Linux Malware used to target victims with 150 Gigs/second DDoS Attacks
Security experts at Akamai have discovered a piece of malware, called Linux XOR DDoS Botnet, which its authors use to run potent DDoS attacks against dozens of targets.
According to the security researchers, the Linux botnet, dubbed XOR DDoS or Xor.DDoS, targets gaming and education websites with potent DDoS attacks of up to 150 gigabytes per second of malicious traffic.
According to an advisory published by the content delivery network Akamai Technologies, the XOR DDoS botnet has targeted at least 20 websites each day; nearly 90 percent of the targets are located in Asia.
“Akamai’s Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware attackers are using to hijack Linux machines to include within a botnet for distributed denial of service (DDoS) campaigns. To date, the bandwidth of DDoS attacks coming from the XOR DDoS botnet has ranged from a few gigabits per second (Gbps) to 150+ Gbps. The gaming sector is the primary target, followed by educational institutions. Akamai SIRT released a threat advisory this morning authored by Security Response Engineer Tsvetelin “Vincent” Choranov.” states the advisory.
According to MalwareMustDie, the malware was authored by unknown Chinese hackers and was spotted during the #shellshock waves, although it does NOT use the #shellshock exploit itself. The researchers observed that the attackers disguise the IP addresses of the machines involved in the DDoS attack; in some cases they used IP spoofing techniques to make it harder for victims to defend their infrastructure.
XOR.DDoS relies on Linux machines that were compromised by cracking weak passwords protecting the command shell. Once the attackers have obtained access to the Linux machine, they use root privileges to launch a script that downloads and executes a malicious binary file.
To check whether your Linux machine is infected by the XOR.DDoS malware, use netstat to print the current network/internet connections. Use tcpdump for a more detailed analysis of which packets you are sending out, to identify unknown traffic. Another indication is processes running with random names and new executable files suddenly created in /etc/init.d/ or /usr/bin/. If new entries have been added to your crontab (/etc/crontab) as well, you are infected. You may use any command based on top or on ps to check for running malicious processes. If you are running the standard OpenSSH server, you may see an unauthorised but successful login followed immediately by a logout.
You can use these pointers to remove XOR.DDoS.
- Identify malicious processes: run ps -ef (ps stands for process status) to see which processes are running. Alternatively, you can use top, or again ps with other parameters, for example ps -ej or ps aux, for a more complete, human-readable table. Look for processes with random names; in our example the name started with S90 followed by random letters, linked to files with entirely random names, as is the case for our example malware named bmtsfnlgxu. Once you have identified the malicious process(es), you can use the following command to find the related files as well: for pid in $(ps -C <name> -o pid=); do ls -la /proc/$pid/fd; done
Where <name> is the name of the suspicious process. This command will display any open, related files. For example, for bmtsfnlgxu it would be:
for pid in $(ps -C bmtsfnlgxu -o pid=); do ls -la /proc/$pid/fd; done
- Identify malicious files: look for newly created files in /etc/init.d/, /boot/ and /usr/bin/. Again, look for files with random names. You may also use the command ls -lat | head to view recently changed files.
- Check your crontab (/etc/crontab). Delete the malicious cron jobs, specifically the cron.hourly jobs, which in the case of Xor.DDoS are the following:
*/3 * * * * root /etc/cron.hourly/cron.sh
*/3 * * * * root /etc/cron.hourly/udev.sh
Delete these two lines from your crontab. Don’t forget to save. Delete the related files, located in /etc/cron.hourly.
- Also double-check there are no malicious files or scripts in /etc/rc.d. If so, remove them as well.
- Stop and kill malicious processes: identify the parent process; usually it will be the one consuming the most CPU (which you can verify using any of the earlier commands, top being the easiest). First, be sure to stop the parent process and wait for the child processes to die. Use the command: kill -STOP $pid
- When the child processes are dead, kill the parent by using: kill -9 $pid
Note: in case you see any other malicious processes, go through the last 2 commands again.
- Delete any leftover malicious files: the locations where the malware may reside have been indicated above, but to be complete: /etc/init.d/, /boot/, /usr/bin/, /etc/cron.hourly/, /etc/rc.d/ and the entries in /etc/crontab.
Refer to Blaze's security blog for a complete analysis of XOR.DDoS.
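The detection hints above and the identification steps of the removal procedure can be bundled into one triage script. The following is an added example written for this page; it is not code from the article, from Akamai or from MalwareMustDie. It checks the exact crontab entries and directories the article names and reuses the article's /proc/<pid>/fd loop. Two things go beyond the text and are assumptions: the ROOT argument, which lets the checks run against a mounted disk image instead of the live system, and the "exactly ten lowercase letters" heuristic for random-looking names, which is modelled on the sample name bmtsfnlgxu rather than stated anywhere in the article. The script only reports; it does not kill or delete anything.

```shell
#!/bin/sh
# xor_triage.sh (added example, not from the article or the advisory).
# Usage: sh xor_triage.sh [ROOT]   -- ROOT defaults to /
# Reports the XOR.DDoS indicators listed in the article:
#   * the two cron.hourly jobs in ROOT/etc/crontab
#   * random-looking file names and recently changed files in the
#     drop directories (/etc/init.d, /boot, /usr/bin, /etc/rc.d, /etc/cron.hourly)
#   * running processes with random-looking names and their open files
# Assumption: "random-looking" = exactly 10 lowercase letters (from bmtsfnlgxu).

# Print crontab lines matching the two XOR.DDoS cron jobs named in the article.
xor_find_cron_entries() {
    root="${1:-/}"; root="${root%/}"
    crontab="$root/etc/crontab"
    [ -f "$crontab" ] || return 0
    grep -E 'cron\.hourly/(cron|udev)\.sh' "$crontab" || true
}

# Print names in DIR that consist of exactly 10 lowercase letters.
xor_random_names() {
    dir="$1"
    [ -d "$dir" ] || return 0
    ls -1 "$dir" | grep -E '^[a-z]{10}$' || true
}

# Print regular files directly under DIR modified within DAYS days (default 7).
xor_recent_files() {
    dir="$1"; days="${2:-7}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -mtime "-$days" 2>/dev/null | sort
}

# Print "pid name" for running processes whose command name looks random.
# Uses a length test instead of an ERE interval so it works with mawk too.
xor_suspicious_procs() {
    command -v ps >/dev/null 2>&1 || return 0
    ps -eo pid=,comm= | awk 'length($2) == 10 && $2 ~ /^[a-z]+$/ { print $1, $2 }'
}

# The article's loop: list the open file descriptors of every process
# called NAME (e.g. bmtsfnlgxu) to expose the files it is using.
xor_proc_fds() {
    name="$1"
    command -v ps >/dev/null 2>&1 || return 0
    for pid in $(ps -C "$name" -o pid=); do
        echo "== $name pid $pid =="
        ls -la "/proc/$pid/fd" 2>/dev/null || true
    done
}

# Run every check against ROOT and print a report. Always exits 0 so it can
# be chained in a larger incident-response script.
xor_triage() {
    root="${1:-/}"; root="${root%/}"
    echo "# XOR.DDoS cron entries in $root/etc/crontab"
    xor_find_cron_entries "$root"
    for d in etc/init.d boot usr/bin etc/rc.d etc/cron.hourly; do
        echo "# random-looking names in $root/$d"
        xor_random_names "$root/$d"
        echo "# files changed in the last 7 days in $root/$d"
        xor_recent_files "$root/$d"
    done
    echo "# running processes with random-looking names"
    xor_suspicious_procs
    for p in $(xor_suspicious_procs | awk '{ print $2 }'); do
        xor_proc_fds "$p"
    done
    return 0
}

xor_triage "${1:-/}"
```

A hit on the crontab check is the strongest indicator, since those two lines are specific to this malware; the name and mtime checks are heuristics and will also list legitimate packages updated in the last week, so read that part of the report alongside your package manager's logs before deleting anything.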