Web Analytics Made Easy - StatCounter
#44 Patch for the Linux/XOR.DDoS rootkit
Προσαρμοσμένη Αναζήτηση

7 Φεβρουαρίου 2017

#44 Patch for the Linux/XOR.DDoS rootkit

Hello all,

I have created a patch to identify the XOR.DDoS rootkit that is used on botnets to take down sites with massive DDoS attacks.


It will patch two files:

1 - backdoorports.dat

Creates an entry on the backdoorports.dat file that reports the port 3205 as a possible presence of the threat, that connect to the botnet's CC.

2 - rkhunter

It creates a list with the main files used by the rootkit to the do_system_check_initialization function and register the test on the rootkit_file_dir_checks.

There is also a XOR key and some other hardcoded strings that would help to identify other files with random names, however, I could not figure out where/how the string based test really is on rkhunter, so decided to provide these initial tests and improve the detection later as some detection is better than none.

The detection is based on the reports made by:

Malware Must Die






I have tested the patch and it worked well, you can see on the following images

1 Attachments



Μόνιμος σύνδεσμος

HTML link code:
BB (forum) link code:

Δεν υπάρχουν σχόλια: