#44 Patch for the Linux/XOR.DDoS rootkit
Hello all,
I have created a patch to identify the XOR.DDoS rootkit, which is used on botnets to take down sites with massive DDoS attacks.
https://en.wikipedia.org/wiki/Rootkit
https://en.wikipedia.org/wiki/Xor_DDoS
It will patch two files:
1 - backdoorports.dat
Creates an entry in the backdoorports.dat file that reports port 3205 as a possible presence of the threat, which connects to the botnet's CC.
2 - rkhunter
It creates a list of the main files used by the rootkit in the do_system_check_initialization function and registers the test in rootkit_file_dir_checks.
There is also a XOR key and some other hardcoded strings that would help to identify other files with random names; however, I could not figure out where/how the string-based test really works in rkhunter, so I decided to provide these initial tests and improve the detection later, as some detection is better than none.
The detection is based on the reports made by:
Malware Must Die
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
Akamai
https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html
Avast
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
I have tested the patch and it worked well, as you can see in the following images.
1 Attachments
rkhunter.patch
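The two checks the ticket describes (a backdoor-port lookup and a known-file lookup) are easy to get wrong in small ways, so here is a stand-alone illustration of the same logic. This is an added example, not the attached rkhunter.patch and not rkhunter's own code. Everything in it is constructed: the "port:description" line format is an assumption rather than rkhunter's real backdoorports.dat syntax, the socket listing imitates `ss -ltnu` output, and the file paths are placeholders that stand in for the rootkit file list carried by the patch. Only port 3205 comes from the ticket.

```python
"""Port- and file-based indicator checks in the spirit of the rkhunter patch.

Added example, not the ticket's patch or rkhunter code. Assumptions:
- the 'port:description' format below is constructed, not rkhunter's real one;
- SS_OUTPUT is a constructed sample shaped like `ss -ltnu` output;
- ROOTKIT_FILE_PATHS are placeholders, not real XOR.DDoS artefacts.
"""
import re
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Constructed backdoor-port list. Port 3205 is the one the ticket adds; the
# filler entry only exists so the parser has more than one line to handle.
BACKDOOR_PORTS_DAT = """\
# constructed sample in the shape of a port list
# port:description

3205:Possible Linux/XOR.DDoS rootkit (botnet C&C connection)
65535:constructed filler entry
"""

# Constructed sample shaped like `ss -ltnu` output; the 3205 listener is
# planted so the check below has something to find.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3205      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128             [::]:80           [::]:*
"""

# Placeholder paths standing in for the file list the patch adds to
# do_system_check_initialization; the real list lives in rkhunter.patch.
ROOTKIT_FILE_PATHS = ["/tmp/EXAMPLE_xorddos_file", "/tmp/EXAMPLE_xorddos_dir"]


def parse_backdoor_ports(text: str) -> Dict[int, str]:
    """Parse 'port:description' lines, skipping comments and blank lines.

    Malformed lines raise instead of being silently dropped, so a typo in the
    data file cannot quietly disable a detection.
    """
    table: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        port_str, sep, desc = line.partition(":")
        if not sep or not port_str.isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        port = int(port_str)
        if not 0 < port < 65536:
            raise ValueError(f"line {lineno}: port out of range {port}")
        table[port] = desc.strip()
    return table


# Netid, State, Recv-Q, Send-Q, then Local Address:Port. The header line has
# no numeric queue columns, so it simply does not match.
_SOCKET_LINE = re.compile(r"^(\S+)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def listening_ports(ss_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every socket line in ss output."""
    sockets = []
    for line in ss_text.splitlines():
        m = _SOCKET_LINE.match(line)
        if m:
            sockets.append((m.group(1), m.group(2), int(m.group(3))))
    return sockets


def check_backdoor_ports(table: Dict[int, str],
                         sockets: List[Tuple[str, str, int]]
                         ) -> List[Tuple[str, str, int, str]]:
    """Report listening sockets whose port appears in the backdoor list.

    A port match on its own is weak evidence (any service may bind 3205),
    which is why the description says 'Possible'; treat a hit as a prompt
    to inspect the owning process, not as a verdict.
    """
    return [(proto, addr, port, table[port])
            for proto, addr, port in sockets if port in table]


def check_rootkit_files(paths: List[str],
                        exists: Callable[[str], bool] = lambda p: Path(p).exists()
                        ) -> List[str]:
    """Return the known rootkit paths that are present on this host.

    `exists` is injectable so the check can be exercised without touching
    the real filesystem.
    """
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    ports = parse_backdoor_ports(BACKDOOR_PORTS_DAT)
    for proto, addr, port, desc in check_backdoor_ports(ports, listening_ports(SS_OUTPUT)):
        print(f"Warning: {proto} {addr}:{port} listening: {desc}")
    for path in check_rootkit_files(ROOTKIT_FILE_PATHS):
        print(f"Warning: known rootkit file present: {path}")
```

The constructed data is deliberately small; on a real host you would feed the parser the installed data file and the socket list from `ss`, and a hit on 3205 would be followed by identifying the process that owns the socket rather than acted on directly.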
Discussion