xor ddos malware cloud security threat advisory slideshow

Upload: akamaiakamai

Post on 24-Feb-2018


TRANSCRIPT

  • 7/25/2019 XOR DDoS Malware Cloud Security Threat Advisory Slideshow

    1/12

    akamai.com

    [XOR DDoS Threat Advisory]

  • 2/12

    What is the XOR DDoS threat

    - The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps
    - The gaming sector has been the primary target, followed by educational institutions
    - The botnet has attacked up to 20 targets per day, 90% of which were in Asia
    - XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
    - The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords

    2 / [The State of the Internet] / Security Threat Advisory

  • 3/12

    Binary infection indicators

    - Execution requires root privileges
    - The malware creates two copies of itself:
      - One copy in the /boot directory with a filename composed of 10 random alpha characters
      - One copy in /lib/udev with the filename udev

        root@ubuntu:/boot# ls -la | egrep -i [a-z]{10}$
        -rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez

        root@ubuntu:/boot# ls -la /lib/udev/udev
        -r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev

  • 4/12

    Binary infection indicators

    Listing the open files with lsof shows the process that uses the malware

        root@ubuntu:/boot# lsof | grep snvnszjee
        snvnszjee 5671 root cwd DIR 8,1 4096 918696 /home/user/Desktop
        snvnszjee 5671 root rtd DIR 8,1 4096 2 /
        snvnszjee 5671 root txt REG 8,1 619760 802459 /boot/snvnszjeez
        snvnszjee 5671 root 0u CHR 1,3 0t0 5626 /dev/null
        snvnszjee 5671 root 1u CHR 1,3 0t0 5626 /dev/null
        snvnszjee 5671 root 2u CHR 1,3 0t0 5626 /dev/null
        snvnszjee 5671 root 3u sock 0,7 0t0 446764 can't identify protocol
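The two file indicators on slide 3 and the lsof check on slide 4 can be automated into one host scan. The script below is an added example, not Akamai's code or part of the advisory: it looks for a regular file in /boot named with exactly ten lowercase letters, for the /lib/udev/udev copy, cross-checks that the two have the same size (both are 619760 bytes on slide 3), and walks /proc/<pid>/exe to find processes executing from those files, which is what the lsof "txt" line shows. The directory arguments, the size cross-check and the /proc walk are this example's own choices; build_constructed_tree() creates a fake tree so the checks can be exercised without an infected host.

```python
"""Host check for the on-disk XOR DDoS indicators described on slides 3 and 4.

Added example, not Akamai's code. Directory arguments default to the real
paths; build_constructed_tree() builds a fake (constructed) tree so the
checks can be run offline.
"""
import os
import re
import tempfile

TEN_LOWER = re.compile(r"^[a-z]{10}$")   # slide 3: filename of 10 random alpha characters


def suspicious_boot_files(boot_dir="/boot"):
    """Regular files in boot_dir whose name is exactly ten lowercase letters."""
    try:
        names = os.listdir(boot_dir)
    except OSError:
        return []
    return sorted(os.path.join(boot_dir, n) for n in names
                  if TEN_LOWER.match(n) and os.path.isfile(os.path.join(boot_dir, n)))


def udev_copy(udev_dir="/lib/udev"):
    """Path of udev_dir/udev if it exists as a regular file, else None."""
    path = os.path.join(udev_dir, "udev")
    return path if os.path.isfile(path) else None


def same_size_pairs(boot_hits, udev_path):
    """Boot hits whose size equals the udev copy (both copies are 619760 bytes on slide 3)."""
    if udev_path is None:
        return []
    size = os.path.getsize(udev_path)
    return [p for p in boot_hits if os.path.getsize(p) == size]


def running_from(paths, proc_root="/proc"):
    """(pid, exe) for every process whose exe symlink resolves to one of paths."""
    targets = {os.path.realpath(p) for p in paths}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return []
    hits = []
    for entry in entries:
        if entry.isdigit():
            exe = os.path.realpath(os.path.join(proc_root, entry, "exe"))
            if exe in targets:
                hits.append((int(entry), exe))
    return sorted(hits)


def scan(boot_dir="/boot", udev_dir="/lib/udev", proc_root="/proc"):
    """Run all checks and return a report dict."""
    boot_hits = suspicious_boot_files(boot_dir)
    udev = udev_copy(udev_dir)
    targets = boot_hits + ([udev] if udev else [])
    return {"boot_hits": boot_hits, "udev_copy": udev,
            "same_size_pairs": same_size_pairs(boot_hits, udev),
            "processes": running_from(targets, proc_root)}


def build_constructed_tree():
    """Constructed fake tree (not a real infection); returns (boot, udev, proc) dirs."""
    root = tempfile.mkdtemp(prefix="xorddos-demo-")
    boot, udev, proc = (os.path.join(root, d) for d in ("boot", "lib_udev", "proc"))
    for d in (boot, udev) + tuple(os.path.join(proc, p) for p in ("5671", "1", "self")):
        os.makedirs(d)
    # a dropped copy named with 10 letters, a kernel image that must not match,
    # and a 10-letter file of a different size that is not the same binary
    for name, size in (("snvnszjeez", 4096), ("vmlinuz-4.4.0", 8192), ("abcdefghij", 100)):
        with open(os.path.join(boot, name), "wb") as f:
            f.write(b"\x7fELF" + b"\0" * (size - 4))
    with open(os.path.join(udev, "udev"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 4092)
    os.chmod(os.path.join(udev, "udev"), 0o400)  # slide 3 lists the udev copy as -r--------
    os.symlink(os.path.join(boot, "snvnszjeez"), os.path.join(proc, "5671", "exe"))
    os.symlink(os.path.join(boot, "vmlinuz-4.4.0"), os.path.join(proc, "1", "exe"))
    return boot, udev, proc


if __name__ == "__main__":
    boot, udev, proc = build_constructed_tree()
    for key, value in scan(boot, udev, proc).items():
        print(f"{key}: {value}")
```

Run as root on a live host with the defaults (scan() with no arguments) to check the real /boot, /lib/udev and /proc; the filename pattern alone is a weak signal on its own, so the report keeps the same-size cross-check and the running-process evidence separate rather than collapsing them into a single verdict.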

  • 5/12

    Toolkit analysis

    - Communications between the C2 and bot occur over TCP port 3502
    - The bot registers itself with the C2 using this payload

        17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
        0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e E..8J.@.@.......
        0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8 .............~).
        0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641 P.r......A2FA36A
        0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124 ......w.lr.us.Q$
        0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641 /$K\W1F0BB2FA36A
        0x0050: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x0060: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x0070: 4141 3935 3458 7008 7442 3246 4133 3641 AA954Xp.tB2FA36A
        0x0080: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x0090: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641 AA9541w.pp.rA36A
        0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
        0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30 AA9541FY.(Z<#_L0

  • 6/12

    Toolkit analysis

    The decrypted payload consists of the following:

    - Target IP address (4 bytes)
    - Target port (2 bytes)
    - Payload data
    - DDoS flood: SYN (05) or DNS (04)
    - If the command is for a DNS flood, the DNS query will be placed after the target port
    - Size of the payload for the attack

  • 7/12

    DDoS attack payloads

    Sample payload of the SYN flood attack traffic captured in a controlled lab environment

        17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
        0x0000: 4500 0417 bf7c 0000 8006 da46 ac10 6c89 E....|.....F..l.
        0x0010: XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000 .....|...|.R....
        0x0020: 7002 ffff 663e 0000 0204 05b4 0101 0402 p...f>..........
        ... 0x00 filled ...
        0x0400: 0000 0000 0000 0000 0000 0000 0000 0000 ................
        0x0410: 0000 0000 0000 00 .......

  • 8/12

    DDoS attack payloads

    Sample payload of DNS flood attack

        12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
        0x0000: 4500 0044 4a25 0000 8011 5366 ac10 6c89 E..DJ%....Sf..l.
        0x0010: XXXX XXXX 4a25 0035 0030 cedc 4a25 0120 ....J%.5.0..J%..
        0x0020: 0001 0000 0000 0001 0765 7861 6d70 6c65 .........example
        0x0030: 0363 6f6d 0000 0100 0100 0029 1000 0000 .com.......)....
        0x0040: 0000 0000 ....

  • 9/12

    Toolkit analysis

    Once a flood command is received from the C2, the malware builds a SYN or DNS flood

  • 10/12

    Recommended DDoS detection methods

    Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers. Predefined data structures used include SIZE_TCP_H, SIZE_IP_H with options

  • 11/12

    Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations

    The report covers:

    - Detailed explanation of threat
    - Indicators of infection
    - Payload decryption
    - Execution paths
    - Static characteristics
    - Snort and YARA rules
    - Four steps for malware removal

    Q3 2015 State of the Internet Security Report

    http://www.stateoftheinternet.com/xorddos

  • 12/12

    About stateoftheinternet.com

    StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

    Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.

    http://www.stateoftheinternet.com/