{"id":7586,"date":"2015-02-06T12:30:03","date_gmt":"2015-02-06T17:30:03","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=7586"},"modified":"2015-02-06T12:30:03","modified_gmt":"2015-02-06T17:30:03","slug":"sneaky-linux-malware-comes-with-sophisticated-custom-built-rootkit","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/06\/sneaky-linux-malware-comes-with-sophisticated-custom-built-rootkit\/","title":{"rendered":"Sneaky Linux malware comes with sophisticated custom-built rootkit"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2881152\/ddos-malware-for-linux-systems-comes-with-sophisticated-custombuilt-rootkit.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/02\/angry-linux-100535581-large.png\" alt=\"\" \/><\/a><\/p>\n<p>A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that\u2019s custom built for each infection.<\/p>\n<p>The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. However, it has since evolved and new versions were seen in the wild as recently as Jan. 20, according to a new report Thursday from security firm FireEye, which analyzed the threat in detail.<\/p>\n<p>XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks launched primarily from Internet Protocol (IP) addresses registered to a Hong Kong-based company called Hee Thai Limited.<\/p>\n<p>The attacks attempt to guess the password for the root account by using different dictionary-based techniques and password lists from past data breaches. 
FireEye observed well over 20,000 SSH login attempts per targeted server within a 24-hour period and more than 1 million per server between mid-November and end of January.<\/p>\n<p>When the attackers manage to guess the root password they send a complex SSH remote command\u2014sometimes over 6,000 characters long\u2014that consists of multiple shell commands separated by semicolons. These commands download and execute various scripts as part of a sophisticated infection chain that relies on an on-demand malware building system.<\/p>\n<p>The use of SSH remote commands is significant because OpenSSH does not log such commands, \u201ceven when logging is configured to the most verbose setting,\u201d the FireEye researchers said. \u201cSince a remote command doesn\u2019t create a terminal session, TTY logging systems also do not capture these events. Both the last and lastlog commands, which display listings of recent logins, are also blind.\u201d<\/p>\n<p>The initial scripts harvest Linux kernel headers from infected systems and also extract the \u201cvermagic\u201d string from the existing loadable kernel modules (LKMs). This information is sent back to attacker-controlled servers and is used to automatically build rootkits that function as LKMs and are customized for each infected system.<\/p>\n<p>This sophisticated on-demand build infrastructure automates the creation of LKM rootkits for different kernels and architectures as each LKM needs to be compiled for the particular kernel it\u2019s intended to run on.<\/p>\n<p>linux attack rore via Flickr\/Creative Commons<\/p>\n<p>\u201cUnlike Windows, which has a stable kernel API allowing for the creation of code that is portable between kernel versions, the Linux kernel lacks such an API,\u201d the FireEye researchers said. 
\u201cSince the kernel\u2019s internals change from version to version, an LKM must be binary compatible with the kernel.\u201d<\/p>\n<p>The rootkit\u2019s goal is to hide the processes, files and ports associated with XOR.DDoS, a malware program that\u2019s also installed on the compromised systems and is primarily used by attackers to launch distributed denial-of-service (DDoS) attacks.<\/p>\n<p>\u201cUnlike typical straightforward DDoS bots, XOR.DDoS is one of the more sophisticated malware families to target the Linux OS,\u201d the FireEye researchers said. \u201cIt\u2019s also multi-platform, with C\/C++ source code that can be compiled to target x86, ARM and other platforms.\u201d<\/p>\n<p>XOR.DDoS can also download and execute arbitrary binary files, which gives it the ability to update itself. FireEye observed two major versions of XOR.DDoS so far, the second one being first spotted at the end of December.<\/p>\n<p>Networking and embedded devices are more likely to be vulnerable to SSH brute-force attacks, and it might not be possible for end-users to easily protect them, the FireEye researchers said.<\/p>\n<p>There are many embedded devices that are configured for remote administration and are accessible over the Internet. In 2012, an anonymous researcher was able to hijack 420,000 such devices that had default or no telnet login passwords. He used them to scan the entire Internet as part of a research project that became known as the Internet Census 2012.<\/p>\n<p>The number of devices that are accessible via SSH and use weak passwords that would be vulnerable to complex brute-force attacks like the ones used by the XOR.DDoS gang is likely to be much higher.<\/p>\n<p>If possible, the SSH servers on these devices should be configured to use cryptographic keys instead of passwords for authentication, and remote login should be disabled for their root accounts, the FireEye researchers said. 
\u201cHome and small business users can install the open source fail2ban utility, which works with iptables to detect and block brute force attacks.\u201d<\/p>\n<p>Full Story: <a href=\"http:\/\/www.pcworld.com\/article\/2881152\/ddos-malware-for-linux-systems-comes-with-sophisticated-custombuilt-rootkit.html\" target=\"_blank\">Sneaky Linux malware comes with sophisticated custom-built rootkit | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that\u2019s custom [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[4,7],"tags":[655,1022,1262],"class_list":["post-7586","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","tag-malware","tag-ssh","tag-xor-ddos"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1Ym","jetpack-related-posts":[{"id":119,"url":"https:\/\/nccomputertech.com\/techtalk\/2012\/11\/28\/new-linux-rootkit-injects-malicious-html-into-web-servers\/","url_meta":{"origin":7586,"position":0},"title":"New Linux rootkit injects malicious HTML into Web servers","author":"NCCT","date":"November 28, 2012","format":false,"excerpt":"A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers\u2014including error pages. 
The rootkit, which was first publicly discussed on the Full Disclosure security e-mail list on November 13, appears to be crafted\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6960,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/25\/stealthy-sophisticated-regin-malware-has-been-infecting-computers-since-2008\/","url_meta":{"origin":7586,"position":1},"title":"Stealthy, sophisticated &#8216;Regin&#8217; malware has been infecting computers since 2008","author":"NCCT","date":"November 25, 2014","format":false,"excerpt":"Symantec researchers have identified a particularly sophisticated piece of malware, called \u201cRegin\u201d that was likely developed by a nation state and has been used to spy on governments, infrastructure operators, businesses, researchers and individuals since at least 2008. \u201cRegin displays a degree of technical competence rarely seen,\u201d Symantec said in\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3156,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/09\/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux\/","url_meta":{"origin":7586,"position":2},"title":"\u201cHand of Thief\u201d banking trojan doesn\u2019t do Windows\u2014but it does Linux","author":"NCCT","date":"August 9, 2013","format":false,"excerpt":"Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system. 
Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6142,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/06\/department-of-homeland-security-warns-retailers-of-backoff-pos-malware-techspot\/","url_meta":{"origin":7586,"position":3},"title":"Department of Homeland Security warns retailers of &#8216;Backoff&#8217; POS malware &#8211; TechSpot","author":"NCCT","date":"August 6, 2014","format":false,"excerpt":"The Department of Homeland Security yesterday issued an alert about a point-of-sale malware that was used in a string of recent attacks by cyber criminals. Dubbed Backoff, the malware has been witnessed on at least three separate forensic investigations since late 2013 and continues to operate today. 
According to US-CERT,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":7586,"position":4},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5989,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/15\/us-secret-service-warns-of-keyloggers-on-public-hotel-computers\/","url_meta":{"origin":7586,"position":5},"title":"US Secret Service warns of keyloggers on public hotel computers","author":"NCCT","date":"July 15, 2014","format":false,"excerpt":"The US Secret Service has warned users of hotel business centers that public PCs may be targeted by hackers, with the intent on stealing personal and business information. 
An advisory posted by the service, in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) warned that the hospitality sector,\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/hotel-hero-620x379.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/hotel-hero-620x379.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/hotel-hero-620x379.jpg?resize=525%2C300 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=7586"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7586\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=7586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=7586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=7586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}