Trojan Threatens Linux Networks

Extreme Hacking
Advanced Ethical Hacking Institute in Pune

Credits: Oliver Freeman

The Security Intelligence Response Team issued a high-risk threat advisory for XOR DDoS proliferation.

The XOR DDoS Trojan is used to hijack Linux servers to build a botnet for distributed denial-of-service attacks with SYN and DNS floods.

The massive Linux-based botnet, which they discovered last year, can take down websites under a flood of DDoS traffic exceeding 150 Gbps using heavy volumes of junk network traffic.

The malware compromises Linux systems using network routers and other embedded devices to apply brute-force attacks to gain Secure Shell access.

How severe is the risk? The risk for infection depends on if root authentication is enabled using a weak password. Though this process has been widely spoken about, the XOR DDoS botnet is a prime example of how security best practices are still being disregarded.

 Attack Vectors

The bandwidth of the DDoS attacks from the XOR DDoS botnet ranges from a few gigabits per second to more than 150 Gbps. It attacks up to 20 targets per day, mostly gaming websites and educational institutions.

The SIRT mitigated two DDoS attacks orchestrated by the XOR DDoS botnet in August. One of the attacks measured nearly 50 Gbps, and the other was almost 100 Gbps. The malware’s origin is Asian, based on the command-and-control IP addresses and source IP addresses of the attack payloads About 90 percent of the attacks have occurred in Asia.

News of the XOR DDoS Secure Shell login vector used to distribute malware is especially troubling since the attacks come on the heels of a series of high-profile hacks and breaches caused by insufficiently secured credentials. The explosion of IoT-style devices is only broadening the attack surface further.
How It Works

The botnet’s attack methods are pretty significant. It spreads by using SSH brute force as its point of entry, then executes commands to download itself to a computer. If the password is long and complex or PEM (Privacy Enhanced Mail) keys are being used, the chances of infection are low. This reinforces best practices. The malware doesn’t spread via a host vulnerability. Instead, it populates via Secure Shell services that are susceptible to brute-force attacks because of weak passwords. Once the attackers gain login credentials, they use root privileges to run a Bash shell script that downloads and executes the malicious binary.
Persistent Perp

The malicious binary code creates two copies of itself. One is in the /boot directory with a filename composed of 10 random alpha characters. The second copy is in /lib/udev with a filename of “udev.”

The copy in /boot allows reading, writing and execution. The copy in /lib/udev only has read permissions. Only the root user only can access both copies.

To ensure persistence, the malware executes multiple short-lived processes. That determines whether the main process is running. If not, it creates and executes a new copy in /boot using a new randomized 10-character name.

That process is hidden using common rootkit techniques. Using tools that show running processes, the malware masks itself using the name of a common Linux tool such as “top,” “grep,” “ls” or “ifconfig,” with an assortment of randomized flags to further blend in on a busy system.

Persistence is maintained after reboot. The bot creates a startup script in /etc/init.d directory using the same filename as the malware dropped in /boot.
Risk Factors

The primary risk from an XOR DDoS attack is being taken offline. Another concern is the availability of computing resources. This type of cyberattack is so successful largely because of careless password management. To simplify administration, many IT teams use the same local password across multiple servers, service accounts and applications and rarely, if ever, change them en masse. This problem can lead to a variety of malicious activities and can result in an increased success rate for these types of brute-force attacks.

IT departments often ignore the type of help already available to mitigate DDoS attacks. DDoS is the bane of the Internet. There are whole businesses out there to help you mitigate these types of risk. If your Web presence is not behind a service like these, then you need to move to one immediately if you want your Web presence to stay operational.

Several cloud or on-site DDoS mitigation solutions can protect an organization from the damage this botnet can potentially cause. The SIRT included recommended remediations for malware infection and detection against the DDoS attack payloads in its advisory. We recommend network assessments to be conducted regularly, as well as constant monitoring of network traffic and the implementation of strong security policies.

Companies should purchase redundant connections or get a DoS protection provider to ensure that actions can be taken outside of their networks. Plus, companies need to be careful when relying on firewalls as a method of blocking these types of attacks. Most companies see availability as the highest concern and therefore fail over if the firewall gets overutilized. Unfortunately for a website chosen as a target of the botnet, defending against DDoS attacks can be difficult. The sheer size of the botnet can overwhelm most high-speed Internet connections, and it may require the cooperation of multiple network operators and service providers to mitigate a DDoS attack launched by the botnet.

Sites with network devices or firewalls that can recognize and mitigate against a DDoS attack have a better chance at weathering an attack without requiring outside assistance.
Passwords Prevent Problems

To reduce exposure to this malware, Linux administrators should ensure that all passwords are complex and unique.

Remote SSH logins should be restricted by a firewall to only those IP addresses that are authorized to access. If remote SSH is not required, the service should be blocked and disabled.

It also is recommended that Linux administrators enable for interactive remote SSH logins a two-factor authentication mechanism, such as Google Authenticator, which is available as an optional package for many popular Linux distributions. Additionally, Linux administrators should scan their systems regularly for malware.