akamai.com
[XOR DDoS Threat Advisory]
What is the XOR DDoS threat
• The XOR DDoS botnet has produced DDoS attacks ranging from a few Gbps to 150+ Gbps
• The gaming sector has been the primary target, followed by educational institutions
• The botnet has attacked up to 20 targets per day, 90% of which were in Asia
• XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines
• The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords
2 / [The State of the Internet] / Security Threat Advisory
Binary infection indicators
• Execution requires root privileges
• The malware creates two copies of itself:
  • One copy in the /boot directory with a filename composed of 10 random alpha characters
  • One copy in /lib/udev with the filename udev
root@ubuntu:/boot# ls -la | egrep -i " [a-z]{10}$"
-rwxr-x--- 1 root root 619760 Aug 12 07:56 snvnszjeez
root@ubuntu:/boot# ls -la /lib/udev/udev
-r-------- 1 root root 619760 Aug 12 07:56 /lib/udev/udev
• Listing open files with lsof shows the process running from the malware binary. lsof truncates the COMMAND column to nine characters by default, which is why the ten-character filename snvnszjeez appears as snvnszjee in the listing below (and why the grep matches on the shorter form); the txt entry still shows the full path of the executable.
root@ubuntu:/boot# lsof | grep snvnszjee
snvnszjee 5671 root cwd DIR 8,1 4096 918696 /home/user/Desktop
snvnszjee 5671 root rtd DIR 8,1 4096 2 /
snvnszjee 5671 root txt REG 8,1 619760 802459 /boot/snvnszjeez
snvnszjee 5671 root 0u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 1u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 2u CHR 1,3 0t0 5626 /dev/null
snvnszjee 5671 root 3u sock 0,7 0t0 446764 can't identify protocol
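The file and process indicators on the two slides above, turned into a host check. This is an added example, not Akamai's tooling or part of the advisory. It assumes nothing beyond the paths the advisory names (/boot and /lib/udev/udev) and Linux /proc; the demo tree that run_demo() builds (the file names, a 1 KB stand-in for the 619760-byte binary, and a ten-letter directory that must not match) is constructed here to mirror the listing above.

```python
"""Host check for the XOR DDoS file and process indicators.

Added example, not the advisory's tooling. Looks for:
  - a regular file in /boot named with exactly ten lowercase letters
  - a regular file at /lib/udev/udev
  - whether the two have the same size (the advisory shows both at 619760 bytes)
  - any running process whose /proc/<pid>/exe resolves under /boot
"""
import os
import re
import stat
import tempfile

TEN_LOWER = re.compile(r"^[a-z]{10}$")


def boot_candidates(boot_dir="/boot"):
    """Regular files directly under boot_dir whose name is ten lowercase letters."""
    hits = []
    try:
        names = sorted(os.listdir(boot_dir))
    except OSError:
        return hits
    for name in names:
        path = os.path.join(boot_dir, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        # A directory or symlink with a ten-letter name is not the dropped binary.
        if stat.S_ISREG(st.st_mode) and TEN_LOWER.match(name):
            hits.append((path, st.st_size))
    return hits


def udev_copy(root="/"):
    """(path, size) of <root>/lib/udev/udev if it is a regular file, else None."""
    path = os.path.join(root, "lib", "udev", "udev")
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return (path, st.st_size) if stat.S_ISREG(st.st_mode) else None


def same_size_pairs(candidates, udev):
    """Candidates whose size equals the /lib/udev/udev copy (both are the same binary)."""
    if udev is None:
        return []
    return [c for c in candidates if c[1] == udev[1]]


def processes_running_from(boot_dir="/boot", proc="/proc"):
    """PIDs whose executable (lsof's 'txt' entry) lives under boot_dir."""
    found = []
    prefix = os.path.abspath(boot_dir) + os.sep
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return found  # no procfs here
    for pid in pids:
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # exited, or not ours to read without root
        if exe.startswith(prefix):
            found.append((int(pid), exe))
    return found


def run_demo():
    """Scan a constructed tree that mirrors the advisory's listing."""
    with tempfile.TemporaryDirectory(prefix="xorddos-demo-") as root:
        boot = os.path.join(root, "boot")
        udev_dir = os.path.join(root, "lib", "udev")
        os.makedirs(boot)
        os.makedirs(udev_dir)
        os.makedirs(os.path.join(boot, "grubgrubgr"))   # ten letters, but a directory
        blob = b"\x7fELF" + b"\x00" * 1020               # stand-in for the 619760-byte binary
        for path in (os.path.join(boot, "snvnszjeez"),    # name from the advisory
                     os.path.join(udev_dir, "udev")):
            with open(path, "wb") as f:
                f.write(blob)
        with open(os.path.join(boot, "vmlinuz-4.4.0-31-generic"), "wb") as f:
            f.write(b"\x00" * 64)                         # legitimate-looking, must not match
        cands = boot_candidates(boot)
        udev = udev_copy(root)
        return {
            "candidates": [os.path.basename(p) for p, _ in cands],
            "udev_present": udev is not None,
            "same_size": [os.path.basename(p) for p, _ in same_size_pairs(cands, udev)],
            "running_from_boot": processes_running_from(boot),
        }


if __name__ == "__main__":
    print("demo tree:", run_demo())
    print("this host:", boot_candidates(), udev_copy(), processes_running_from())
```

Run it as root on a suspect host: a ten-letter file in /boot whose size equals /lib/udev/udev, or any process whose exe link points into /boot, matches the indicators above. An empty result is not a clean bill of health; the check covers only what this advisory documents.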
Toolkit analysis
• Communications between the C2 and the bot occur over TCP port 3502
• The bot registers itself with the C2 using the following payload (captured with tcpdump; bot and C2 addresses are redacted as x.x.x.x and y.y.y.y)
17:12:16.984371 IP x.x.x.x.49316 > y.y.y.y.3502: Flags [P.], seq 29:301, ack 1, win 29200, length 272
0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e E..8J.@.@.......
0x0010: xxxx xxxx c0a4 0dae 148c 0d91 8b7e 29a8 .............~).
0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641 P.r......A2FA36A
0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124 ......w.lr.us.Q$
0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641 /$KW1F0BB2FA36A
0x0050: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0060: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0070: 4141 3935 3458 7008 7442 3246 4133 3641 AA954Xp.tB2FA36A
0x0080: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0090: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641 AA9541w.pp.rA36A
0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30 AA9541FY.(Z<#_L0
0x0100: 2428 4c5b 4452 2453 272a 5e34 2f46 4e26 $(L[DR$S'*^4/FN&
0x0110: 282b 5846 4055 2530 1116 7312 0870 3641 (+XF@U%0..s..p6A
0x0120: 4141 3935 3431 4630 736c 0368 7433 3641 AA9541F0sl.ht36A
0x0130: 4141 3935 3431 4630 AA9541F0
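Recovering the XOR key and the plaintext of the registration message above. This is an added example, not part of the advisory, and the advisory does not state the key; it is read off the dump itself. The message is mostly zero-padded, and a zero byte XORed with the key leaves the key byte unchanged, so the 16-byte block that repeats throughout the ciphertext (the run of BB2FA36AAA9541F0 visible in tcpdump's ASCII column) is the key. The hex lines are transcribed from the slide with the redacted destination address replaced by 192.0.2.1 (a documentation address) so the packet parses. Two assumptions: the key is 16 bytes long, and the keystream starts at the first payload byte of this segment; both are borne out by the readable text that falls out (a kernel release string, a machine type, and a few short tokens).

```python
"""Recover the repeating XOR key of the bot's registration message and decrypt it.

Added example, not the advisory's code. Works on `tcpdump -X` text as printed on the
slide; the ASCII column is ignored while parsing.
"""
import re
from collections import Counter

# Transcribed from the advisory (seq 29:301, 272 payload bytes). The destination
# address (redacted on the slide) is replaced here with 192.0.2.1 (constructed).
C2_REGISTRATION_DUMP = """
0x0000: 4500 0138 4a85 4000 4006 8cbf c0a8 ac9e E..8J.@.@.......
0x0010: c000 0201 c0a4 0dae 148c 0d91 8b7e 29a8 .............~).
0x0020: 5018 7210 bca1 0000 ab41 3246 4133 3641 P.r......A2FA36A
0x0030: bebe c6ca 071f 7703 6c72 1f75 731e 5124 ......w.lr.us.Q$
0x0040: 2f24 4b5c 5731 4630 4242 3246 4133 3641 /$KW1F0BB2FA36A
0x0050: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0060: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0070: 4141 3935 3458 7008 7442 3246 4133 3641 AA954Xp.tB2FA36A
0x0080: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x0090: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00a0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00b0: 4141 3935 3431 771a 7070 0b72 4133 3641 AA9541w.pp.rA36A
0x00c0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00d0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00e0: 4141 3935 3431 4630 4242 3246 4133 3641 AA9541F0BB2FA36A
0x00f0: 4141 3935 3431 4659 2028 5a3c 235f 4c30 AA9541FY.(Z<#_L0
0x0100: 2428 4c5b 4452 2453 272a 5e34 2f46 4e26 $(L[DR$S'*^4/FN&
0x0110: 282b 5846 4055 2530 1116 7312 0870 3641 (+XF@U%0..s..p6A
0x0120: 4141 3935 3431 4630 736c 0368 7433 3641 AA9541F0sl.ht36A
0x0130: 4141 3935 3431 4630 AA9541F0
"""

HEX_WORD = re.compile(r"^[0-9a-f]{4}$")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def parse_tcpdump_x(dump):
    """Bytes from `tcpdump -X` lines: up to eight lowercase 4-hex-digit words per line,
    stopping at the first word that is not one (the start of the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s+(.*)", line)
        if not m:
            continue
        for word in m.group(1).split()[:8]:
            if not HEX_WORD.match(word):
                break
            out += bytes.fromhex(word)
    return bytes(out)


def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers, honouring IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]


def recover_xor_key(cipher, key_len=16):
    """The most frequent key_len-aligned block: wherever the plaintext is 0x00 the
    ciphertext equals the key, and this message is mostly zero padding."""
    blocks = [cipher[i:i + key_len] for i in range(0, len(cipher) - key_len + 1, key_len)]
    if not blocks:
        raise ValueError("ciphertext shorter than one key block")
    return Counter(blocks).most_common(1)[0][0]


def xor_decrypt(cipher, key):
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))


def decode_registration(dump=C2_REGISTRATION_DUMP):
    cipher = tcp_payload(parse_tcpdump_x(dump))
    key = recover_xor_key(cipher)
    plain = xor_decrypt(cipher, key)
    return {"length": len(cipher), "key": key, "plaintext": plain,
            "strings": PRINTABLE_RUN.findall(plain)}


if __name__ == "__main__":
    r = decode_registration()
    print("payload bytes:", r["length"], "key:", r["key"])
    for s in r["strings"]:
        print(" ", s.decode("ascii"))
```

Of the decoded strings, 3.13.0-32-generic and i686 are recognisable as the kernel release and machine type that uname reports; the others (a counter-like 1*2294, a 32-letter random string, STATIC, 1.1.5) are reported as found, without a claimed meaning. The same key recovery fails on a message with little zero padding; there, take the key from a padded message first and reuse it.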
Toolkit analysis
• The decrypted command payload consists of the following:
  • Target IP address (4 bytes)
  • Target port (2 bytes)
  • Payload data
  • DDoS flood type: SYN (05) or DNS (04)
  • If the command is for a DNS flood, the DNS query is placed after the target port
  • Size of the payload for the attack
DDoS attack payloads
• Sample SYN flood attack traffic captured in a controlled lab environment (the destination address is redacted as X.X.X.X)
17:49:33.969933 IP 172.16.108.137.49020 > X.X.X.X.80: Flags [S], seq 3212631378:3212632377, win 65535, options [mss 1460,nop,nop,sackOK], length 999
0x0000: 4500 0417 bf7c 0000 8006 da46 ac10 6c89 E....|.....F..l.
0x0010: XXXX XXXX bf7c 1f90 bf7c dd52 0000 0000 .....|...|.R....
0x0020: 7002 ffff 663e 0000 0204 05b4 0101 0402 p...f>..........
... 0x00 filled ...
0x0400: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0410: 0000 0000 0000 00 .......
• Sample DNS flood attack traffic captured in the same lab environment
12:14:48.274303 IP 172.16.108.137.18981 > X.X.X.X.53: UDP, length 40
0x0000: 4500 0044 4a25 0000 8011 5366 ac10 6c89 E..DJ%....Sf..l.
0x0010: XXXX XXXX 4a25 0035 0030 cedc 4a25 0120 ....J%.5.0..J%..
0x0020: 0001 0000 0000 0001 0765 7861 6d70 6c65 .........example
0x0030: 0363 6f6d 0000 0100 0100 0029 1000 0000 .com.......)....
0x0040: 0000 0000
Toolkit analysis
• Once a flood command is received from the C2, the malware builds a SYN or DNS flood
Recommended DDoS detection methods
• The function names build_iphdr and build_tcphdr are associated with building the IP and TCP headers of the flood packets
• Predefined data structures used include SIZE_TCP_H and SIZE_IP_H with options
Download the XOR DDoS Security Threat Advisory for full detection and removal recommendations
The report covers:
• Detailed explanation of the threat
• Indicators of infection
• Payload decryption
• Execution paths
• Static characteristics
• Snort and YARA rules
• Four steps for malware removal
Q3 2015 State of the Internet – Security Report
About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as
the home for content and information intended to provide an
informed view into online connectivity and cybersecurity trends
as well as related metrics, including Internet connection speeds,
broadband adoption, mobile usage, outages, and cyber-attacks
and threats.
Visitors to www.stateoftheinternet.com can find current and
archived versions of Akamai’s Security Threat Advisories as
well as data visualizations and other resources designed to put
context around the ever-changing security threats that infect the
Internet landscape.
