XOR DDoS malware cloud security threat advisory slideshow


[XOR DDoS Threat Advisory]

akamai.com


What is the XOR DDoS threat

• The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps
• The gaming sector has been the primary target, followed by educational institutions
• The botnet has attacked up to 20 targets per day, 90% of which were in Asia

• XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
• The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords

2 / [The State of the Internet] / Security Threat Advisory


Binary infection indicators

• Execution requires root privileges
• The malware creates two copies of itself:
  • One copy in the /boot directory with a filename composed of 10 random alpha characters
  • One copy in /lib/udev with the filename udev

root@ubuntu:/boot# ls -la | egrep -i " [a-z]{10}$"
-rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
root@ubuntu:/boot# ls -la /lib/udev/udev
-r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev



Binary infection indicators

• Listing the open files with lsof shows the process that uses the malware binary

root@ubuntu:/boot# lsof | grep snvnszjee
snvnszjee 5671 root cwd DIR 8,1 4096 918696 /home/user/Desktop
snvnszjee 5671 root rtd DIR 8,1 4096 2 /
snvnszjee 5671 root txt REG 8,1 619760 802459 /boot/snvnszjeez
snvnszjee 5671 root 0u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 1u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 2u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 3u sock 0,7 0t0 446764 can't identify protocol



Toolkit analysis

• Communications between the C2 and bot occur over TCP port 3502
• The bot registers itself with the C2 using this payload:

17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e E..8J.@.@.......
0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8 .............~).
0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641 P.r......A2FA36A
0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124 ......w.lr.us.Q$
0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641 /$K\W1F0BB2FA36A
0x0050: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0060: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0070: 4141 3935 3458 7008 7442 3246 4133 3641 AA954Xp.tB2FA36A
0x0080: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0090: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641 AA9541w.pp.rA36A
0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30 AA9541FY.(Z<#_L0
0x0100: 2428 4c5b 4452 2453 272a 5e34 2f46 4e26 $(L[DR$S'*^4/FN&
0x0110: 282b 5846 4055 2530 1116 7312 0870 3641 (+XF@U%0..s..p6A
0x0120: 4141 3935 3431 4630 736c 0368 7433 3641 AA9541F0sl.ht36A
0x0130: 4141 3935 3431 4630 AA9541F0
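The registration payload above is encrypted with a repeating 16-byte XOR key, and because the bot pads its fields with NUL bytes the key leaks into the ciphertext wherever the plaintext is zero (the repeating ASCII run visible in the dump). This added example, not Akamai's code, takes the 272-byte TCP payload transcribed from the dump, recovers the key as the most frequent key-aligned block, and decrypts it, which exposes readable fields such as the infected host's kernel release.

```python
from collections import Counter
# TCP payload (272 bytes) of the bot registration packet, transcribed from the
# tcpdump -X output above; the 40 bytes of IP and TCP headers are dropped.
PAD = "41413935343146304242324641333641"  # dump lines 0x50, 0x60, 0x80-0xa0, 0xc0-0xe0
PAYLOAD_HEX = "".join([
    "ab41324641333641",                   # tail of dump line 0x20 (offsets 0x28-0x2f)
    "bebec6ca071f77036c721f75731e5124",   # 0x30
    "2f244b5c573146304242324641333641",   # 0x40
    PAD, PAD,                             # 0x50, 0x60
    "41413935345870087442324641333641",   # 0x70
    PAD, PAD, PAD,                        # 0x80, 0x90, 0xa0
    "414139353431771a70700b7241333641",   # 0xb0
    PAD, PAD, PAD,                        # 0xc0, 0xd0, 0xe0
    "414139353431465920285a3c235f4c30",   # 0xf0
    "24284c5b44522453272a5e342f464e26",   # 0x100
    "282b5846405525301116731208703641",   # 0x110
    "4141393534314630736c036874333641",   # 0x120
    "4141393534314630",                   # 0x130
])
PAYLOAD = bytes.fromhex(PAYLOAD_HEX)

def recover_key(ct: bytes, keylen: int = 16) -> bytes:
    """Most frequent key-aligned block: NUL padding XOR key == key, so every
    16-byte run of padding is the key in the clear."""
    blocks = [ct[i:i + keylen] for i in range(0, len(ct) - keylen + 1, keylen)]
    return Counter(blocks).most_common(1)[0][0]

def xor_decrypt(ct: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(ct))

def printable_strings(data: bytes, minlen: int = 4) -> list:
    """Printable ASCII runs of at least minlen bytes, like the strings tool."""
    out, run = [], bytearray()
    for b in data + b"\x00":           # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7f:
            run.append(b)
            continue
        if len(run) >= minlen:
            out.append(run.decode())
        run = bytearray()
    return out

KEY = recover_key(PAYLOAD)             # b"BB2FA36AAA9541F0"
PLAIN = xor_decrypt(PAYLOAD, KEY)

if __name__ == "__main__":
    print(KEY.decode(), printable_strings(PLAIN))  # includes "3.13.0-32-generic"
```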



Toolkit analysis

• The decrypted payload consists of the following:
  • Target IP address (4 bytes)
  • Target port (2 bytes)
  • Payload data
  • DDoS flood: SYN (05) or DNS (04)
  • If the command is for a DNS flood, the DNS query will be placed after the target port
  • Size of the payload for the attack



DDoS attack payloads

• Sample payload of the SYN flood attack traffic captured in a controlled lab environment

17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
0x0000: 4500 0417 bf7c 0000 8006 da46 ac10 6c89 E....|.....F..l.
0x0010: XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000 .....|...|.R....
0x0020: 7002 ffff 663e 0000 0204 05b4 0101 0402 p...f>..........
... 0x00 filled ...
0x0400: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0410: 0000 0000 0000 00 .......
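The anomaly in this capture is that a SYN segment carries 999 bytes of data, which a normal TCP handshake never does. As an added detection example (not code from the advisory or from the full report), the following parses the IPv4 and TCP headers transcribed from the dump and flags a SYN with the ACK bit clear that carries a payload; the destination address redacted as X.X.X.X is replaced with the placeholder 0.0.0.0 and the elided zero fill is expanded to the reported length.

```python
import struct

def build_sample_syn() -> bytes:
    """IP and TCP headers transcribed from the dump above; the region shown
    as '... 0x00 filled ...' is expanded to the 999 NUL bytes tcpdump reported.
    The redacted destination address is replaced with 0.0.0.0."""
    hdr = bytes.fromhex(
        "4500 0417 bf7c 0000 8006 da46 ac10 6c89"   # IPv4, total length 0x417 = 1047
        "0000 0000 bf7c 1f90 bf7c dd52 0000 0000"   # dst (placeholder), sport, dport 80, seq, ack
        "7002 ffff 663e 0000 0204 05b4 0101 0402"   # data offset 7 words, flags = SYN, options
    )
    return hdr + b"\x00" * (0x417 - len(hdr))

def syn_with_payload(pkt: bytes) -> tuple:
    """Return (suspicious, payload_len) for one IPv4 packet.  A SYN with the
    ACK bit clear should carry no data; the capture carries 999 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or total_len > len(pkt):        # not TCP, or truncated capture
        return False, 0
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    syn, ack = bool(flags & 0x02), bool(flags & 0x10)
    payload_len = len(tcp) - data_off
    return (syn and not ack and payload_len > 0), payload_len

if __name__ == "__main__":
    print(syn_with_payload(build_sample_syn()))    # (True, 999)
```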



DDoS attack payloads

• Sample payload of DNS flood attack

12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
0x0000: 4500 0044 4a25 0000 8011 5366 ac10 6c89 E..DJ%....Sf..l.
0x0010: XXXX XXXX 4a25 0035 0030 cedc 4a25 0120 ....J%.5.0..J%..
0x0020: 0001 0000 0000 0001 0765 7861 6d70 6c65 .........example
0x0030: 0363 6f6d 0000 0100 0100 0029 1000 0000 .com.......)....
0x0040: 0000 0000



Toolkit analysis

• Once a flood command is received from the C2, the malware builds a SYN or DNS flood



Recommended DDoS detection methods

• Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers
• Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options



Q3 2015 State of the Internet – Security Report

Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations

The report covers:

• Detailed explanation of threat
• Indicators of infection
• Payload decryption
• Execution paths
• Static characteristics
• Snort and YARA rules
• Four steps for malware removal



About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.


