china.z / trojan.xorddos - analysis of a hack
TRANSCRIPT
Disclaimer
• Initial evidence pointed to abuse of ShellShock – China.Z
• More detailed investigation pointed to a brute-force attack on SSH root passwords
• ClamAV confirmed this by finding XorDDOS
The host
• Debian Wheezy 64-bit
  – With all updates
  – Bash 4.2.37(1) – should be OK
• LAMP
• Firewall configured
  – Incoming allowed: HTTP, SSH, phpMyAdmin
  – Any outgoing
• Public IP (monitored by hosting company)
• No FQDN (yet)
• No activity (yet)
• Console (VNC) access
The Symptoms
• 100% CPU usage
• Network access disabled due to DDoS activity

The Symptoms
• 1 process taking all resources
  – Executable with randomized filename
• Startup script for file
• Nothing in command history
• No apparent leftover files
• No apparent hosting of malware / other
• Root password still works
• Client connection on random port
• Server connection listening on random port
Initial Troubleshooting
• Kill process
  – New process recreated automatically with randomized filename. Startup script recreated.
  – New randomized port server & client started
• Delete executable
  – New process recreated automatically with randomized filename. Startup script recreated. Executable recreated.
  – New randomized port server & client started
• Block server & client ports (iptables)
  – New randomized port server & client started
• Backup executable & startup script
• Backup command history
• Backup logfiles (HTTP as first guess)
  – /var/log/apache
Troubleshooting – Step 2
• Review logs
  – HTTP log shows port scan
  – HTTP log shows attack
• Dump last changed files
  – find / -mtime -10 | grep -v dev | grep -v proc > recent_files.txt
• Review recently modified files
  – /etc/cron.hourly/*loader*.sh
  – /etc/crontab (running *loader*)
  – /bin/*loader* (disguised as library)
  – /bin/*process* (randomized name)
  – /etc/init.d/*process* (randomized name)
  – /etc/rc?.d/S02*process* (randomized name)
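The "dump last changed files" step above, as an added example that is not part of the original talk. It prunes /proc, /sys and /dev by path instead of piping through `grep -v dev`, because that filter also hides any legitimate path containing the substring (for instance /home/devops), and it narrows the list down to the persistence locations the slides name (cron, init.d, rc?.d). The file and directory names in make_sample_tree are constructed placeholders for this example, not the trojan's real filenames.

```shell
#!/bin/sh
# Added example, not from the original talk: the "dump last changed files"
# step as reusable functions.  Pseudo-filesystems are pruned by path instead
# of being filtered with `grep -v dev`, which would also hide any real path
# containing that substring (/home/devops, libdevmapper.so, ...).  Names in
# make_sample_tree are constructed placeholders, not the real trojan's files.

# recent_files ROOT DAYS
# Lists regular files and symlinks under ROOT modified within the last DAYS
# days, skipping /proc, /sys and /dev.  Symlinks matter: the rc?.d entries
# the trojan installs are symlinks and `-type f` alone would miss them.
recent_files() {
    root=$1
    days=$2
    prefix=${root%/}   # "/" becomes "", so the pruned paths read /proc, /sys, /dev
    find "$root" \
        \( -path "$prefix/proc" -o -path "$prefix/sys" -o -path "$prefix/dev" \) -prune \
        -o \( -type f -o -type l \) -mtime "-$days" -print
}

# persistence_hits ROOT DAYS
# The subset of recent_files in the places this trojan used to survive
# reboots: /etc/crontab, cron.* directories, init.d scripts and rc?.d symlinks.
persistence_hits() {
    recent_files "$1" "$2" | grep -E '/etc/(crontab|cron\.|init\.d/|rc[0-9S]\.d/)' || true
}

# make_sample_tree DIR
# Builds a constructed stand-in for a compromised root filesystem under DIR.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc/cron.hourly" "$1/etc/init.d" "$1/etc/rc2.d" \
             "$1/proc/1" "$1/home/devops"
    : > "$1/bin/randname01"                   # fresh executable, random-looking placeholder name
    : > "$1/etc/init.d/randname01"            # fresh init script with the same name
    : > "$1/etc/cron.hourly/sample-loader.sh" # fresh hourly cron job (placeholder name)
    ln -s ../init.d/randname01 "$1/etc/rc2.d/S02randname01"   # fresh rc symlink
    : > "$1/proc/1/status"                    # pseudo-filesystem noise to be pruned
    : > "$1/home/devops/notes.txt"            # legitimate path containing "dev"
    : > "$1/bin/libold.so"
    touch -t 201501010000 "$1/bin/libold.so"  # untouched for years: outside the window
}

# Usage on a live host:  . ./triage.sh; recent_files / 10 > recent_files.txt
# Run with --demo to see both functions on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "== files modified in the last 10 days"; recent_files "$demo" 10
    echo "== persistence locations among them";   persistence_hits "$demo" 10
    rm -rf "$demo"
fi
```

On a real host, save the output of recent_files to another machine before cleaning: the slides show the trojan rewriting its executable and startup script as soon as they are removed, so the first listing is the only clean record of what it touched.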
Troubleshooting – Juicy Bits
• Portscan before and after attack

Troubleshooting – Juicy Bits
• Attack was not targeting CGI scripts
  – Initial approach with ShellShock
• Attack shows signature
  – “China.Z”
Troubleshooting – Step 3
• Attacker used wget
  – Removed wget
• Backup of cron scripts & executable
  – Removed files
• Hard shutdown
• Startup in single mode *fingers crossed*
  – No trojan
• Disable network
Troubleshooting – Step 4
• Double-check bootscripts
• Double-check netstat
• Double-check logs
• Disable Apache
• Disable SSH
• Installed & ran ClamAV
  – Cleaned up everything
• Apply modsecurity
• Enable all & reboot
• *Fingers crossed*
Recommendations
• Apply latest updates
• Patch bash
• Run bash in privileged mode
• Limit incoming traffic (iptables) – DUH!
• Limit outgoing traffic (iptables)
• Block 121.12.168.0/21 & others (check logs)
• Apply mod_security rules
  – OWASP
• Get rid of wget if you don’t need it
• Scan your system – ClamAV
• Run vulnerability tests!
Scan Results
• ClamAV detects trojan as Linux.Trojan.Xorddos
• Brute-force SSH password approach
UPDATE!

UPDATE! Recommendations
• Check /var/log/auth
• Restrict root login on SSH
• Restrict SSH access to limited IPs
• Set up reverse SSH tunnels
• Use shared keys
• Update passwords
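Two of the updated recommendations (check /var/log/auth, restrict root login on SSH) as an added example that is not part of the original talk. The first function counts "Failed password" sshd entries per source address and, next to each, how many logins from that address were accepted, since a burst of failures followed by an accept is what a guessed root password looks like in auth.log. The second function reads an sshd_config and reports whether PermitRootLogin and PasswordAuthentication still allow password guessing against root. The log lines, the threshold and the two sample configs are constructed for this example; the source address is taken from the 121.12.168.0/21 range the slides recommend blocking.

```shell
#!/bin/sh
# Added example, not from the original talk: two post-incident checks for the
# SSH brute-force path.  Sample log lines, configs and thresholds are
# constructed for this example.

# brute_force_sources LOGFILE MIN
# Prints every source address with at least MIN "Failed password" sshd entries
# in LOGFILE, together with how many logins from that address were accepted.
brute_force_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i + 1)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%s failed=%d accepted=%d\n", ip, fails[ip], ok[ip] + 0
        }' "$1" | sort
}

# sshd_weak_settings SSHD_CONFIG
# Prints one line per directive that still permits password guessing against
# root.  A directive that is absent or commented out is reported as OpenSSH's
# default, which is "yes" for both.
sshd_weak_settings() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin"        { root = tolower($2) }
        tolower($1) == "passwordauthentication" { pw = tolower($2) }
        END {
            if (root != "no" && root != "without-password")
                print "PermitRootLogin should be no or without-password (found: " (root == "" ? "default yes" : root) ")"
            if (pw != "no")
                print "PasswordAuthentication should be no (found: " (pw == "" ? "default yes" : pw) ")"
        }' "$1"
}

# write_sample_auth_log FILE -- constructed sshd lines in Debian auth.log format
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan  6 03:21:01 host sshd[2201]: Failed password for root from 121.12.168.45 port 50312 ssh2
Jan  6 03:21:03 host sshd[2201]: Failed password for root from 121.12.168.45 port 50312 ssh2
Jan  6 03:21:04 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jan  6 03:21:06 host sshd[2201]: Failed password for root from 121.12.168.45 port 50312 ssh2
Jan  6 03:21:08 host sshd[2205]: Failed password for root from 121.12.168.45 port 50340 ssh2
Jan  6 03:21:10 host sshd[2205]: Failed password for root from 121.12.168.45 port 50340 ssh2
Jan  6 03:21:12 host sshd[2207]: Accepted password for root from 121.12.168.45 port 50361 ssh2
Jan  6 09:00:00 host sshd[2300]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2
EOF
}

# write_sample_configs DIR -- a weak sshd_config beside a hardened one (constructed)
write_sample_configs() {
    cat > "$1/sshd_config.weak" <<'EOF'
Port 22
# PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
EOF
}

# Usage on a live host:  brute_force_sources /var/log/auth.log 20
#                        sshd_weak_settings /etc/ssh/sshd_config
# Run with --demo to see both checks on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_sample_auth_log "$demo/auth.log"
    write_sample_configs "$demo"
    echo "== sources with >= 3 failed logins";   brute_force_sources "$demo/auth.log" 3
    echo "== weak settings in sshd_config.weak"; sshd_weak_settings "$demo/sshd_config.weak"
    rm -rf "$demo"
fi
```

The accepted count is the column to read first: an address with many failures and zero accepts is noise to block, while one with failures followed by an accept means the password was guessed and the host should be treated as compromised, which is the conclusion the ClamAV finding on this host led to.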
UPDATE! More reading – XorDDOS
• Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
  – http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
• Linux DDoS Trojan hiding itself with an embedded rootkit
  – https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
• DDoS Malware for Linux Distributed via SSH Brute Force Attacks
  – http://www.securityweek.com/ddos-malware-linux-distributed-ssh-brute-force-attacks
• Symantec: Linux.Xorddos
  – http://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99
More reading – China.Z
• New ELF Malware on ShellShock
  – http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html
• ShellShock Deception with Echo
  – http://neonprimetime.blogspot.be/2015/03/shellshock-deception-with-echo.html
• Analysis of China.Z
  – http://users.jyu.fi/~sapekiis/china-z/index.html
More reading – ShellShock
• Debian Announcement on ShellShock
  – https://lists.debian.org/debian-security-announce/2014/msg00220.html
• Using ModSecurity to prevent ShellShock
  – https://access.redhat.com/articles/1212303
• How ShellShock can be exploited
  – http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited
• Inside ShellShock
  – https://blog.cloudflare.com/inside-shellshock/
• Mitigating the ShellShock Vulnerability
  – https://access.redhat.com/articles/1212303