[ X OR DDoS T h r e a t A d v i sory] akamai.com

Transcription

1 [ X OR DDoS T h r e a t A d v i sory] akamai.com

2 What is the XOR DDoS threat The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps The gaming sector has been the primary target, followed by educational institutions The botnet has attacked up to 20 targets per day, 90% of which were in Asia XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords 2 / [The State of the Internet] / Security Threat Advisory

3 Binary infection indicators Execution requires root privileges The malware creates two copies of itself: One copy in the /boot directory with a filename composed of 10 random alpha characters One copy in /lib/udev with the filename udev. root@ubuntu:/boot# ls -la egrep -i [a-z]{10}$ -rwxr-x--- 1 root root Aug 12 07:56 snvnszjeez root@ubuntu:/boot# ls -la /lib/udev/udev -r root root Aug 12 07:56 /lib/udev/udev 3 / [The State of the Internet] / Security Threat Advisory

4 Binary infection indicators Listing the open files with lsof shows the process that use the malware lsof grep snvnszjee snvnszjee 5671 root cwd DIR 8, /home/user/desktop snvnszjee 5671 root rtd DIR 8, / snvnszjee 5671 root txt REG 8, /boot/snvnszjeez snvnszjee 5671 root 0u CHR 1,3 0t /dev/null snvnszjee 5671 root 1u CHR 1,3 0t /dev/null snvnszjee 5671 root 2u CHR 1,3 0t /dev/null snvnszjee 5671 root 3u sock 0,7 0t can t identify protocol 4 / [The State of the Internet] / Security Threat Advisory

5 Toolkit analysis Communications between the C2 and bot occur over TCP port 3502 The bot registers itself with the C2 using this payload 17:12: IP x.x.x.x > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272 0x0000: a cbf c0a8 ac9e 0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8...~). 0x0020: bca ab P.r...A2FA36A 0x0030: bebe c6ca 071f c72 1f75 731e w.lr.us.Q$ 0x0040: 2f24 4b5c /$K\W1F0BB2FA36A 0x0050: AA9541F0BB2FA36A 0x0060: AA9541F0BB2FA36A 0x0070: AA954Xp.tB2FA36A 0x0080: AA9541F0BB2FA36A 0x0090: AA9541F0BB2FA36A 0x00a0: AA9541F0BB2FA36A 0x00b0: a b AA9541w.pp.rA36A 0x00c0: AA9541F0BB2FA36A 0x00d0: AA9541F0BB2FA36A 0x00e0: AA9541F0BB2FA36A 0x00f0: a3c 235f 4c30 AA9541FY.(Z<#_L0 0x0100: c5b a 5e34 2f46 4e26 $(L[DR$S *^4/FN& 0x0110: 282b x0120: c AA9541F0sl.ht36A 0x0130: AA9541F0 5 / [The State of the Internet] / Security Threat Advisory

6 Toolkit analysis The decrypted payload consists of the following: Target IP address (4 bytes) Target port (2 bytes) Payload data DDoS flood: SYN (05) or DNS (04) If the command is for a DNS flood, the DNS query will be placed after the target port Size of the payload for the attack 6 / [The State of the Internet] / Security Threat Advisory

7 DDoS attack payloads Sample payload of the SYN flood attack traffic captured in a controlled lab environment 17:49: IP > X.X.X.X.80: Flags [S], seq : , win 65535, options [mss 1460,nop,nop,sackOK], length 999 0x0000: bf7c da46 ac10 6c89 E......F..l. 0x0010: XXXX XXXX bf7c 1f90 bf7c dd R... 0x0020: 7002 ffff 663e b p...f> x00 filled... 0x0400: x0410: / [The State of the Internet] / Security Threat Advisory

8 DDoS attack payloads Sample payload of DNS flood attack 12:14: IP > X.X.X.X.53: UDP, length 40 0x0000: a ac10 6c89 E..DJ%...Sf..l. 0x0010: XXXX XXXX 4a cedc 4a J%.5.0..J%.. 0x0020: d70 6c65...example 0x0030: f6d com...)... 0x0040: / [The State of the Internet] / Security Threat Advisory

9 Toolkit analysis Once a flood command is received from the C2, the malware builds a AYN or DNS flood 9 / [The State of the Internet] / Security Threat Advisory

10 Recommended DDoS detection methods Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers. Predefined data structures used include SIZE_TCP_H, SIZE_IP_H with options 10 / [The State of the Internet] / Security Threat Advisory

11 Q State of the Internet Security Report Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations The report covers: Detailed explanation of threat Indicators of infection Payload decryption Execution paths Static characteristics Snort and YARA rules Foursteps for malware removal 11 / [The State of the Internet] / Security Threat Advisory

12 About stateoftheinternet.com StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to can find current and archived versions of Akamai s Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape. 12 / [The State of the Internet] / Security Threat Advisory