
View the original article here
A botnet that infects and exploits poorly-maintained Linux servers has been used to launch a spate of large DDoS attacks targeting DNS and other infrastructure, Akamai’s Prolexic division has warned.
Dubbed the ‘IptabLes and IptabLex botnet’ the attack target versions of Apache Struts and Tomcat, as well as some running Elasticsearch that have not been patched against a clutch of vulnerabilities.
Once compromised, the attack elevates privileges to allow remote control of the server from which the malicious code is dropped and run, after which it awaits direction by the bot’s command and control. The binary connected to two hardcoded addresses running on China Telecom, while anyone whose server has been infected will probably notice poor performance.
The bot had been used to launch a number of DDoS attacks during 2014, including a significant one that reached a peak of 119Gbps, on entertainment websites.
Corralling Linux servers for DDoS is a relatively new tactic and this particular campaign appeared to be in its early stages and prone to instability, Akamai said, urging admins to patch and harden vulnerable Linux servers as soon as possible.
"We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems," said Akamai senior vice president and general manager, Security Business, Stuart Scholly.
"This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Linux admins need to know about this threat to take action to protect their servers."
In Akamai-Prolexic’s view, the gang behind this malware was likely to expand their targeting of vulnerable Linux servers, as well as broadening the list of targets.
Detection and remediation? Antivirus doesn’t appear to be a reliable option – only two out of 52 engines picked it up as of May 2014 when the firm started monitoring the threat and by September that had only risen to 23 out of 54. Victims will, of course, notice IptabLes or. IptabLex running.
Prolexic has published a method involving a pair of bash commands and a reboot, so getting rid of this isn’t hard. As for mitigation, the firm recommend rate limiting and has added a rule to the YARA open source tool for good measure.
The most important message is still the need to patch. Don’t leave Linux to rot.
View the original article here
