xor ddos malware cloud security threat advisory slideshow
TRANSCRIPT
-
7/25/2019 XOR DDoS Malware Cloud Security Threat Advisory Slideshow
1/12
akamai.com
[XOR DDoS Threat Advisory]
What is the XOR DDoS threat?
The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps.
The gaming sector has been the primary target, followed by educational institutions.
The botnet has attacked up to 20 targets per day, 90% of which were in Asia.
XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines.
The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
2 / [The State of the Internet] / Security Threat Advisory
Binary infection indicators
Execution requires root privileges.
The malware creates two copies of itself:
One copy in the /boot directory with a filename composed of 10 random alpha characters
One copy in /lib/udev with the filename udev
root@ubuntu:/boot# ls -la | egrep -i [a-z]{10}$
-rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
root@ubuntu:/boot# ls -la /lib/udev/udev
-r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev
Binary infection indicators
Listing the open files with lsof shows the process that is using the malware:
root@ubuntu:/boot# lsof | grep snvnszjee
snvnszjee 5671 root cwd DIR 8,1 4096 918696 /home/user/Desktop
snvnszjee 5671 root rtd DIR 8,1 4096 2 /
snvnszjee 5671 root txt REG 8,1 619760 802459 /boot/snvnszjeez
snvnszjee 5671 root 0u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 1u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 2u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 3u sock 0,7 0t0 446764 can't identify protocol
Toolkit analysis
Communications between the C2 and bot occur over TCP port 3502.
The bot registers itself with the C2 using this payload:
17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e E..8J.@.@.......
0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8 .............~).
0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641 P.r......A2FA36A
0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124 ......w.lr.us.Q$
0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641 /$K\W1F0BB2FA36A
0x0050: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0060: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0070: 4141 3935 3458 7008 7442 3246 4133 3641 AA954Xp.tB2FA36A
0x0080: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0090: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641 AA9541w.pp.rA36A
0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30 AA9541FY.(Z
Toolkit analysis
The decrypted payload consists of the following:
Target IP address (4 bytes)
Target port (2 bytes)
Payload data
DDoS flood type: SYN (05) or DNS (04)
If the command is for a DNS flood, the DNS query is placed after the target port.
Size of the payload for the attack
DDoS attack payloads
Sample payload of the SYN flood attack traffic captured in a controlled lab environment:
17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
0x0000: 4500 0417 bf7c 0000 8006 da46 ac10 6c89 E....|.....F..l.
0x0010: XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000 .....|...|.R....
0x0020: 7002 ffff 663e 0000 0204 05b4 0101 0402 p...f>..........
... 0x00 filled ...
0x0400: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0410: 0000 0000 0000 00 .......
DDoS attack payloads
Sample payload of the DNS flood attack:
12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
0x0000: 4500 0044 4a25 0000 8011 5366 ac10 6c89 E..DJ%....Sf..l.
0x0010: XXXX XXXX 4a25 0035 0030 cedc 4a25 0120 ....J%.5.0..J%..
0x0020: 0001 0000 0000 0001 0765 7861 6d70 6c65 .........example
0x0030: 0363 6f6d 0000 0100 0100 0029 1000 0000 .com.......)....
0x0040: 0000 0000
Toolkit analysis
Once a flood command is received from the C2, the malware builds a SYN or DNS flood.
Recommended DDoS detection methods
Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers. Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options.
Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations.
The report covers:
Detailed explanation of the threat
Indicators of infection
Payload decryption
Execution paths
Static characteristics
Snort and YARA rules
Four steps for malware removal
Q3 2015 State of the Internet Security Report
http://www.stateoftheinternet.com/xorddos
About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.
http://www.stateoftheinternet.com/