quinta-feira, 19 de fevereiro de 2015

DDoS Malware for Linux Distributed via SSH Brute Force Attacks

Researchers at FireEye Have been Monitoring a Campaign in which Malicious Actors Use, Secure Shell (SSH) Brute Force Attacks to Install a Piece of DDoS Malware on Linux and Other Types of Systems. The Malware Dubbed, 'XOR.DDoS', was 1st Spotted Back in September by the 'Malware Must Die' Research Group, which Linked it to a Chinese Actor. 'XOR.DDoS' is Different from Other DDoS Bots because it’s Written in C/C++ and it Uses a Rootkit Component for Persistence. FireEye Started Analyzing 'XOR DDoS' in Mid-November, When it Spotted SSH Brute Force Attacks against its Global Threat Research Network Coming from IP Addresses belonging to Hee Thai Limited, an Organization apparently Based in Hong Kong. The Security Firm Saw More than 20,000 SSH Login Attempts per Server in the First 24 Hours.


The 2nd Phase of the Campaign Took Place between November 19 and November 30. By the End of November, FireEye had Observed Roughly 150,000 Login Attempts from Almost Every IP Address belonging to Hee Thai Limited. The 3rd Phase, which according to Researchers is More “Chaotic” than the Previous 2, Started on December 7 and Continues Even Today. Nearly 1 Million Login Attempts had been Seen on Each Server by the End of January. In Case an SSH Password is Successfully Brute-Forced, the Attackers Log in to the Targeted Server and Execute SSH Shell Commands. They Extract Kernel Headers and Version Strings from the Targeted Device and Use them to Create Customized Malware that’s Compiled On-Demand on Sophisticated Build Systems. Once it’s Installed on a System, the 'XOR.DDoS' Malware Connects to its Command and Control (C&C) Server, from which it Gets a List of Targets. In Addition to DDoS Attacks, the Bot is also Capable of Downloading and Executing Arbitrary Binaries and it Can Replace itself with a Newer Variant by Using a Self-Update Feature. The Problem for Victims is that, the SSH Commands Used by the Attackers, Don’t Show Up in Logs, FireEye Said. “Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity”, FireEye Researchers Explained in a Blog Post. “This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting.”


The Rootkit Component, whose Main Goal is to Hide Indicators of Compromise at Kernel Level, is Loaded as a Loadable Kernel Module (LKM), the Security Firm Said. Researchers Have Spotted 2 Variants of 'XOR.DDoS' in the Wild. Both Variants Can be Compiled for x86, ARM and Other Platforms as well. Both 'Malware Must Die' and Russia-Based Security Firm, Dr. Web, Have been Monitoring the Activities of a Similar China-Based Group Dubbed, “ChinaZ”. 'Malware Must Die' Reported in Mid-January that, the Threat Actor had been Using the ShellShock Exploit to Deliver DDoS Malware.




Info Sources:

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html

http://news.drweb.com/show/?i=9272&lng=en&c=5

http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html




0 comentários:

Enviar um comentário