XOR DDoS Malware | Cloud Security Threat Advisory | Slideshow - PowerPoint PPT Presentation

About This Presentation
Title:

XOR DDoS Malware | Cloud Security Threat Advisory | Slideshow

Description:

Recently the Akamai Security Intelligence Response Team (SIRT) released its analysis of the XOR DDoS threat, Trojan malware used to infect and hijack Linux-based systems. Attacks from the XOR DDoS botnet have ranged from low, single-digit Gbps attacks to 150+ Gbps. Watch this brief show for the fast facts, and then get detection and mitigation recommendations from the full XOR DDoS Threat Advisory at www.stateoftheinternet.com/xorddos. – PowerPoint PPT presentation

Number of Views:40
Slides: 13
Provided by: AkamaiAkamai
Category: Other

less

Transcript and Presenter's Notes

Title: XOR DDoS Malware | Cloud Security Threat Advisory | Slideshow


1
XOR DDoS Threat Advisory
2
What is the XOR DDoS threat
  • The XOR DDoS botnet has produced DDoS attacks
    from a few Gbps to 150 Gbps
  • The gaming sector has been the primary target,
    followed by educational institutions
  • The botnet has attacked up to 20 targets per day,
    90 of which were in Asia
  • XOR DDoS is an example of attackers building
    botnets of Linux systems instead of Windows-based
    machines
  • The malware spreads via Secure Shell (SSH)
    services susceptible to brute-force attacks due
    to weak passwords

2 / The State of the Internet / Security Threat
Advisory
3
Binary infection indicators
  • Execution requires root privileges
  • The malware creates two copies of itself
  • One copy in the /boot directory with a filename
    composed of 10 random alpha characters
  • One copy in /lib/udev with the filename udev.

root_at_ubuntu/boot ls -la egrep -i
a-z10 -rwxr-x--- 1 root root 619760 Aug 12
0756 snvnszjeez root_at_ubuntu/boot ls -la
/lib/udev/udev -r-------- 1 root root 619760 Aug
12 0756 /lib/udev/udev
3 / The State of the Internet / Security Threat
Advisory
4
Binary infection indicators
  • Listing the open files with lsof shows the
    process that use the malware

root_at_ubuntu/boot lsof grep snvnszjee
snvnszjee 5671 root cwd DIR 8,1 4096 918696
/home/user/Desktop snvnszjee 5671 root rtd DIR
8,1 4096 2 / snvnszjee 5671 root txt REG 8,1
619760 802459 /boot/snvnszjeez snvnszjee 5671
root 0u CHR 1,3 0t0 5626 /dev/null snvnszjee
5671 root 1u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 2u CHR 1,3 0t0 5626
/dev/null snvnszjee 5671 root 3u sock 0,7 0t0
446764 cant identify protocol
4 / The State of the Internet / Security Threat
Advisory
5
Toolkit analysis
  • Communications between the C2 and bot occur over
    TCP port 3502
  • The bot registers itself with the C2 using this
    payload

171216.984371 IP x.x.x.x.49316 gt y.y.y.y.3502
Flags P., seq 29301, ack 1, win 29200, length
272 0x0000 4500 0138 4a85 4000 4006 8cbf c0a8
ac9e E..8J._at_._at_....... 0x0010 xxxx xxxx c0a4
0dae 148c 0d91 8b7e 29a8 .............).
0x0020 5018 7210 bca1 0000 ab41 3246 4133 3641
P.r......A2FA36A 0x0030 bebe c6ca 071f 7703
6c72 1f75 731e 5124 ......w.lr.us.Q 0x0040
2f24 4b5c 5731 4630 4242 3246 4133 3641
/K\W1F0BB2FA36A 0x0050 4141 3935 3431 4630
4242 3246 4133 3641 AA9541F0BB2FA36A 0x0060
4141 3935 3431 4630 4242 3246 4133 3641
AA9541F0BB2FA36A 0x0070 4141 3935 3458 7008
7442 3246 4133 3641 AA954Xp.tB2FA36A 0x0080
4141 3935 3431 4630 4242 3246 4133 3641
AA9541F0BB2FA36A 0x0090 4141 3935 3431 4630
4242 3246 4133 3641 AA9541F0BB2FA36A 0x00a0
4141 3935 3431 4630 4242 3246 4133 3641
AA9541F0BB2FA36A 0x00b0 4141 3935 3431 771a
7070 0b72 4133 3641 AA9541w.pp.rA36A 0x00c0
4141 3935 3431 4630 4242 3246 4133 3641
AA9541F0BB2FA36A 0x00d0 4141 3935 3431 4630
4242 3246 4133 3641 AA9541F0BB2FA36A 0x00e0
4141 3935 3431 4630 4242 3246 4133 3641
AA9541F0BB2FA36A 0x00f0 4141 3935 3431 4659
2028 5a3c 235f 4c30 AA9541FY.(Zlt_L0 0x0100
2428 4c5b 4452 2453 272a 5e34 2f46 4e26
(LDRS4/FN 0x0110 282b 5846 4055 2530
1116 7312 0870 3641 (XF_at_U0..s..p6A 0x0120
4141 3935 3431 4630 736c 0368 7433 3641
AA9541F0sl.ht36A 0x0130 4141 3935 3431 4630
AA9541F0
5 / The State of the Internet / Security Threat
Advisory
6
Toolkit analysis
  • The decrypted payload consists of the following
  • Target IP address (4 bytes)
  • Target port (2 bytes)
  • Payload data
  • DDoS flood SYN (05) or DNS (04)
  • If the command is for a DNS flood, the DNS query
    will be placed after the target port
  • Size of the payload for the attack

6 / The State of the Internet / Security Threat
Advisory
7
DDoS attack payloads
  • Sample payload of the SYN flood attack traffic
    captured in a controlled lab environment

174933.969933 IP 172.16.108.137.49020 gt
X.X.X.X.80 Flags S, seq 32126313783212632377,
win 65535, options mss 1460,nop,nop,sackOK,
length 999 0x0000 4500 0417 bf7c 0000 8006 da46
ac10 6c89 E.........F..l. 0x0010 XXXX XXXX
bf7c 1f90 bf7c dd52 0000 0000 .........R....
0x0020 7002 ffff 663e 0000 0204 05b4 0101 0402
p...fgt.......... ... 0x00 filled ... 0x0400
0000 0000 0000 0000 0000 0000 0000 0000
................ 0x0410 0000 0000 0000 00
.......
7 / The State of the Internet / Security Threat
Advisory
8
DDoS attack payloads
  • Sample payload of DNS flood attack

121448.274303 IP 172.16.108.137.18981 gt
X.X.X.X.53 UDP, length 40 0x0000 4500 0044
4a25 0000 8011 5366 ac10 6c89 E..DJ....Sf..l.
0x0010 XXXX XXXX 4a25 0035 0030 cedc 4a25 0120
....J.5.0..J.. 0x0020 0001 0000 0000 0001
0765 7861 6d70 6c65 .........example 0x0030
0363 6f6d 0000 0100 0100 0029 1000 0000
.com.......).... 0x0040 0000 0000
8 / The State of the Internet / Security Threat
Advisory
9
Toolkit analysis
  • Once a flood command is received from the C2, the
    malware builds a AYN or DNS flood

9 / The State of the Internet / Security Threat
Advisory
10
Recommended DDoS detection methods
  • Function names build_iphdr and build_tcphdr are
    associated with building the appropriate TCP/IP
    headers.
  • Predefined data structures used include
    SIZE_TCP_H, SIZE_IP_H with options

10 / The State of the Internet / Security
Threat Advisory
11
Q3 2015 State of the Internet Security Report
  • Download the XOR DDoS Security Threat Advisory
    for full detection and removal recommendations
  • The report covers
  • Detailed explanation of threat
  • Indicators of infection
  • Payload decryption
  • Execution paths
  • Static characteristics
  • Snort and YARA rules
  • Foursteps for malware removal

11 / The State of the Internet / Security
Threat Advisory
12
About stateoftheinternet.com
  • StateoftheInternet.com, brought to you by Akamai,
    serves as the home for content and information
    intended to provide an informed view into online
    connectivity and cybersecurity trends as well as
    related metrics, including Internet connection
    speeds, broadband adoption, mobile usage,
    outages, and cyber-attacks and threats.
  • Visitors to www.stateoftheinternet.com can find
    current and archived versions of Akamais
    Security Threat Advisories as well as data
    visualizations and other resources designed to
    put context around the ever-changing security
    threats that infect the Internet landscape.

12 / The State of the Internet / Security
Threat Advisory
Write a Comment
User Comments (0)
About PowerShow.com