
China.z / Trojan.XorDDOS - Analysis of a hack


Analyzing the hack of a Debian-based system with the Trojan.XorDDOS, with some China.Z thrown into the mix.


  1. China.Z / XorDDOS – Analysis of a hack (updated)
     hendrik.vanbelleghem@gmail.com
     V1.2 – 13 May 2015
  2. Disclaimer
     • Initial evidence pointed to abuse of ShellShock – China.Z
     • More detailed investigation pointed to a brute-force attack on SSH root passwords
     • ClamAV confirmed this by finding XorDDOS
  3. The host
     • Debian Wheezy 64-bit
       – With all updates
       – Bash 4.2.37(1) – should be OK
     • LAMP
     • Firewall configured
       – Incoming allowed: HTTP, SSH, phpMyAdmin
       – Any outgoing
     • Public IP (monitored by hosting company)
     • No FQDN (yet)
     • No activity (yet)
     • Console (VNC) access
  4. The Symptoms
     • 100% CPU usage
     • Network access disabled due to DDoS activity
  5. The Symptoms
     • 1 process taking all resources
       – Executable with randomized filename
     • Startup script for file
     • Nothing in command history
     • No apparent leftover files
     • No apparent hosting of malware / other
     • Root password still works
     • Client connection on random port
     • Server connection listening on random port
  6. Initial Troubleshooting
     • Kill process
       – New process recreated automatically with randomized filename. Startup script recreated.
       – New randomized port server & client started
     • Delete executable
       – New process recreated automatically with randomized filename. Startup script recreated. Executable recreated.
       – New randomized port server & client started
     • Block server & client ports (iptables)
       – New randomized port server & client started
     • Backup executable & startup script
     • Backup command history
     • Backup logfiles (HTTP as first guess)
       – /var/log/apache
  7. Troubleshooting – Step 2
     • Review logs
       – HTTP log shows port scan
       – HTTP log shows attack
     • Dump last changed files
       – find / -mtime -10 | grep -v dev | grep -v proc > recent_files.txt
     • Review recently modified files
       – /etc/cron.hourly/*loader*.sh
       – /etc/crontab (running *loader*)
       – /bin/*loader* (disguised as library)
       – /bin/*process* (randomized name)
       – /etc/init.d/*process* (randomized name)
       – /etc/rc?.d/S02*process* (randomized name)
  8. Troubleshooting – Juicy Bits
     • Portscan before and after attack
  9. Troubleshooting – Juicy Bits
     • Attack was not targeting CGI scripts
       – Initial approach with ShellShock
     • Attack shows signature – “China.Z”
  10. Troubleshooting – Step 3
     • Attacker used wget
       – Removed wget
     • Backup of cron scripts & executable
       – Removed files
     • Hard shutdown
     • Startup in single mode *fingers crossed*
       – No trojan
     • Disable network
  11. Troubleshooting – Step 4
     • Double-check bootscripts
     • Double-check netstat
     • Double-check logs
     • Disable Apache
     • Disable SSH
     • Installed & ran ClamAV
       – Cleaned up everything
     • Apply modsecurity
     • Enable all & reboot
     • *Fingers crossed*
  12. Recommendations
     • Apply latest updates
     • Patch bash
     • Run bash in privileged mode
     • Limit incoming traffic (iptables) – DUH!
     • Limit outgoing traffic (iptables)
     • Block 121.12.168.0/21 & others (check logs)
     • Apply mod_security rules – OWASP
     • Get rid of wget if you don’t need it
     • Scan your system – ClamAV
     • Run vulnerability tests!
  13. Scan Results
     • ClamAV detects the trojan as Linux.Trojan.Xorddos
     • Brute-force SSH password approach (UPDATE!)
  14. UPDATE! Recommendations
     • Check /var/log/auth
     • Restrict root login on SSH
     • Restrict SSH access to limited IPs
     • Set up reverse SSH tunnels
     • Use shared keys
     • Update passwords
  15. UPDATE! More reading – XorDDOS
     • Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
       – http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
     • Linux DDoS Trojan hiding itself with an embedded rootkit
       – https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
     • DDoS Malware for Linux Distributed via SSH Brute Force Attacks
       – http://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks
     • Symantec: Linux.Xorddos
       – http://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99
  16. More reading – China.Z
     • New ELF Malware on ShellShock
       – http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-
     • ShellShock Deception with Echo
       – http://neonprimetime.blogspot.be/2015/03/shellshock-deception-wi
     • Analysis of China.Z
       – http://users.jyu.fi/~sapekiis/china-z/index.html
  17. More reading – ShellShock
     • Debian Announcement on ShellShock
       – https://lists.debian.org/debian-security-announce/2014/msg00220.html
     • Using ModSecurity to prevent ShellShock
       – https://access.redhat.com/articles/1212303
     • How ShellShock can be exploited
       – http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited
     • Inside ShellShock
       – https://blog.cloudflare.com/inside-shellshock/
     • Mitigating the ShellShock Vulnerability
       – https://access.redhat.com/articles/1212303
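The "dump last changed files" step on slide 7 (Troubleshooting – Step 2) and the list of persistence locations that follows it can be turned into a repeatable triage check. The script below is an added example, not part of the deck or the author's own tooling: it reproduces the `find -mtime` dump while pruning pseudo-filesystems, then tags any recently changed path that falls in the locations the slide names (cron.hourly, /etc/crontab, /bin, /etc/init.d, /etc/rc?.d/S*). The sample tree it builds is constructed for the demo, with made-up filenames standing in for the randomized ones; on a real host you would run `recent_files / 10 | flag_persistence /` and review the output by hand.

```shell
#!/bin/sh
# Added example (not from the slides): filesystem triage for the indicators on slide 7.

# List regular files and symlinks changed in the last DAYS days under ROOT, skipping
# /dev, /proc, /sys and /run (the slide's "grep -v dev | grep -v proc", done inside find).
# ROOT may be "/" or a mounted copy of the suspect disk.
recent_files() {
    prefix="${1%/}"          # "" when ROOT is "/", so "$prefix/dev" is "/dev"
    days="$2"
    find "${prefix:-/}" -xdev \
        \( -path "$prefix/dev" -o -path "$prefix/proc" -o -path "$prefix/sys" -o -path "$prefix/run" \) -prune \
        -o \( -type f -o -type l \) -mtime "-$days" -print 2>/dev/null
}

# Read paths on stdin and print "TAG path" for those in the persistence locations
# the deck lists. Paths are made relative to ROOT so the tags work on a mounted image.
flag_persistence() {
    prefix="${1%/}"
    while IFS= read -r f; do
        rel="${f#"$prefix"}"
        case "$rel" in
            /etc/cron.hourly/*)        echo "CRON_HOURLY $rel" ;;
            /etc/crontab)              echo "CRONTAB $rel" ;;
            /bin/*|/usr/bin/*|/lib/*)  echo "BIN_OR_LIB $rel" ;;
            /etc/init.d/*)             echo "INIT_SCRIPT $rel" ;;
            /etc/rc[0-6S].d/S*)        echo "RC_LINK $rel" ;;
        esac
    done
}

# Build a constructed directory tree that mirrors the layout from slide 7 (hypothetical
# names, harmless contents) so the checks can be exercised offline. Prints its path.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.hourly" "$d/etc/init.d" "$d/etc/rc2.d" "$d/bin" \
             "$d/dev" "$d/proc" "$d/home/user"
    echo 'echo constructed loader stand-in' > "$d/etc/cron.hourly/sample_loader.sh"
    echo '* * * * * root /etc/cron.hourly/sample_loader.sh' > "$d/etc/crontab"
    echo 'constructed stand-in for a randomized binary' > "$d/bin/abcdefghij"
    echo 'constructed init script stand-in' > "$d/etc/init.d/abcdefghij"
    ln -s ../init.d/abcdefghij "$d/etc/rc2.d/S02abcdefghij"
    echo 'lives under proc, must be pruned' > "$d/proc/cpuinfo"
    echo 'benign user file, must not be tagged' > "$d/home/user/notes.txt"
    echo "$d"
}

# Demo on the constructed tree; expect five tagged lines and nothing from /proc.
sample=$(build_sample_tree)
recent_files "$sample" 10 | flag_persistence "$sample"
rm -rf "$sample"
```

The tags are a starting point for manual review, not a verdict: legitimate package upgrades also touch /bin and /etc/init.d, so compare each hit against the package manager's records (`dpkg -S` on Debian) and against the backup you took before cleanup.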
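Slides 13 and 14 conclude that the real entry point was SSH password brute-forcing and recommend checking /var/log/auth, restricting root login and limiting SSH access. The script below is an added example, not from the deck: it summarizes failed and accepted password logins per source IP from auth.log-style lines, and audits an sshd_config for the settings those recommendations imply (PermitRootLogin, PasswordAuthentication, AllowUsers). The log lines and both config files are constructed for the demo, using documentation IP ranges; on a Debian host you would feed it /var/log/auth.log and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the slides): auth.log brute-force summary and sshd_config audit.

# Print "count ip" for every source with at least THRESHOLD failed password attempts
# (default 5), highest first. Reads auth.log-style lines on stdin.
failed_logins_by_ip() {
    threshold="${1:-5}"
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Print each source IP that completed a password login as root (slide 5: the root
# password still worked, so a success after a burst of failures is the line to look for).
accepted_root_logins() {
    grep 'sshd\[[0-9]*\]: Accepted password for root from' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort -u
}

# Report WEAK lines for an sshd_config that still allows what slide 14 tells you to
# restrict. sshd keeps the first value it sees for a keyword and keywords are
# case-insensitive; Match blocks are not parsed here (a known limitation).
audit_sshd_config() {
    cfg="$1"
    root=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" | head -n 1 | awk '{print $2}')
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK PermitRootLogin=${root:-<unset>} (want no or prohibit-password)" ;;
    esac
    pw=$(grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" | head -n 1 | awk '{print $2}')
    [ "$pw" = "no" ] || echo "WEAK PasswordAuthentication=${pw:-<unset>} (want no; use keys)"
    grep -qi '^[[:space:]]*AllowUsers[[:space:]]' "$cfg" \
        || echo "WEAK AllowUsers unset (want an explicit user@host list)"
}

# Constructed auth.log excerpt: 8 failures from one source, 2 from another, then a
# successful root login from the first source. IPs are from documentation ranges.
sample_auth_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo "May 12 03:14:0$i host sshd[2100$i]: Failed password for root from 198.51.100.7 port 5120$i ssh2"
        i=$((i + 1))
    done
    echo "May 12 03:15:01 host sshd[21010]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2"
    echo "May 12 03:15:02 host sshd[21011]: Failed password for root from 203.0.113.9 port 40002 ssh2"
    echo "May 12 03:16:00 host sshd[21012]: Accepted password for root from 198.51.100.7 port 51299 ssh2"
}

# Constructed configs: one matching the deck's starting point, one hardened. Prints both paths.
write_sample_configs() {
    weak=$(mktemp); hard=$(mktemp)
    printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
    printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers admin@203.0.113.0/24\n' > "$hard"
    echo "$weak $hard"
}

# Demo run on the constructed data.
echo "== sources with >= 5 failed logins =="; sample_auth_log | failed_logins_by_ip 5
echo "== accepted root logins ==";            sample_auth_log | accepted_root_logins
set -- $(write_sample_configs)
echo "== weak config ==";     audit_sshd_config "$1"
echo "== hardened config =="; audit_sshd_config "$2"
rm -f "$1" "$2"
```

The threshold is deliberately low for the demo; on an Internet-facing host the interesting signal is the change in rate and the first success after the failures, which is why the two log functions are kept separate.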
