Saturday, June 20, 2015

Introduction to Linux ELF DDoS'er Malware & Family

ELF malware is Linux malware, built as ELF binaries, that is specifically developed to perform DDoS attacks against a target.
We will learn more about ELF malware and its family; let's start with some basic introductions.

About Linux Malware:
Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux operating system. Linux, UNIX and other Unix-like operating systems are generally regarded as very well protected against, but not immune to, computer viruses.
There has not yet been a single widespread Linux virus/malware infection of the type that is common on Microsoft Windows; this is generally attributed to the malware's lack of root access and to fast updates for most Linux vulnerabilities.

History about Linux Malware:
In the old days it was common for malware to target Windows, or even OS X, but security threats to Linux have become both more numerous and more severe in recent years.
There are a couple of reasons for this:
· The mobile explosion has meant that Android (which is Linux-based) is among the most attractive targets for malicious hackers.
· The use of Linux as a server OS, for and in the data center, has also grown.
But Linux malware has been around in some form since well before the turn of the century.

Intro to ELF Malware:

ELF malware is developed to infect servers, mobile devices and embedded systems.




Malware targeting Linux systems has become too large to ignore:
· In VirusTotal statistics, approx. 127,385 ELF binaries were submitted during the week of 2015/01/19
· Approx. 2,722,106 Win32 binaries were submitted in the same week
· Note: not all ELF binaries are malware

From the MalwareMustDie blog report, the threat is assessed to originate from China:
· The source binary data contains China-specific details.
· Attacker IP addresses seen during infection attempts mostly (98%) originate from Chinese networks.
· Panels serving the ELF malware downloaded during infection are located in Chinese networks (98%).
· C&C servers used for downloading configuration or for remote attacks (92%).

Trends in Linux Malware :
ELF malware is not yet as sophisticated as Windows malware.
· Today, antivirus vendors are endeavouring to raise the detection rate of ELF malware.
· “Google's Virustotal puts Linux malware under the spotlight” http://www.zdnet.com/article/googles-virustotal-puts-linux-malwareunder-the-spotlight/
· On the other hand, several ELF malware families have execution portability, which is a unique aspect of Linux systems.

The distributed malware is separated into the following categories, each with its own technical information:
1. "Elknot" variants
2. "AES.DDoS"
3. ".IptabLes|x"
4. "BillGates"
5. (NEW) "GoARM.Bot"
6. "XOR.DDoS"

Introduction to the ELF Malware Family:
1. IptabLes/IptabLex
This infection has been observed since around 2013, and a detailed report was published by Akamai in 2014.
· The malware infects hosts using vulnerabilities in open-source software such as Apache Struts, Tomcat and Elasticsearch.
· It exploits the newest vulnerabilities.
Some variants store themselves in /boot under the name “.IptabLes” or “.IptabLex”.

2. XOR.DDoS
This infection has been observed since around 2014.
The malware contains LKM (Linux Kernel Module) rootkits
· based on the “Suterusu” open-source LKM rootkit.
The special feature of the XOR.DDoS ELF malware is that it hides processes, files and other malware activity from security services and administrators.

3. AES.DDoS
This infection has been observed since around 2014.
The ELF malware is available for several architectures:
· EM_386, EM_x86_64, EM_MIPS, EM_ARM, PE x86
· The MIPS architecture is often used in routers.
· Targets of this malware are a wide variety of systems such as desktops, mobile devices, routers and IoT devices.

4. ChinaZ
This infection has been observed since around 2015.
This malware is spread all over the world by exploiting the Shellshock vulnerability.
The malware analysed was compiled for *NIX-based routers/servers, with these OS & CPU architectures:
1. Intel x32 (Linux / FreeBSD)
2. Intel x64 (Linux / FreeBSD)
3. AMD x64 (Linux)
4. ARM (Linux)
5. MIPS (Linux)
6. (NEW) PPC (Linux)

Note:
(NEW) The Windows version of the same DDoSer started to be detected in mid-October 2014.
Samples: [http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24160]
  [http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24152]

PoC and evidence contributed by MalwareMustDie:
1. https://www.youtube.com/watch?v=JjtOUto9Sr8
2. https://www.youtube.com/watch?v=z6MdtFck6x4
3. https://www.youtube.com/watch?v=sdKCjbrs5uQ
4. https://www.youtube.com/watch?v=YtxaT1rahY8
5. https://www.youtube.com/watch?v=OcOiuxAtbOk

Illustration of "Volume & Combination" in its distribution
In a panel serving ELF malware, the China DDoS'er crooks are distributing quite a large number of downloads (even if we assume only 70% of downloads are for infection), as seen in the panel snapshot below:

In a panel we often spotted the China crook mixing the types of malware, as seen in the PoC below:

Mixing samples PoC:

Recent ELF samples we collected & analyzed over the past month:
(There are a lot more than these, and they are still coming)

China ELF DDoS'er download panels list:


Geographical source of ELF malware by IP address, as below:


Malware & Intrusion Detection In Linux:


Malware Detection:
It is recommended to use the ClamAV antivirus and Linux malware detection tools to detect the malware.

Intrusion Detection:
It is recommended to use AIDE, a user-land file integrity checker.
Linux IMA (Integrity Measurement Architecture) is used to measure kernel-level integrity.
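As an added example (not from the original post or from any of the tools it names), here is a small triage scanner for the hiding behaviour described above: it walks a directory, picks out dot-files (like the ".IptabLes" dropped in /boot), checks for an ELF header and reports the ELF class, endianness and e_machine so the analyst can see which of the listed architectures the sample was built for. The e_machine values come from the ELF specification; the sample files it creates are constructed header-only stubs, not real binaries.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the architectures the post lists
EM_NAMES = {3: "EM_386", 8: "EM_MIPS", 20: "EM_PPC", 40: "EM_ARM", 62: "EM_X86_64"}

def parse_elf_header(data: bytes):
    """Return (class, endianness, machine) from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF?")
    little = data[5] == 1                    # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_machine,) = struct.unpack(("<" if little else ">") + "H", data[18:20])
    return elf_class, "LE" if little else "BE", EM_NAMES.get(e_machine, f"EM_{e_machine}")

def find_hidden_elf(directory: str):
    """List dot-files below `directory` whose first bytes form an ELF header."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.startswith("."):
                continue                     # only hidden files, like .IptabLes in /boot
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    parsed = parse_elf_header(fh.read(64))
            except OSError:
                continue                     # unreadable entry: skip it, keep scanning
            if parsed:
                hits.append((path,) + parsed)
    return sorted(hits)

def make_fake_elf(elf_class: int, little: bool, e_machine: int) -> bytes:
    """Constructed 64-byte header-only ELF stub for testing; it is not executable."""
    ident = (ELF_MAGIC + bytes([elf_class, 1 if little else 2, 1])).ljust(16, b"\0")
    # e_type = ET_EXEC (2), e_machine, e_version = 1; the rest of the header is zero
    fields = struct.pack(("<" if little else ">") + "HHI", 2, e_machine, 1)
    return (ident + fields).ljust(64, b"\0")

def write_constructed_samples() -> str:
    """Temp dir of constructed samples: two hidden ELF stubs, a hidden text file, a visible ELF."""
    d = tempfile.mkdtemp()
    samples = {".IptabLes": make_fake_elf(1, True, 3), ".mips_bot": make_fake_elf(1, False, 8),
               ".readme": b"plain text, not ELF", "vmlinuz": make_fake_elf(2, True, 62)}
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d
```

Run `find_hidden_elf("/boot")` on a live host to apply the check; `find_hidden_elf(write_constructed_samples())` exercises it offline on the constructed stubs.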

Mitigation Techniques
· Use SELinux: an intruder's activity is confined to the attack surface of the compromised application.
· Restrict outbound connections at the firewall as well as on the proxy, using a C&C blacklist.

Conclusions
· Linux-based platforms such as servers, mobile devices and embedded systems have increased, and ELF malware has increased at the same time.
· Several malware families intrude on vulnerable hosts using the latest vulnerabilities.
· Administrators and developers should have control over all system components and respond to new vulnerabilities.
· Anti-malware, intrusion detection and mitigation should be considered.

Note: Very soon I will post a malware analysis & forensics article on the ELF family IptabLes/XOR.DDoS/AES.DDoS & ChinaZ.

Reference:
CREDIT:  #MalwareMustDie
http://blog.malwaremustdie.org/2014/09/tango-down-report-of-op-china-elf-ddoser.html