#44 Patch for the Linux/XOR.DDoS rootkit
Hello all,

I have created a patch to identify the XOR.DDoS rootkit that is used by botnets to take down sites with massive DDoS attacks.

https://en.wikipedia.org/wiki/Rootkit
https://en.wikipedia.org/wiki/Xor_DDoS

It will patch two files:

1 - backdoorports.dat

Creates an entry in the backdoorports.dat file that reports port 3205, used to connect to the botnet's C&C, as a possible presence of the threat.

2 - rkhunter

It creates a list with the main files used by the rootkit in the do_system_check_initialization function and registers the test in rootkit_file_dir_checks.

There is also an XOR key and some other hardcoded strings that would help identify other files with random names; however, I could not figure out where/how the string-based test really works in rkhunter, so I decided to provide these initial tests and improve the detection later, as some detection is better than none.

The detection is based on the reports made by:

Malware Must Die

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

Akamai

https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html

Avast

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

I have tested the patch and it worked well, as you can see in the following images.

1 Attachment

rkhunter.patch
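As an added example (not part of this patch or of rkhunter's own code), the port half of the check written out in plain Python: it parses a backdoorports.dat-style list, assumed here to use rkhunter's `port:description` line format, decodes a constructed /proc/net/tcp table, and flags both a listener on a listed port and an outbound connection to one, which goes a step beyond a listener-only check. The sample data and the 203.0.113.5 address are constructed.

```python
import socket
import struct

# Constructed sample in rkhunter's backdoorports.dat "port:description" format
# (format assumed); the 3205 line is the entry this patch adds.
BACKDOORPORTS_DAT = """\
# port:description
1524:Possible FreeBSD (FBSD) Rootkit backdoor
3205:XOR.DDoS botnet malware
"""

# Constructed /proc/net/tcp sample (trailing columns trimmed): addresses are
# little-endian hex IP, then hex port. Row 0: sshd on 22 (0x16); row 1: a
# listener on 3205 (0x0C85); row 2: an outbound connection to 203.0.113.5:3205.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 00000000:0C85 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: 0100007F:8ABC 057100CB:0C85 01 00000000:00000000 00:00000000 00000000     0        0 12347
"""

def parse_backdoorports(text):
    """Map port -> description, skipping comment and blank lines."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, _, desc = line.partition(":")
        known[int(port)] = desc.strip()
    return known

def _decode(field):
    """'0100007F:0C85' -> ('127.0.0.1', 3205); the kernel writes the IP little-endian."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per socket."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        rows.append(_decode(fields[1]) + _decode(fields[2]) + (fields[3],))
    return rows

def find_backdoor_ports(known, rows):
    """Flag listeners (state 0A) on a listed port and connections whose peer port is listed."""
    hits = []
    for lip, lport, rip, rport, state in rows:
        if state == "0A" and lport in known:
            hits.append(("listen", lport, lip, known[lport]))
        elif state != "0A" and rport in known:
            hits.append(("connect", rport, rip, known[rport]))
    return hits
```

On a live host, read /proc/net/tcp (and /proc/net/tcp6, which uses the same port encoding) instead of the constructed sample.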
