https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html
Recently the Akamai Security Intelligence Response Team (SIRT) released its analysis of the XOR DDoS threat, Trojan malware used to infect and hijack Linux-based systems. Attacks from the XOR DDoS botnet have ranged from low, single-digit Gbps attacks to 150+ Gbps. Watch this brief slideshow for the fast facts, and then get detection and mitigation recommendations from the full XOR DDoS Threat Advisory at www.stateoftheinternet.com/xorddos.
What is the XOR DDoS threat?
• The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps
• The gaming sector has been the primary target, followed by educational institutions
• The botnet has attacked up to 20 targets per day, 90% of which were in Asia
• XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
• The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords
2 / [The State of the Internet] / Security Threat Advisory
Binary infection indicators
• Execution requires root privileges
• The malware creates two copies of itself:
  • One copy in the /boot directory with a filename composed of 10 random alpha characters
  • One copy in /lib/udev with the filename udev
root@ubuntu:/boot# ls -la | egrep -i " [a-z]{10}$"
-rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
root@ubuntu:/boot# ls -la /lib/udev/udev
-r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev
Binary infection indicators
• Listing the open files with lsof shows the process that uses the malware binary (lsof truncates the command name to nine characters, hence the grep pattern)
root@ubuntu:/boot# lsof | grep snvnszjee
snvnszjee 5671 root cwd DIR 8,1 4096 918696 /home/user/Desktop
snvnszjee 5671 root rtd DIR 8,1 4096 2 /
snvnszjee 5671 root txt REG 8,1 619760 802459 /boot/snvnszjeez
snvnszjee 5671 root 0u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 1u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 2u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 3u sock 0,7 0t0 446764 can't identify protocol
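The file and process indicators on these two slides can be checked mechanically. The following Python script is an added example and is not part of Akamai's advisory: it looks for regular files in /boot whose names are exactly 10 letters (the same pattern as the egrep above), for a copy at /lib/udev/udev, and, by reading the Linux /proc tree that lsof also consults, for running processes whose executable is one of those files. The demo() function runs the checks over a constructed temporary directory tree (fake /boot, /lib and /proc with constructed names and pids) so the script can be tried offline; on a real host call check_host() with the defaults as root.

```python
import os
import re
import tempfile

# Indicators from the advisory slides: a copy in /boot named with 10 random
# alpha characters and a second copy at /lib/udev/udev. The pattern mirrors
# the egrep on the slide (case-insensitive, exactly 10 letters).
BOOT_NAME_RE = re.compile(r"^[a-z]{10}$", re.IGNORECASE)


def suspicious_boot_files(boot_dir):
    """Return names of regular files in boot_dir whose name is exactly 10 letters."""
    hits = []
    for name in sorted(os.listdir(boot_dir)):
        path = os.path.join(boot_dir, name)
        if os.path.isfile(path) and BOOT_NAME_RE.match(name):
            hits.append(name)
    return hits


def udev_copy_path(lib_dir):
    """Return lib_dir/udev/udev if it exists as a regular file, else None."""
    path = os.path.join(lib_dir, "udev", "udev")
    return path if os.path.isfile(path) else None


def processes_running_from(paths, proc_dir):
    """Return (pid, exe) for processes whose /proc/<pid>/exe points at one of paths.

    This is the information behind the 'txt' line in the lsof listing. Entries
    that cannot be read (other users' processes without root, or processes
    that already exited) are skipped.
    """
    wanted = {os.path.realpath(p) for p in paths}
    found = []
    if not os.path.isdir(proc_dir):
        return found
    for entry in sorted(os.listdir(proc_dir)):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_dir, entry, "exe"))
        except OSError:
            continue
        if exe in wanted:
            found.append((int(entry), exe))
    return found


def check_host(boot_dir="/boot", lib_dir="/lib", proc_dir="/proc"):
    """Run all three checks and return a report dict."""
    boot_hits = suspicious_boot_files(boot_dir)
    udev_hit = udev_copy_path(lib_dir)
    candidates = [os.path.join(boot_dir, n) for n in boot_hits]
    if udev_hit:
        candidates.append(udev_hit)
    procs = processes_running_from(candidates, proc_dir)
    return {
        "boot_files": boot_hits,
        "udev_copy": udev_hit is not None,
        "pids": [pid for pid, _ in procs],
        # A file hit alone warrants a look; a live process from it is a much stronger signal.
        "suspect": bool(boot_hits) or udev_hit is not None,
    }


def demo():
    """Build a constructed /boot, /lib and /proc layout in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as root:
        boot = os.path.join(root, "boot")
        lib_udev = os.path.join(root, "lib", "udev")
        proc = os.path.join(root, "proc")
        os.makedirs(boot)
        os.makedirs(lib_udev)
        # Ordinary-looking boot files (constructed names) must not match.
        for legit in ("vmlinuz-4.4.0-generic", "config-4.4.0-generic", "initrd.img"):
            open(os.path.join(boot, legit), "w").close()
        # Constructed infection artefacts mirroring the slide's listing.
        mal = os.path.join(boot, "snvnszjeez")
        open(mal, "w").close()
        open(os.path.join(lib_udev, "udev"), "w").close()
        # Fake /proc: pid 5671 runs the /boot copy, pid 1 does not.
        os.makedirs(os.path.join(proc, "5671"))
        os.symlink(os.path.realpath(mal), os.path.join(proc, "5671", "exe"))
        os.makedirs(os.path.join(proc, "1"))
        os.symlink("/sbin/init", os.path.join(proc, "1", "exe"))
        return check_host(boot, os.path.join(root, "lib"), proc)


if __name__ == "__main__":
    print(demo())
```

The process check is the part worth keeping in an incident playbook: a 10-letter file in /boot is only a name heuristic and can collide with legitimate files, whereas a running process whose executable lives in /boot or at /lib/udev/udev has no normal explanation on a Linux server.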
Toolkit analysis
• The decrypted payload consists of the following:
  • Target IP address (4 bytes)
  • Target port (2 bytes)
  • Payload data
  • DDoS flood type: SYN (05) or DNS (04)
  • If the command is for a DNS flood, the DNS query is placed after the target port
  • Size of the payload for the attack
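As an added illustration of the command structure listed above (example code, not Akamai's analysis code and not the malware's own code): a parser for one decrypted command, plus an aggregation step that turns a batch of captured commands into the list of targets an analyst would want to notify. The slide names the fields but not their byte order or encoding, so the layout used here is an assumption: a flood-type byte (0x05 SYN, 0x04 DNS), a 2-byte payload size, the 4-byte target IP, the 2-byte target port, and for DNS floods the query name immediately after the port. The sample commands are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
import struct
from collections import Counter

# Flood type values as given on the slide.
SYN_FLOOD = 0x05
DNS_FLOOD = 0x04
FLOOD_NAMES = {SYN_FLOOD: "SYN", DNS_FLOOD: "DNS"}

# Assumed header layout for this example (not taken from the advisory):
# type(1) size(2) ip(4) port(2), big-endian, then the DNS query for DNS floods.
HEADER = struct.Struct("!BH4sH")


def parse_command(blob):
    """Parse one decrypted flood command into a dict; raise ValueError if malformed."""
    if len(blob) < HEADER.size:
        raise ValueError("command shorter than fixed header")
    flood, size, ip_raw, port = HEADER.unpack_from(blob)
    if flood not in FLOOD_NAMES:
        raise ValueError(f"unknown flood type 0x{flood:02x}")
    rest = blob[HEADER.size:]
    cmd = {
        "flood": FLOOD_NAMES[flood],
        "target": str(ipaddress.IPv4Address(ip_raw)),
        "port": port,
        "size": size,
        "query": None,
    }
    if flood == DNS_FLOOD:
        # Per the slide, the DNS query follows the target port for DNS floods.
        if not rest:
            raise ValueError("DNS flood command without a query")
        cmd["query"] = rest.decode("ascii")
    elif rest:
        # Strict by design for this example: a SYN command carries no query.
        raise ValueError("unexpected trailing bytes in SYN flood command")
    return cmd


def summarize(blobs):
    """Count commands per (target, port, flood) so the victim list can be read off."""
    counts = Counter()
    for blob in blobs:
        cmd = parse_command(blob)
        counts[(cmd["target"], cmd["port"], cmd["flood"])] += 1
    return dict(counts)


# Constructed sample commands (documentation addresses, RFC 5737).
SAMPLE_SYN = HEADER.pack(SYN_FLOOD, 1460, bytes([192, 0, 2, 10]), 80)
SAMPLE_DNS = HEADER.pack(DNS_FLOOD, 512, bytes([198, 51, 100, 7]), 53) + b"example.com"

if __name__ == "__main__":
    for blob in (SAMPLE_SYN, SAMPLE_DNS):
        print(parse_command(blob))
    print(summarize([SAMPLE_SYN, SAMPLE_SYN, SAMPLE_DNS]))
```

Rejecting unknown type bytes and truncated commands matters in practice: a sinkholed or replayed C2 stream will contain noise, and a parser that silently produces half-filled records pollutes the target list that gets passed on to the affected networks.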
Toolkit analysis
• Once a flood command is received from the C2, the malware builds a SYN or DNS flood
Recommended DDoS detection methods
• Function names build_iphdr and build_tcphdr are associated with building the appropriate TCP/IP headers
• Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options
Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations
The report covers:
• Detailed explanation of the threat
• Indicators of infection
• Payload decryption
• Execution paths
• Static characteristics
• Snort and YARA rules
• Four steps for malware removal
Q3 2015 State of the Internet – Security Report
About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's Security Threat Advisories as well as data visualizations and other resources designed to put context around the ever-changing security threats that infect the Internet landscape.