Introduction to Linux ELF DDoS'er Malware & Family
ELF is the Linux Malware which is specifically developed to perform
DDOS attacks against the Target.
We will learn more about the ELF malware and its Family, let`s start
with some basic Introductions.
About Linux Malware:
Linux malware includes
viruses, Trojans, worms and other types of malware that affect the Linux operating
system. Linux, UNIX and other Unix-like computer operating
systems are generally regarded as very well-protected against, but not immune
to, computer viruses.
Here has not yet been a single
widespread Linux virus/malware infection of the type that is common on Microsoft
Windows; this is attributable generally to the malware's lack of root access and
fast updates to most Linux vulnerabilities.
History about Linux Malware:
In Old Days it was common that
malware targeting windows or even OS X,
security threat to linux have become both more numerous and more severe in
recent years.
There are couple of reason for
the same :
The mobile explosion has meant that Android (which is Linux-based) is among the most attractive targets for malicious hackers.
The mobile explosion has meant that Android (which is Linux-based) is among the most attractive targets for malicious hackers.
· The use of Linux as a server OS for and in the
data center has also grown
But Linux malware has been around in some form
since well before the turn of the century.
Intro to ELF Malware:
ELF malware developed to infect
server, mobile as well as embedded.
Malware of target to Linux system becomes too large to
ignore
·
In virustotal statistics approx. 127,385 ELF
binaries has submitted during the week of 2015/01/19
·
Approx. 2,722,106 Win32 binaries has submitted
in the same week
·
Note: Not
all ELF binaries are malware
From malwaremustdie
blog report, the threat is verdicted to be originated from China:
· The source binary data contains China specific
details.
·
Attacker IP address during attempt to infect are
mostly (98%) originated from China network.
· Panels served by ELF malware be downloaded
during infection, are located in China network (98%)
· CNC server used for downloading config or used
for remote attack (92%)
Trends in
Linux Malware :
ELF malware
are not sophisticated yet unlike windows malware
·
Today, antivirus vendor endeavour to raise
detection rate of ELF malware
·
“Google's Virustotal puts Linux malware under
the spotlight”
http://www.zdnet.com/article/googles-virustotal-puts-linux-malwareunder-the-spotlight/
• On the other hand, Several ELF malware has execution portability – It is
unique perspective in Linux system
The
distributed malware are separated into 3 categories:
1. "Elknot" variants,
technical information
2. "AES.DDoS", technical
information
3. ".IptabLes|x", technical
information
4. "BillGates", technical
information
5. (NEW) "GoARM.Bot",
technical information
6. "XOR.DDoS", technical
information
1. IptabLes/IptabLex
This infection is observed around 2013~ and a
minute report submitted by AKAMAI in 2014.
· The malware infect using vulnerabilities of open
source software such as Apache Struts, Tomcat and Elasticsearch.
· Exploiting newest vulnerabilities.
Some malware store itself in /boot
with the name “.Iptables” or “.Iptablex”
2. XOR.DDoS
This infection is observed around 2014~.
The malware contains LKM(Linux
Kernel Module) rootkits
–Based on “Suterusu” open source LKM rootkit
The special future of XOR.DDoS ELF
malware is, it hiding processes, files and other malware activity from security services and
administrators.
3. AES.DDoS
This infection is observed around 2014~.
An ELF malware is available for several
architectures
· EM_386, EM_x86_64, EM_MIPS, EM_ARM, PE x86
· A MIPS architecture often used to router •
Targets of this malware are a wide variety of systems such as desktop, mobile,
routers and IoT devices.
4. ChinaZ
This infection is observed around 2015~.
This malware is spread all over the world by triggering
Shell Shock vulnerability.
The malware
analysed was compiled with aiming NIX base routers/servers, with these OS &
CPU architectures:
1. Intel x32 (Linux / FreeBSD)
2. Intel x64 (Linux / FreeBSD)
3. AMD x64 (Linux)
4. ARM (Linux)
5. MIPS (Linux)
6. (NEW) PPC (Linux)
Note:
(NEW) The
Windows version of the same DDoSer was started to be detected in Mid October
2014.
Samples: [http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24160]
[http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3468#p24152]
PoC,
Evidence contribution From MalwareMustDie
1.
https://www.youtube.com/watch?v=JjtOUto9Sr8
2.
https://www.youtube.com/watch?v=z6MdtFck6x4
3.
https://www.youtube.com/watch?v=sdKCjbrs5uQ
4.
https://www.youtube.com/watch?v=YtxaT1rahY8
5.
https://www.youtube.com/watch?v=OcOiuxAtbOk
Illustration
of "Volume & Combination" in its distribution
In a panel served with ELF malware, China DDoS'er crooks is
distributing quite big amount of downloads (even we are assuming 70% downloads
are for infection), as per seen in one panel snapshot picture below:
In a panel
we often spotted the China crook is mixing the type of malware, as per seen in
the PoC below:
Mixing
samples PoC:↓
Recent ELF
samples we collected & analyzed for the past one month:
(There are a
lot more than these & are still coming)
China ELF
DDoS'er download panels list:
h00p://192.169.219.22:280/
h00p://222.186.42.31:7019/
h00p://183.136.214.14:12345/
h00p://183.60.202.58:5147/
h00p://124.173.118.167:41235/
h00p://222.186.58.146:81/
h00p://183.60.202.58:5147/
h00p://222.186.58.146:81/
h00p://118.123.119.14:3543/
h00p://116.255.162.80:3322/
h00p://104.194.25.172/
h00p://218.244.148.150:24/
h00p://104.194.25.176:8080/
h00p://www.qiuwo.net/
h00p://www11359ui.sakura.ne.jp/
Geological
Source of ELF Malware wrt IP addresses as below:
Malware
& Intrusion Detection In Linux:
Malware Detection:
It is
recommended to use ClamAV Anti-Virus, Linux Malware Detection tools to detect
the malware.
Intrusion Detection:
It is
recommended to use AIDE. It is used to check user-land integrity checker.
Linux IMA
(Integrity Measurement Architecture): it is used to measure Kernel-Level
Integrity.
Mitigation
Techniques
ü
USE SELINUX – Intruder’s activity is limited to
an application of attack surface.
ü
Restrict outbound connections at firewall as
well as on Proxy – Using C&C blacklist
Conclusions
ü
Linux based platform such as server, mobile and
embedded has increased – ELF Malware has increased at the same time.
ü
Several malware intrudes vulnerable host using
latest vulnerabilities.
ü
Administrators and developers should have
control over all system components and response to new vulnerabilities
– Should be considered anti-malware, intrusion detection and mitigation
Note:
Very soon I Will Post Malware analysis & forensics Article on ELF Family Iptables/XOR.DDoS/AES.DDoS &
ChinaZ.
Reference:
CREDIT:
#MalwareMustDie
http://blog.malwaremustdie.org/2014/09/tango-down-report-of-op-china-elf-ddoser.html
