Title: XOR DDoS Malware | Cloud Security Threat Advisory | Slideshow
XOR DDoS Threat Advisory

What is the XOR DDoS threat?
- The XOR DDoS botnet has produced DDoS attacks ranging from a few Gbps to 150 Gbps
- The gaming sector has been the primary target, followed by educational institutions
- The botnet has attacked up to 20 targets per day, 90% of which were in Asia
- XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
- The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords
2 / The State of the Internet / Security Threat Advisory
Binary infection indicators
- Execution requires root privileges
- The malware creates two copies of itself:
  - One copy in the /boot directory with a filename composed of 10 random alpha characters
  - One copy in /lib/udev with the filename udev

  root@ubuntu:/boot# ls -la | egrep -i "[a-z]{10}"
  -rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
  root@ubuntu:/boot# ls -la /lib/udev/udev
  -r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev
Binary infection indicators
- Listing open files with lsof shows the process running the malware

  root@ubuntu:/boot# lsof | grep snvnszjee
  snvnszjee 5671 root  cwd  DIR   8,1    4096  918696 /home/user/Desktop
  snvnszjee 5671 root  rtd  DIR   8,1    4096       2 /
  snvnszjee 5671 root  txt  REG   8,1  619760  802459 /boot/snvnszjeez
  snvnszjee 5671 root   0u  CHR   1,3     0t0    5626 /dev/null
  snvnszjee 5671 root   1u  CHR   1,3     0t0    5626 /dev/null
  snvnszjee 5671 root   2u  CHR   1,3     0t0    5626 /dev/null
  snvnszjee 5671 root   3u  sock  0,7     0t0  446764 can't identify protocol
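The two slides above give three host-side indicators: an executable in /boot named with exactly 10 alphabetic characters, a copy at /lib/udev/udev, and a running process whose executable is one of those files (the lsof listing shows this as the txt entry). The sweep below is an added example written for this page, not Akamai's tooling; it takes the filesystem root and the /proc mount as parameters so it can be pointed at a mounted disk image or a constructed test tree rather than only the live host.

```python
"""Sweep a host (or a mounted image) for the XOR DDoS file and process indicators.

Added example, not Akamai's code. `root` and `proc_root` default to the live
system but can be any directory tree laid out the same way.
"""
import os
import re
import stat

RANDOM_NAME = re.compile(r"^[A-Za-z]{10}$")      # 10 random alpha characters
UDEV_COPY = os.path.join("lib", "udev", "udev")  # second copy named "udev"


def scan_boot(root="/"):
    """Return /boot entries whose name matches the pattern and that are executable."""
    boot = os.path.join(root, "boot")
    hits = []
    if not os.path.isdir(boot):
        return hits
    for entry in os.scandir(boot):
        if entry.is_file(follow_symlinks=False) and RANDOM_NAME.match(entry.name):
            mode = entry.stat(follow_symlinks=False).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                hits.append(entry.path)
    return hits


def udev_copy(root="/"):
    """Return the /lib/udev/udev path if a regular file sits there, else None."""
    path = os.path.join(root, UDEV_COPY)
    return path if os.path.isfile(path) else None


def processes_running(paths, proc_root="/proc"):
    """Map each PID whose /proc/<pid>/exe resolves to one of `paths` to that path.

    This is the /proc equivalent of the lsof listing on the slide, where the
    process's txt entry pointed at /boot/snvnszjeez.
    """
    wanted = {os.path.realpath(p) for p in paths}
    found = {}
    if not os.path.isdir(proc_root):
        return found
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.path.realpath(os.readlink(os.path.join(proc_root, pid, "exe")))
        except OSError:
            continue  # kernel threads, exited processes, or no permission
        if exe in wanted:
            found[int(pid)] = exe
    return found


def sweep(root="/", proc_root="/proc"):
    """Collect the file indicators and any process currently running one of them."""
    files = scan_boot(root)
    udev = udev_copy(root)
    if udev:
        files.append(udev)
    return {"files": files, "processes": processes_running(files, proc_root)}


if __name__ == "__main__":
    report = sweep()
    for path in report["files"]:
        print("suspicious file:", path)
    for pid, exe in report["processes"].items():
        print(f"running as pid {pid}: {exe}")
```

Run as root to read every /proc/<pid>/exe link; unreadable entries are skipped rather than treated as matches. A hit on the name pattern alone is triage input, not proof: compare the file's size and hashes against the advisory's indicators before acting.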
Toolkit analysis
- Communications between the C2 and bot occur over TCP port 3502
- The bot registers itself with the C2 using this payload:

  17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
  0x0000:  4500 0138 4a85 4000 4006 8cbf c0a8 ac9e  E..8J.@.@.......
  0x0010:  xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8  .............~).
  0x0020:  5018 7210 bca1 0000 ab41 3246 4133 3641  P.r......A2FA36A
  0x0030:  bebe c6ca 071f 7703 6c72 1f75 731e 5124  ......w.lr.us.Q$
  0x0040:  2f24 4b5c 5731 4630 4242 3246 4133 3641  /$K\W1F0BB2FA36A
  0x0050:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x0060:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x0070:  4141 3935 3458 7008 7442 3246 4133 3641  AA954Xp.tB2FA36A
  0x0080:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x0090:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x00a0:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x00b0:  4141 3935 3431 771a 7070 0b72 4133 3641  AA9541w.pp.rA36A
  0x00c0:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x00d0:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x00e0:  4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
  0x00f0:  4141 3935 3431 4659 2028 5a3c 235f 4c30  AA9541FY.(Z<#_L0
  0x0100:  2428 4c5b 4452 2453 272a 5e34 2f46 4e26  $(L[DR$S'*^4/FN&
  0x0110:  282b 5846 4055 2530 1116 7312 0870 3641  (+XF@U%0..s..p6A
  0x0120:  4141 3935 3431 4630 736c 0368 7433 3641  AA9541F0sl.ht36A
  0x0130:  4141 3935 3431 4630                      AA9541F0
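The ASCII column of the capture above repeats the 16-byte run BB2FA36AAA9541F0 wherever the plaintext is padding, which is how a repeating XOR key over a mostly empty buffer looks. The script below, an added example and not Akamai's code, transcribes the hex column from the slide, strips the IP and TCP headers using their own length fields, and XOR-decodes the 272-byte payload under the assumption that this repeating run is the key. The masked destination address ("xxxx xxxx" at offset 0x10) is written as zeros; it lies outside the TCP payload and does not affect the result.

```python
"""XOR-decode the bot registration payload captured on the slide above.

Added example, not Akamai's code. FRAME_HEX is the hex column of the slide's
tcpdump -X output; the key is an assumption inferred from the repeating
pattern in the dump.
"""
import re
import struct

ASSUMED_KEY = b"BB2FA36AAA9541F0"   # repeating run seen in the ASCII column

FRAME_HEX = """
4500 0138 4a85 4000 4006 8cbf c0a8 ac9e
0000 0000 c0a4 0dae 148c 0d91 8b7e 29a8
5018 7210 bca1 0000 ab41 3246 4133 3641
bebe c6ca 071f 7703 6c72 1f75 731e 5124
2f24 4b5c 5731 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3458 7008 7442 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 771a 7070 0b72 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4630 4242 3246 4133 3641
4141 3935 3431 4659 2028 5a3c 235f 4c30
2428 4c5b 4452 2453 272a 5e34 2f46 4e26
282b 5846 4055 2530 1116 7312 0870 3641
4141 3935 3431 4630 736c 0368 7433 3641
4141 3935 3431 4630
"""


def frame_from_hex(hex_dump):
    """Turn the hex column of a tcpdump -X listing into raw bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def tcp_payload(frame):
    """Strip the IPv4 and TCP headers using their own length fields."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    data_off = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + data_off:total_len]


def xor_decode(data, key):
    """Repeating-key XOR with the key phase aligned to the payload start."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_runs(plain, min_len=3):
    """Runs of printable ASCII in the decoded buffer; the rest is NUL padding."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [r.decode("ascii") for r in re.findall(pattern, plain)]


def decode_registration(hex_dump=FRAME_HEX, key=ASSUMED_KEY):
    """Extract the TCP payload from the frame and XOR-decode it."""
    return xor_decode(tcp_payload(frame_from_hex(hex_dump)), key)


if __name__ == "__main__":
    plain = decode_registration()
    print(len(plain), "payload bytes")
    for s in printable_runs(plain):
        print(repr(s))
```

Running it recovers strings shaped like a Linux kernel release ("3.13.0-32-generic") and a machine type ("i686"), which is the kind of host fingerprint a bot reports when it registers; the alignment check is that those strings only appear when the key is applied starting at payload offset 0. To work from a live capture instead of the slide, feed the same function the TCP payload of any packet to port 3502.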
Toolkit analysis
- The decrypted payload consists of the following:
  - Target IP address (4 bytes)
  - Target port (2 bytes)
  - Payload data
  - DDoS flood type: SYN (05) or DNS (04)
  - If the command is for a DNS flood, the DNS query will be placed after the target port
  - Size of the payload for the attack
DDoS attack payloads
- Sample payload of the SYN flood attack traffic captured in a controlled lab environment:

  17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
  0x0000:  4500 0417 bf7c 0000 8006 da46 ac10 6c89  E....|....F..l.
  0x0010:  XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000  .....|...|.R....
  0x0020:  7002 ffff 663e 0000 0204 05b4 0101 0402  p...f>..........
  ... 0x00 filled ...
  0x0400:  0000 0000 0000 0000 0000 0000 0000 0000  ................
  0x0410:  0000 0000 0000 00                        .......
DDoS attack payloads
- Sample payload of the DNS flood attack:

  12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
  0x0000:  4500 0044 4a25 0000 8011 5366 ac10 6c89  E..DJ%....Sf..l.
  0x0010:  XXXX XXXX 4a25 0035 0030 cedc 4a25 0120  ....J%.5.0..J%..
  0x0020:  0001 0000 0000 0001 0765 7861 6d70 6c65  .........example
  0x0030:  0363 6f6d 0000 0100 0100 0029 1000 0000  .com.......)....
  0x0040:  0000 0000                                ....
Toolkit analysis
- Once a flood command is received from the C2, the malware builds a SYN or DNS flood
Recommended DDoS detection methods
- Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers
- Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options
Q3 2015 State of the Internet Security Report
- Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations
- The report covers:
  - Detailed explanation of the threat
  - Indicators of infection
  - Payload decryption
  - Execution paths
  - Static characteristics
  - Snort and YARA rules
  - Four steps for malware removal
About stateoftheinternet.com
- StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
- Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.