
The newly discovered 'XOR.DDoS trojan infects Linux systems to possibly build an


13 replies to this topic

#1 old rocker

Posted 08 January 2015 - 07:21 PM

http://www.scmagazine.com/malware-targets-linux-and-arm-architecture/article/391497/





#2 NickAu (Moderator)

Posted 08 January 2015 - 07:36 PM

 

> Installation Script & Infection Vector
>
> The infection starts with an attempt to brute force the SSH login credentials of the root user. If successful, the attackers gain access to the compromised machine, then install the Trojan, usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.
>
> In the requests below, the iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system with the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under "3.8.0-19-generic\ SMP\ mod_unload\ modversions\ 686\ ", which has the MD5 hash CE74BF62ACFE944B2167248DD0674977.
>
> Three GET requests are issued to the C&C. The first one is performed by the check procedure (note the original misspelling):

Read more here:

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072


Arch Linux.
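The Avast excerpt above describes the entry point as an online brute force of root's SSH password. As an added example (not from the thread or from the Avast write-up), here is detection logic for exactly that pattern, run over OpenSSH auth.log lines. The log lines are constructed for the example; the message formats ("Failed password for ...", "Accepted password for ...") are the standard OpenSSH ones, but the hostnames, addresses and ports are made up.

```python
# Added example (not from the thread or the Avast write-up): detection logic for
# the SSH root brute force the excerpt above describes, run over OpenSSH
# auth.log lines. The log lines are constructed for this example; the message
# formats are the standard OpenSSH ones, the hosts, IPs and ports are made up.
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Jan  8 19:01:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 40210 ssh2
Jan  8 19:01:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40211 ssh2
Jan  8 19:01:04 host sshd[1003]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jan  8 19:01:05 host sshd[1004]: Failed password for root from 203.0.113.5 port 40213 ssh2
Jan  8 19:01:06 host sshd[1005]: Accepted password for root from 203.0.113.5 port 40214 ssh2
Jan  8 19:02:00 host sshd[1011]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
Jan  8 19:02:01 host sshd[1012]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan  8 19:03:00 host sshd[1013]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2
"""

# One regex covers both outcomes; sshd inserts 'invalid user' for usernames
# that do not exist, and that prefix must not end up inside the user field.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def root_bruteforce_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed password logins as root."""
    failures = Counter(
        e["ip"] for e in events
        if e["result"] == "Failed" and e["user"] == "root" and e["method"] == "password"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def suspected_root_compromises(events):
    """IPs whose root password login succeeded after earlier failures from the
    same IP: guess-until-it-works, which is the trojan's way in."""
    failed_from = set()
    hits = []
    for e in events:
        if e["user"] != "root" or e["method"] != "password":
            continue
        if e["result"] == "Failed":
            failed_from.add(e["ip"])
        elif e["ip"] in failed_from and e["ip"] not in hits:
            hits.append(e["ip"])
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", root_bruteforce_sources(evts))
    print("root logins after failures:", suspected_root_compromises(evts))
```

On a real host feed it /var/log/auth.log (or the output of journalctl -u ssh). The count of failures is the noisy signal, since every Internet-facing sshd sees it; the line worth paging on is the one `suspected_root_compromises` returns, a successful root password login from an address that was just failing.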


#3 mremski

Posted 09 January 2015 - 10:48 AM

Nick, that's good info in what you pointed to. It implies that if you are running sshd, having PermitRootLogin = no should prevent it (meaning a normal user and sudo are needed). Then, if your system is not being updated, set a bunch of directories ro (like /etc on down, /lib/modules, probably others). It would also be interesting to see what the attack vector would do on an SELinux-enabled system.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#4 DeimosChaos (BC Advisor)

Posted 10 January 2015 - 10:07 PM

If you also have an SSH server running, make sure to set up key authentication with a strong password, then turn off just password authentication. This forces SSH to authenticate with the public/private keys you set up. That makes it next to impossible to brute force, since the attacker won't have the appropriate key and the system will just drop the connection.

OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +
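The two settings the previous two posts recommend (PermitRootLogin no, then password authentication off in favour of keys) are simple to type into sshd_config and easy to get wrong in one specific way: sshd takes the first value it sees for a keyword, so a "PermitRootLogin no" appended below a stock "PermitRootLogin yes" changes nothing. The following is an added example (not the screenshot posted later in this thread, and not OpenSSH's own code) that audits a config text with that rule applied. Both config texts are constructed for the example; the default values are those of the OpenSSH 6.x releases current when this thread was written.

```python
# Added example (not the screenshot from the thread, and not OpenSSH's own
# code): a small audit of an sshd_config for the settings mremski and
# DeimosChaos recommend, PermitRootLogin no plus password authentication off.
# It honours the sshd_config rule that the FIRST value given for a keyword
# wins. Both config texts are constructed for the example.
import re

WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
# appended later as a "fix": sshd ignores it, the first value above wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
# passwords for one management host only; a Match block does not change
# the global setting, which is what the audit checks
Match Address 192.0.2.10
    PasswordAuthentication yes
"""

# Wanted values. ChallengeResponseAuthentication covers keyboard-interactive,
# which PAM turns back into a password prompt if it is left on.
WANTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# What sshd assumes when a keyword is absent (OpenSSH 6.x defaults;
# 7.0 later changed PermitRootLogin's default to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
KV_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def effective_settings(config_text):
    """Global settings as sshd resolves them: comments stripped, first
    occurrence wins, and parsing stops at the first Match block because
    everything below it is conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0].lower() == "match":
            break
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        settings.setdefault(key, value)   # first value wins
    return settings


def audit(config_text):
    """Return (keyword, effective_value, wanted_values) for every failing setting."""
    settings = effective_settings(config_text)
    findings = []
    for key, ok in WANTED.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in ok:
            findings.append((key, value, sorted(ok)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

On a live host the authoritative check is `sshd -T` (run as root), which prints the values sshd will actually use after all the first-wins resolution; grep it for PermitRootLogin and PasswordAuthentication rather than trusting the file. Keep the session you are editing from open, reload sshd, and confirm a key-based login works from a second session before closing the first one.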


#5 Zach6656

Posted 10 January 2015 - 11:27 PM

GAH! I just set up dual boot on my Acer AO722 and I can't get a virus... no no nope no no NO!


always use DD-WRT for all your routers, if you cant get it for them, throw them away


#6 Zach6656

Posted 10 January 2015 - 11:34 PM

Great... this also means that my routers are at risk too -_- and my tablet... and my iPhone and anything else Android, iOS, or Linux we own (just realized that this includes PS3s, PS4s, smart TVs, Blu-ray players and most open source project boards [RPi, BPi, BBone etc.]).


ugh




#7 NickAu (Moderator)

Posted 10 January 2015 - 11:35 PM

Something like this?

[screenshot: vgn4i9.png, contents edited]



#8 DeimosChaos (BC Advisor)

Posted 11 January 2015 - 07:48 PM

> Something like this?
>
> [screenshot: vgn4i9.png, contents edited]


Yup. Key authentication is important for SSH.



#9 bmike1

Posted 11 January 2015 - 08:13 PM

> Great... this also means that my routers are at risk too -_- and my tablet... and my iPhone and anything else Android, iOS, or Linux we own (just realized that this includes PS3s, PS4s, smart TVs, Blu-ray players and most open source project boards [RPi, BPi, BBone etc.]).
>
> ugh

Just don't put simple passwords on your systems. As for things you don't put passwords on, what can they do with a Blu-ray player?

 

Here is a recommendation for a password: an old phone number with the special characters and your initials. That is, at the least, 15 characters, which would take forever to figure out with brute force.



A/V Software? I don't need A/V software. I've run Linux since '98 w/o A/V software and have never had a virus. I never even had a firewall until '01 when I began to get routers with firewalls pre installed. With Linux if a vulnerability is detected a fix is quickly found and then upon your next update the vulnerability is patched.  If you must worry about viruses  on a Linux system only worry about them in the sense that you can infect a windows user. I recommend Linux Mint or, if you need a lighter weight operating system that fits on a cd, MX14 or AntiX.


#10 cat1092 (BC Advisor)

Posted 15 January 2015 - 01:47 AM

 

 

> Here is a recommendation for a password: an old phone number with the special characters and your initials. That is, at the least, 15 characters, which would take forever to figure out with brute force.

 

I do this also, just not on my bank & other transaction accounts. 

 

Old phone numbers from years ago are a great foundation for an easy to remember, yet complex, password. I'll always add a few of these in the mix for a strong password: ~!@#$%^&*()_+. Just adding one makes a dictionary attack hard; adding a couple more makes a brute force attack literally impossible, making the attacker move on to easier pickings.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#11 bmike1

Posted 15 January 2015 - 03:37 AM

 

> I do this also, just not on my bank & other transaction accounts.

 

 

Why not? '(xxx)xxx-xxxxinitials' is an uncrackable password. To make it even more so, do it a second time in reverse order. There are so many easy-to-remember ways to do impenetrable passwords. To use the same password yet make it different, put your initials somewhere else or use another character for the parentheses/dashes... or do both! It is up to you how paranoid you are.




#12 NickAu (Moderator)

Posted 15 January 2015 - 03:41 AM

If you want to see how strong the passwords you use are, try GRC Haystack:

https://www.grc.com/haystack.htm

 

This is an example of the types of passwords I use (password edited out).

[screenshot: 2cpqkop.png]

 

 

And there is a password generator here.

https://www.grc.com/passwords.htm




#13 bmike1

Posted 15 January 2015 - 03:57 AM

I edited the post you are responding to. In any case, this is what it says about the simple version of my password:

 

> Online Attack Scenario:
> (Assuming one thousand guesses per second) 64.65 billion centuries
>
> Offline Fast Attack Scenario:
> (Assuming one hundred billion guesses per second) 6.46 hundred centuries
>
> Massive Cracking Array Scenario:
> (Assuming one hundred trillion guesses per second) 64.65 years

 

I feel safe.


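The haystack figures quoted in the post above are pure search-space arithmetic: the number of strings of up to the given length over the character classes the password uses, divided by a guess rate. As an added example (not the GRC tool's code and not part of any post in this thread), the block below reproduces that arithmetic and sets it beside the much smaller space an attacker has to search if the "(xxx)xxx-xxxx plus initials" recipe recommended earlier in the thread is known. The alphabet size of 62 and length of 13 are this example's guess at what produces the 64.65-year figure; the guess rates are the three the haystack output lists; the count of layout variants is an assumption.

```python
# Added example (not the GRC tool and not a post from the thread): the
# arithmetic behind the haystack figures quoted above, set against the far
# smaller search an attacker runs if the '(xxx)xxx-xxxx' + initials recipe
# is known. Alphabet size, password length, guess rates and the number of
# layout variants are this example's own assumptions.
SECONDS_PER_YEAR = 365 * 24 * 3600
# The three scenarios the quoted haystack output lists, in guesses per second.
RATES = {"online": 1e3, "offline fast": 1e11, "massive array": 1e14}


def haystack_search_space(alphabet_size, length):
    """Guesses needed to exhaust every password of 1..length characters over
    an alphabet of the given size (the haystack counts the shorter ones too)."""
    return sum(alphabet_size ** k for k in range(1, length + 1))


def years_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / SECONDS_PER_YEAR


def phone_pattern_space(initials=3, layouts=8):
    """Candidates an attacker who knows the recipe has to try: 10**10 phone
    numbers, 26**initials choices of initials, and a handful of layouts
    (initials before or after, which separator characters, reversed or not;
    8 is an assumption). Knowing the area code would cut this by 1,000 more."""
    return 10 ** 10 * 26 ** initials * layouts


def compare(length=13, alphabet_size=62):
    """Years per scenario as (blind search of the full space, pattern search).
    13 characters of letters and digits (62 symbols) lands within a percent
    of the 64.65-year massive-array figure quoted above."""
    full = haystack_search_space(alphabet_size, length)
    patt = phone_pattern_space()
    return {name: (years_to_exhaust(full, r), years_to_exhaust(patt, r))
            for name, r in RATES.items()}


if __name__ == "__main__":
    for name, (full, patt) in compare().items():
        print(f"{name:14s} blind {full:12.4g} yr   pattern {patt:12.4g} yr")
```

Two things fall out of the numbers. Against the online guessing XOR.DDoS does (the 1,000-per-second row, which is generous for sshd), even the pattern space takes tens of thousands of years, so any long password beats that vector and key-only authentication removes it entirely. The gap between the two columns only matters once a hash leaks and is cracked offline, where a rule-based cracker that knows the recipe finishes the pattern space in seconds on the massive-array row rather than decades; the haystack measures how big the haystack is, not how hard the needle is to find.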


#14 mremski

Posted 15 January 2015 - 08:22 AM

Nick, another good link. I've seen references to that site in a bunch of places, I think even referenced in a book about hacking the WRT54G. It's good for setting up strong WiFi protections.






