[XOR DDoS Threat Advisory] akamai.com


What is the XOR DDoS threat?
- The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps
- The gaming sector has been the primary target, followed by educational institutions
- The botnet has attacked up to 20 targets per day, 90% of which were in Asia
- XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
- The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords

2 / [The State of the Internet] / Security Threat Advisory

Binary infection indicators
- Execution requires root privileges
- The malware creates two copies of itself:
  - One copy in the /boot directory with a filename composed of 10 random alpha characters
  - One copy in /lib/udev with the filename udev

    root@ubuntu:/boot# ls -la | egrep -i '[a-z]{10}$'
    -rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
    root@ubuntu:/boot# ls -la /lib/udev/udev
    -r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev

Binary infection indicators
- Listing the open files with lsof shows the process running the malware (lsof truncates the COMMAND column to nine characters)

    root@ubuntu:/boot# lsof | grep snvnszjee
    snvnszjee 5671 root  cwd  DIR  8,1   4096  918696 /home/user/desktop
    snvnszjee 5671 root  rtd  DIR  8,1   4096       2 /
    snvnszjee 5671 root  txt  REG  8,1 619760  802459 /boot/snvnszjeez
    snvnszjee 5671 root    0u CHR  1,3    0t0    5626 /dev/null
    snvnszjee 5671 root    1u CHR  1,3    0t0    5626 /dev/null
    snvnszjee 5671 root    2u CHR  1,3    0t0    5626 /dev/null
    snvnszjee 5671 root    3u sock 0,7    0t0  446764 can't identify protocol
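The two indicator slides above (the random-named copy in /boot, the /lib/udev/udev copy of identical size, and a process executing from /boot) can be swept for with a small script. This is an added example, not code from the advisory or from Akamai; the root parameter and the build_demo_tree helper are assumptions made so the sweep can also run over a mounted image or a constructed test tree.

```python
import os
import re
import tempfile

# Name pattern of the /boot copy: 10 random alpha characters (the advisory's
# example is snvnszjeez). Both copies in the listing are 619760 bytes.
RANDOM_NAME = re.compile(r"[a-z]{10}")

def scan_indicators(root="/"):
    """Check the advisory's on-disk and process indicators under root; root lets
    the same sweep run over a mounted image instead of the live system."""
    findings, boot_hits = [], []
    boot, udev = os.path.join(root, "boot"), os.path.join(root, "lib", "udev", "udev")
    if os.path.isdir(boot):
        for e in os.scandir(boot):
            if e.is_file(follow_symlinks=False) and RANDOM_NAME.fullmatch(e.name):
                boot_hits.append(e.path)
                findings.append(f"random-named file in /boot: {e.path}")
    if os.path.isfile(udev):
        findings.append(f"dropped copy present: {udev}")
        for path in boot_hits:  # the two copies are identical in size
            if os.path.getsize(path) == os.path.getsize(udev):
                findings.append(f"same size as udev copy: {path}")
    proc = os.path.join(root, "proc")  # lsof showed the bot executing from /boot
    if os.path.isdir(proc):
        for pid in filter(str.isdigit, os.listdir(proc)):
            try:
                exe = os.readlink(os.path.join(proc, pid, "exe"))
            except OSError:
                continue
            if exe.startswith("/boot/") or exe == "/lib/udev/udev":
                findings.append(f"pid {pid} running from {exe}")
    return findings

def build_demo_tree():
    """Constructed sample tree reproducing the advisory's layout, for testing only."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "boot"))
    os.makedirs(os.path.join(base, "lib", "udev"))
    os.makedirs(os.path.join(base, "proc", "5671"))
    for rel in ("boot/snvnszjeez", "lib/udev/udev"):
        with open(os.path.join(base, rel), "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 60)  # same size, stands in for the binary
    os.symlink("/boot/snvnszjeez", os.path.join(base, "proc", "5671", "exe"))
    return base
```

On a live host run scan_indicators("/") as root, since /proc/<pid>/exe of another user's process is not readable otherwise.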

Toolkit analysis
- Communications between the C2 and bot occur over TCP port 3502
- The bot registers itself with the C2 using this payload

    17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
    0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e  E..8J.@.@.......
    0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8  .............~).
    0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641  P.r......A2FA36A
    0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124  ......w.lr.us.Q$
    0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641  /$K\W1F0BB2FA36A
    0x0050: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x0060: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x0070: 4141 3935 3458 7008 7442 3246 4133 3641  AA954Xp.tB2FA36A
    0x0080: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x0090: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641  AA9541w.pp.rA36A
    0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641  AA9541F0BB2FA36A
    0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30  AA9541FY.(Z<#_L0
    0x0100: 2428 4c5b 4452 2453 272a 5e34 2f46 4e26  $(L[DR$S'*^4/FN&
    0x0110: 282b 5846 4055 2530 1116 7312 0870 3641  (+XF@U%0..s..p6A
    0x0120: 4141 3935 3431 4630 736c 0368 7433 3641  AA9541F0sl.ht36A
    0x0130: 4141 3935 3431 4630                      AA9541F0

Toolkit analysis
- The decrypted payload consists of the following:
  - Target IP address (4 bytes)
  - Target port (2 bytes)
  - Payload data
  - DDoS flood: SYN (05) or DNS (04)
  - If the command is for a DNS flood, the DNS query will be placed after the target port
  - Size of the payload for the attack

DDoS attack payloads
- Sample payload of the SYN flood attack traffic captured in a controlled lab environment

    17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
    0x0000: 4500 0417 bf7c 0000 8006 da46 ac10 6c89  E....|.....F..l.
    0x0010: XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000  .....|...|.R....
    0x0020: 7002 ffff 663e 0000 0204 05b4 0101 0402  p...f>..........
    (0x0030 through 0x03f0: 0x00 filled)
    0x0400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0410: 0000 0000 0000 00                        .......

DDoS attack payloads
- Sample payload of DNS flood attack

    12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
    0x0000: 4500 0044 4a25 0000 8011 5366 ac10 6c89  E..DJ%....Sf..l.
    0x0010: XXXX XXXX 4a25 0035 0030 cedc 4a25 0120  ....J%.5.0..J%..
    0x0020: 0001 0000 0000 0001 0765 7861 6d70 6c65  .........example
    0x0030: 0363 6f6d 0000 0100 0100 0029 1000 0000  .com.......)....
    0x0040: 0000 0000                                ....
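The registration dump and the SYN flood sample above can be worked on from their tcpdump -X text. The following is an added example, not code from the advisory or from Akamai: it rebuilds packet bytes from that format, flags the SYN-carrying-data pattern of the flood sample, and applies a repeating-key XOR to a constructed command. The 16-byte key is an assumption taken from the string that repeats in the ASCII column of the registration dump (under XOR, runs of zero plaintext leak the key); the advisory does not state the key on this page, and the sample constants are constructed.

```python
import re

# Constructed sample in tcpdump -X layout, modelled on the advisory's SYN flood
# capture; the masked destination X.X.X.X is replaced here with 10.0.0.1.
SYN_SAMPLE = """\
0x0000:  4500 0417 bf7c 0000 8006 da46 ac10 6c89  E....|.....F..l.
0x0010:  0a00 0001 bf7c 1f90 bf7c dd52 0000 0000  .....|...|.R....
0x0020:  7002 ffff 663e 0000 0204 05b4 0101 0402  p...f>..........
0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
"""
# Assumed key (not stated by the advisory): the string repeating in the C2 dump.
ASSUMED_KEY = b"BB2FA36AAA9541F0"

def parse_tcpdump_x(dump):
    """Rebuild raw packet bytes from the hex columns of tcpdump -X output."""
    out = bytearray()
    for line in dump.splitlines():
        tok = line.split()
        if not tok or not re.fullmatch(r"0x[0-9a-fA-F]+:", tok[0]):
            continue
        for group in tok[1:9]:  # at most 8 hex groups per line, then ASCII
            if not re.fullmatch(r"[0-9a-fA-F]{4}", group):
                break
            out += bytes.fromhex(group)
    return bytes(out)

def tcp_flags_and_payload(pkt):
    """Locate the TCP flags byte and payload via IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + 13], pkt[ihl + doff:]

def syn_with_data(pkt):
    """Flood heuristic from the SYN sample: a SYN without ACK should carry no data."""
    flags, payload = tcp_flags_and_payload(pkt)
    return bool(flags & 0x02) and not (flags & 0x10) and len(payload) > 0

def xor_decode(data, key=ASSUMED_KEY):
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def repeated_block(data, period=16, repeats=3):
    """Return a period-byte block that repeats back to back, else None; under a
    repeating XOR key, zero padding in the plaintext shows up as such a repeat."""
    for i in range(len(data) - period * repeats + 1):
        chunk = data[i:i + period]
        if all(data[i + k * period:i + (k + 1) * period] == chunk for k in range(1, repeats)):
            return chunk
    return None
```

repeated_block recovers the key only up to rotation, since the phase depends on where the zero run starts relative to the key.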

Toolkit analysis
- Once a flood command is received from the C2, the malware builds a SYN or DNS flood

Recommended DDoS detection methods
- Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers
- Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options

Q3 2015 State of the Internet Security Report
- Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations
- The report covers:
  - Detailed explanation of threat
  - Indicators of infection
  - Payload decryption
  - Execution paths
  - Static characteristics
  - Snort and YARA rules
  - Four steps for malware removal

About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.