KUALA LUMPUR (Sept. 4, 2014) – Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released, through the company’s Prolexic Security Engineering & Research Team (PLXsert), a new cybersecurity threat advisory. The advisory alerts enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch distributed denial of service (DDoS) attacks against the entertainment industry and other verticals. The advisory is available for download from Prolexic (now part of Akamai) atwww.prolexic.com/iptablex.
“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Malicious actors have taken advantage of known vulnerabilities in unpatched Linux software to launch DDoS attacks. Linux admins need to know about this threat to take action to protect their servers.”
DDoS botnet threat to Linux systems
The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.
A post-infection indication is a payload named .IptabLes or. IptabLex located in the /boot directory. These script files run the .IptabLes binary on reboot. The malware also contains a self-updating feature that causes the infected system to contact a remote host to download a file. In the lab environment, an infected system attempted to contact two IP addresses located in Asia.
Asia apparently a significant source of DDoS attacks
Command and control centers (C2, CC) for IptabLes and IptabLex are currently located in Asia. Infected systems were initially known to be in Asia; however, more recently many infections were observed on servers hosted in the U.S. and in other regions. In the past, most DDoS bot infections originated from Russia, but now Asia appears to be a significant source of DDoS development.
Prevention, detection and DDoS mitigation
Detecting and preventing an IptabLes or IptabLex infestation on Linux systems involves patching and hardening Linux servers and antivirus detection. In the threat advisory, PLXsert provides bash commands to clean an infected system.
DDoS mitigation for the target of a DDoS attacker who controls these infected bots may include rate-limiting DDoS mitigation techniques. In addition, PLXsert shares a YARA rule in the threat advisory to identify the ELF IptabLes payload used in an observed attack campaign.
The IptabLes and IptabLex botnet has produced significant DDoS attack campaigns for which target companies have sought expert DDoS protection. Akamai offers DDoS mitigation solutions to stop DDoS attacks launched from IptabLes and IptabLex bots.
PLXsert anticipates further infestation and the expansion of this DDoS botnet.
Get the IptabLes and IptabLex DDoS Bot Threat Advisory to learn more
In the advisory, PLXsert shares its analysis and details about IptabLesandIptabLex infections, including:
- Indicators of infection
- Analysis of the binary (ELF) associated with IptabLes and IptabLex infections
- Payload initialization, entrenchment and persistence
- Network code analysis
- Case study of a DDoS attack campaign
- How to hardening Linux servers against this threat
- Antivirus detection rates
- Bash commands to clean an infected system
- YARA rule to identify an ELF IptabLes payload
- DDoS mitigation techniques
A complimentary copy of the threat advisory is available for download at www.prolexic.com/iptablex.
KUALA LUMPUR, August 15, 2014 –Akamai® Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today announced the company has been recognized by Frost & Sullivan with its Customer Value Leadership Award for Distributed Denial of Service (DDoS) Mitigation.
According to Frost & Sullivan, “Akamai offers a valuable solution for DDoS mitigation in the form of its Kona Site Defender service. Frost & Sullivan’s independent analysis of the DDoS Mitigation market clearly shows that the Kona solution reduces restrictive requirements that customers face, such as large capital expenses, lack of security expertise, and lack of resources.
Whether as part of a DDoS mitigation strategy or a broader Web security strategy, Akamai services provide a high level of value to its customers.”
“Online businesses face a variety of security threats every day, with DDoS regularly at the top of that list,” explained Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “Being recognized for the value we provide our customers as part of their DDoS mitigation strategies is important validation of our continuing dedication to making the Internet as secure as possible for business.”
The Frost & Sullivan assessment of Akamai DDoS mitigation solutions further states that, “the Kona Site Defender service offers a number of deployment choices and flexibility that meet customer needs. Akamai’s cloud-based DDoS mitigation service is in line with normal traffic and can be deployed quickly as it does not require hardware and software deployments. Furthermore, in 2014, Akamai acquired a pure-play provider of DDoS mitigation services named Prolexic. The addition of Prolexic services to the Akamai Web security portfolio provides customers with additional usage options.”
Each year, Frost & Sullivan presents this award to the company that demonstrates excellence in implementing strategies that proactively create value for its customers with a focus on improving the return on investment (ROI) that customers make in its services or products. This award recognizes the company’s leadership in enhancing the value that its customers receive, beyond simply good customer service, leading to improved customer retention and, ultimately, customer base expansion.
Frost & Sullivan’s Best Practices Awards recognize companies in a variety of regional and global markets for outstanding achievement in areas such as leadership, technological innovation, customer service, and product development. Industry analysts compare market participants and measure performance through in-depth interviews, analysis, and extensive secondary research.
The full Frost & Sullivan assessment of Akamai’s DDoS mitigation solutions can be found here.