How Can You Protect Your Linux Infrastructure From XorDdos Malware

Microsoft has recently published a study on XorDdos malware. The report warns of a drastic rise in XorDdos activity: according to Microsoft, there has been a 254% surge in the past six months, which suggests worse is still to come. So, it is time to learn about the XorDdos malware, its capabilities, infection method, detection, and, most importantly, protection tips. Since the malware targets Linux-based operating systems deployed on cloud infrastructures and Internet of Things (IoT) devices, it is important to protect your Linux infrastructure from XorDdos malware.

Let’s see how to protect your Linux infrastructure from XorDdos malware in this post.

About The XorDdos Malware:

The XorDdos malware is a type of malicious software that is designed to launch distributed denial-of-service (DDoS) attacks. The malware was first discovered in 2014 by the research group MalwareMustDie, and has since been used in a number of high-profile DDoS attacks, including against KrebsOnSecurity, OVH, and Dyn. The malware is named XorDdos because it performs denial-of-service activity on Linux infrastructure and uses an XOR function to encrypt communication with its command-and-control servers.

XorDdos Malware’s Initial Infection Method:

XorDdos malware predominantly targets Secure Shell (SSH) logins. SSH is the protocol administrators most commonly use for remote access because it provides encrypted communication over insecure networks. XorDdos first brute forces its targets to obtain valid login credentials. Once it has valid SSH keys, it runs a script with root privileges that downloads and installs XorDdos malware on the target device.

The study report describes two of XorDdos’ methods for initial access. The first copies a malicious ELF file to the temporary file storage /dev/shm and runs it from there. Files written to /dev/shm are deleted on system restart, which helps the operation stay covert.

In the second access method, the malware executes a bash script that performs the following actions:

  1. Identifies a writable directory out of this list:
  • /bin
  • /home
  • /root
  • /tmp
  • /usr
  2. Once it identifies the writable directory, it changes into that directory, downloads the ELF file payload from the external domain ‘hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt‘ using the curl command, and saves the downloaded file as ygljglkjgfg0.
  3. Makes the file executable using the ‘chmod’ command and then executes it.

The full technical details are published at this URL; please visit the post for the original report.

How Can You Protect Your Linux Infrastructure From XorDdos Malware?

There are a number of steps you can take to protect your Linux infrastructure from XorDdos malware:

  1. Block the IoCs across the network: Block all the indicators of compromise on your security defense systems such as firewalls, web proxies, endpoint solutions, network devices, and wherever else blocking is possible.
  2. Identify the infected endpoints: Query for the IoCs on your SIEM or any centralized security/log management system across the network. Isolate or reimage any device associated with the identified IoCs.
  3. Analyze failed logins: Since XorDdos malware primarily performs SSH brute force on Linux machines, capture all failed-login events and analyze them to locate malicious activity related to XorDdos malware.
  4. Keep your operating system and software up to date: Make sure you are running the latest version of your operating system, as well as all security updates. This will help to ensure that your server is not vulnerable to known exploits.
  5. Harden your server: There are a number of ways to harden your server, such as disabling unneeded services and using a firewall.
  6. Use a DDoS protection service: A DDoS protection service can help to identify and filter out malicious traffic before it reaches your server.
  7. Monitor your network traffic: Monitoring your network traffic can help you to identify unusual or suspicious activity.

Microsoft published a Microsoft 365 Defender advanced hunting query that charts failed sshd logons per day of the year. Run this query in Microsoft Defender Security Center to hunt for the malware's brute-force activity:

DeviceLogonEvents
| where InitiatingProcessFileName == "sshd"
    and ActionType == "LogonFailed"
| summarize count() by dayOfYear = datetime_part("dayOfYear", Timestamp)
| sort by dayOfYear
| render linechart
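The same failed-login analysis (step 3 above) can be run over sshd's own log lines on hosts that do not report to Microsoft 365 Defender. This is an added example, not code from Microsoft or the original post; the log lines are constructed, and the three-failure threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict
# Constructed sshd log lines in syslog format (not from any real host).
SAMPLE_LOG = """\
Jun 24 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jun 24 10:01:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 40113 ssh2
Jun 24 10:01:04 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2
Jun 24 10:01:05 host sshd[1204]: Failed password for root from 198.51.100.7 port 40115 ssh2
Jun 24 10:01:06 host sshd[1205]: Accepted password for root from 198.51.100.7 port 40116 ssh2
Jun 24 10:01:06 host sshd[1205]: pam_unix(sshd:session): session opened for user root
Jun 24 10:05:00 host sshd[1300]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun 24 10:05:30 host sshd[1301]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_ssh_logins(lines, threshold=3):
    """Group sshd login results by source IP; flag brute_force once `threshold`
    failures are seen and success_after_failures if a login is then accepted
    (the trace XorDdos' credential guessing leaves behind when it succeeds)."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(),
                                 "brute_force": False, "success_after_failures": False})
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # session open/close and other non-result lines
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        if m["result"] == "Failed":
            s["failed"] += 1
            s["brute_force"] = s["failed"] >= threshold
        else:
            s["accepted"] += 1
            s["success_after_failures"] = s["success_after_failures"] or s["brute_force"]
    return dict(stats)

def suspicious_sources(stats):
    """Source IPs that crossed the brute-force threshold, most failures first."""
    return sorted((ip for ip, s in stats.items() if s["brute_force"]),
                  key=lambda ip: -stats[ip]["failed"])

if __name__ == "__main__":
    result = analyze_ssh_logins(SAMPLE_LOG.splitlines())
    for ip in suspicious_sources(result):
        s = result[ip]
        print(f"{ip}: {s['failed']} failed, {s['accepted']} accepted, users={sorted(s['users'])}, "
              f"success after brute force={s['success_after_failures']}")
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh -o short`) instead of the sample; a source that is flagged with success_after_failures is the one to isolate first.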

IoCs Of XorDdos Malware:

Please see the captured IoCs of XorDdos malware:

File information

File name: HFLgGwYfSC.elf
File size: 611.22 KB (625889 bytes)
Classification: DoS:Linux/Xorddos.A
MD5: 2DC6225A9D104A950FB33A74DA262B93
Sha1: F05194FB2B3978611B99CFBF5E5F1DD44CD5E04B
Sha256: F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
First submission in VT: 2022-01-25 05:32:10 UTC

Dropped files

Dropped file path File type SHA-256
/etc/init.d/HFLgGwYfSC.elf Shell Script 6E506F32C6FB7B5D342D1382989AB191C6F21C2D311251D8F623814F468952CF
/etc/cron.hourly/gcc.sh Shell Script CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459
/lib/libudev.so ELF F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432
/run/gcc.pid Text 932FEEF3AB6FCCB3502F900619B1F87E1CB44A7ADAB48F2C927ECDD67FF6830A
/usr/bin/djtctpzfdq ELF 53F062A93CF19AEAA2F8481B32118A31B658A126624ABB8A7D82237884F0A394
/usr/bin/dmpyuitfoq ELF 798577202477C0C233D4AF51C4D8FB2F574DDB3C9D1D90325D359A84CB1BD51C
/usr/bin/fdinprytpq ELF 2B4500987D50A24BA5C118F506F2507362D6B5C63C80B1984B4AE86641779FF3
/usr/bin/jwvwvxoupv ELF 359C41DA1CBAE573D2C99F7DA9EEB03DF135F018F6C660B4E44FBD2B4DDECD39
/usr/bin/kagbjahdic ELF E6C7EEE304DFC29B19012EF6D31848C0B5BB07362691E4E9633C8581F1C2D65B
/usr/bin/kkldnszwvq ELF EF0A4C12D98DC0AD4DB86AADD641389C7219F57F15642ED35B4443DAF3FF8C1E
/usr/bin/kndmhuqmah ELF B5FBA27A8E457C1AB6573C378171F057D151DC615D6A8D339195716FA9AC277A
/usr/bin/qkxqoelrfa ELF D71EA3B98286D39A711B626F687F0D3FC852C3E3A05DE3F51450FB8F7BD2B0D7
/usr/bin/sykhrxsazz ELF 9D6F115F31EE71089CC85B18852974E349C68FAD3276145DAFD0076951F32489
/usr/bin/tcnszvmpqn ELF 360A6258DD66A3BA595A93896D9B55D22406D02E5C02100E5A18382C54E7D5CD
/usr/bin/zalkpggsgh ELF DC2B1CEE161EBE90BE68561755D99E66F454AD80B27CEBE3D4773518AC45CBB7
/usr/bin/zvcarxfquk ELF 175667933088FBEBCB62C8450993422CCC876495299173C646779A9E67501FF4
/tmp/bin/3200 ELF(rootkit) C8F761D3EF7CD16EBE41042A0DAF901C2FDFFCE96C8E9E1FA0D422C6E31332EA
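An added host-side check, not from the original post or Microsoft's report, that ties the dropped-files table above to the /dev/shm staging described under the initial access methods: it parses rows in the table's own "path type SHA-256" layout, hashes any of those paths present on the host, and lists ELF binaries sitting in /dev/shm. The three embedded rows are copied from the table; the `root` parameter for scanning a mounted disk image is an assumed convenience.

```python
import hashlib
import os

# Rows copied from the dropped-files table above, in its "path type sha256"
# layout; paste in the rest of the table the same way to hunt for all of them.
IOC_TABLE = """\
/etc/cron.hourly/gcc.sh Shell Script CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459
/run/gcc.pid Text 932FEEF3AB6FCCB3502F900619B1F87E1CB44A7ADAB48F2C927ECDD67FF6830A
/lib/libudev.so ELF F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432
"""

def parse_ioc_table(text):
    """First token of a row is the path, last is the SHA-256, the rest is the type."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            rows.append((parts[0], " ".join(parts[1:-1]), parts[-1].lower()))
    return rows

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def classify_file(data, expected_sha256):
    # 'match': content equals the published IoC. 'present': path exists but the hash
    # differs; still worth a look (payloads get rotated, and a benign file at a path
    # such as /lib/libudev.so has to be ruled out by hand).
    return "match" if sha256_hex(data) == expected_sha256 else "present"

def hunt_dropped_files(rows, root="/"):
    """Check each IoC path under `root` (point root at a mounted image to scan it)."""
    findings = []
    for path, ftype, digest in rows:
        full = os.path.join(root, path.lstrip("/"))
        if os.path.isfile(full):
            with open(full, "rb") as f:
                findings.append((path, ftype, classify_file(f.read(), digest)))
    return findings

def elf_files_in(directory="/dev/shm"):
    """ELF binaries staged in /dev/shm (initial access method 1) are rare on clean hosts."""
    hits = []
    for name in (os.listdir(directory) if os.path.isdir(directory) else []):
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as f:
                if f.read(4) == b"\x7fELF":
                    hits.append(full)
        except OSError:  # sockets, permission errors, files that vanished mid-scan
            pass
    return hits
```

Run `hunt_dropped_files(parse_ioc_table(IOC_TABLE))` and `elf_files_in()` as root on the host under investigation; any "match" finding means the endpoint belongs in the isolate-or-reimage step above.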

Download URLs

  • www[.]enoan2107[.]com:3306
  • www[.]gzcfr5axf6[.]com:3306
  • hxxp://aa[.]hostasa[.]org/config.rar

Conclusion

XorDdos is a malware that allows attackers to launch distributed denial of service (DDoS) attacks. In order to protect your Linux infrastructure from XorDdos malware, you should keep your operating system and software up to date, harden your server, use a DDoS protection service, and monitor your network traffic.

We hope this post will help you know how to protect your Linux infrastructure from XorDdos malware.

Original article by ItWorker; if you repost it, please credit the source: https://blog.ytso.com/270223.html
