XOR.DDoS Attack Analysis Report

Size: px

Start display at page:

Download "XOR.DDoS Attack Analysis Report"

Susanna Merritt
6 years ago
Views:

1 Security Level Public CDNetworks XOR.DDoS Attack Analysis Report 30 th June, 2016 Security Service Team Sungjun Lee

2 Table of Contents 1. Overview What is XOR.DDoS? XOR.DDoS Malware Infection Paths What is BruteForce Attack? Analysis of XOR.DDoS Analysis of XOR.DDoS Attacks Comparison of Attacks in 2015 vs Current Status of XOR.DDoS Attacks Detected in Data Volume Included in SYN Flooding Analysis of Origin of XOR.DDoS Attacks in Countermeasure Against XOR.DDoS Countermeasures against BruteForce Attack and Malware Countermeasures against XOR.DDoS Attacks Conclusion Public 2 CopyrightcCDNetworks. All Rights Reserved.

3 Security Trends Linux Malware XOR.DDoS 1. Overview In September 2015, a mass-scale XOR.DDoS attack over 150 Gbps occurred utilizing Linux Malware. XOR.DDoS is the name of the malware, not the attack name, used to affect the Linux system. It was detected in September 2014 and the analysis of the malware was published by various security service companies and blogs. This report will show the analysis of XOR.DDoS and how to counteract XOR.DDoS. 2. What is XOR.DDoS? The traditional attack utilized the existing vulnerabilities of Linux to make bad use of the system. However, XOR.DDoS makes Windows PCs into zombie PCs and starts attacks through the Command & Control (C&C) server. The following figure shows the current status of detections at a rate of 25 out of 55 by vaccine developers against the XOR.DDoS malware. <Figure 1 VirusTotal> See the following web sites for the details of the malware: - Malwr.com: - Virustotal: 254e5b/analysis/ Public 3 CopyrightcCDNetworks. All Rights Reserved.

2.1 XOR.DDoS Malware Infection Paths The existing malware had infected PCs through Webhard, Torrent, or by using the drive-bydownloads method. However, in the case of vulnerable Linux systems, XOR.

4 2.1 XOR.DDoS Malware Infection Paths The existing malware had infected PCs through Webhard, Torrent, or by using the drive-bydownloads method. However, in the case of vulnerable Linux systems, XOR.DDoS starts BruteForce attacks to get the account and the password; then, it installs viruses in the Linux system. <Figure 2 - XOR.DDoS Infection Scheme> What is BruteForce Attack? A brute force attack tries many random passwords until it gets the correct password. There are various types of brute force attacks including the dictionary attack which determines the decryption key or password by trying combinations of words, the random attack which enters all keys, and the rainbow attack which uses a pre-defined hash table. Public 4 CopyrightcCDNetworks. All Rights Reserved.

However, a lot of time is required to run all of the tables on general PCs or servers.

5 <Figure 3 - Rainbow Hash Table> Figure 3 shows the hash tables used for rainbow attacks. In the tables, a total 3.6 GB of hash functions are saved. The figure indicates that attacks with the tables can decrypt the encrypted password at a total success rate of %. However, a lot of time is required to run all of the tables on general PCs or servers. With this weak point, the industry is carrying out a study of decryption in relation to the use of GPUs or supercomputers. In addition, each hash functions has its explicitly defined guarantee period which means the hash function cannot be decrypted before this guarantee period expires giving consideration to the speed of the hardware development. In other words, with a high-performance supercomputer, cryptanalysis of all ciphers is possible. <Table 1 Domestic Cipher Usage Status and Cipher Implementation Guide Provided by KISA> Public 5 CopyrightcCDNetworks. All Rights Reserved.

3. Analysis of XOR.DDoS The core of the XOR.DDoS malware is the BuildServer. With this server, the hacker can distribute and install viruses in the hacked Linux systems in the most appropriate manner.

6 3. Analysis of XOR.DDoS The core of the XOR.DDoS malware is the BuildServer. With this server, the hacker can distribute and install viruses in the hacked Linux systems in the most appropriate manner. Figure 4 briefly shows the structure of the malware. <Figure 4 Obfuscation of the Malware> The above figure shows the beginning of the obfuscation in a malware. The obfuscated part can be decrypted by using the following syntax: <Figure 5 Syntax for Decryption of the Malware> Figure 6 shows the result of decryption. (Source: malwaremustdie.org) <Figure 6 Result of Decrypting the Malware> Public 6 CopyrightcCDNetworks. All Rights Reserved.

The attacker has set the malware to force the system to download the malware from each different server, according to the Linux version, and has also configured the malware to connect the system to

7 The attacker has set the malware to force the system to download the malware from each different server, according to the Linux version, and has also configured the malware to connect the system to the C&C server. Most of the related tasks are performed with a temporary file with the temporary folder being deleted when a task completes. <Figure 7 Temporary Folder> Most pages related to the IP utilized to distribute malicious codes are still being used; however, most pages related to the temporary file download URL are not used. <Figure 8- Still Vulnerable Web Sites> As shown below, the reference check for the IPs shows that the IPs have distributed malware so far. <Figure 9 Reference Check for IPs Which have Distributed Malware> Public 7 CopyrightcCDNetworks. All Rights Reserved.

8 In addition, the IP has two domains, lu911.com and chao00.com, and the origin server is in the U.S.A. <Figure 10 Identified Domains of the IP Which have Distributed Malware> Public 8 CopyrightcCDNetworks. All Rights Reserved.

4. Analysis of XOR.DDoS Attacks The XOR.DDoS attack is used to defeat the network by generating mass volumes of data including meaningless strings in the SYN.

In addition, the UDP has been used to block mass traffic at the upper level. However, the XOR.DDoS attack uses the TCP, which the small network line cannot block.

9 4. Analysis of XOR.DDoS Attacks The XOR.DDoS attack is used to defeat the network by generating mass volumes of data including meaningless strings in the SYN. This is a very serious threat to the network because the data volume exceeds the network processing capacity of most general companies. In addition, the UDP has been used to block mass traffic at the upper level. However, the XOR.DDoS attack uses the TCP, which the small network line cannot block. <Figure 11 - XOR.DDoS Attack Using the G Company s Cloud Service (SYN Flooding)> 4.1 Comparison of Attacks in 2015 vs <Table 2 Comparison of XOR.DDoS Attacks in 2015 vs. 2016> Public 9 CopyrightcCDNetworks. All Rights Reserved.

The longest attack detected in 2016 lasted for 8 hours and 21 minutes. <Table 3 Current Status of XOR.DDoS Attacks in 2016> 4.

10 4.2 Current Status of XOR.DDoS Attacks Detected in 2016 According to the analysis, the XOR.DDoS attacks lasted a long time, different from the popular HIT & RUN type attacks. The longest attack detected in 2016 lasted for 8 hours and 21 minutes. <Table 3 Current Status of XOR.DDoS Attacks in 2016> 4.3 Data Volume Included in SYN Flooding To maximize the attacking traffic size, bytes of meaningless data have been included in the SYN packet. <Figure 12 Test with wireshark > Public 10 CopyrightcCDNetworks. All Rights Reserved.

4.4 Analysis of Origin of XOR.DDoS Attacks in 2016 77.1 % of XOR.DDoS attacks have occurred in China and the U.S.A., mainly in the Linux servers that use Cloud services.

11 4.4 Analysis of Origin of XOR.DDoS Attacks in % of XOR.DDoS attacks have occurred in China and the U.S.A., mainly in the Linux servers that use Cloud services. Many large-scale cloud service providers including the companies M, I, A, and G were also the victims of XOR.DDoS attacks. In addition, as SSH services (22/TCP) are being used in most cases, it is assumed that cloud systems without proper management have been hacked. <Figure 13 Top 10 Countries Where Most XOR.DDoS Attacks Occurred> Public 11 CopyrightcCDNetworks. All Rights Reserved.

5. Countermeasure Against XOR.DDoS 5.1 Countermeasures against Brute Force Attack and Malware First, the hacker intrudes into the target server to install the XOR.DDoS malware in the server.

It is possible to counteract against a brute force attack by allowing only the office IPs or the IPs used to access the server, and blocking any other IPs.

<Figure 14 Blocking Access to the No. 22 Port except Office IPs and VPN IPs> The second countermeasure is to set the threshold value and set the lock time.

<Figure 15 Screen for Setting the Threshold Value> For example, when the lock threshold time is set to 5 and the lock period is set to 10 minutes, the hacker must wait for 10 minutes after

12 5. Countermeasure Against XOR.DDoS 5.1 Countermeasures against Brute Force Attack and Malware First, the hacker intrudes into the target server to install the XOR.DDoS malware in the server. For this intrusion to take place, the hacker starts with a brute force attack. Access control (ACL) can be an effective countermeasure against this. It is possible to counteract against a brute force attack by allowing only the office IPs or the IPs used to access the server, and blocking any other IPs. However, if the hacker hacks the PCs in the office, there may be a certain risk. To remove this risk, a safer method is to add a 2-factor authentication system. <Figure 14 Blocking Access to the No. 22 Port except Office IPs and VPN IPs> The second countermeasure is to set the threshold value and set the lock time. In general, most PCs used in offices have a preset threshold value of the password trials and the lock time. <Figure 15 Screen for Setting the Threshold Value> For example, when the lock threshold time is set to 5 and the lock period is set to 10 minutes, the hacker must wait for 10 minutes after five trial failures so it is very difficult for attacks to succeed, so the success rate is also very low. The third countermeasure is to change the default port. For the Linux server, change the #Port 22 to any other port in the /etc/ssh/sshd_config file to counteract against basic scanning attacks. [Before] [After] <Figure 16 Before and After Changing the Default Port> Public 12 CopyrightcCDNetworks. All Rights Reserved.

The fourth countermeasure is to set the password complexity. For example, a password with a simple word or sentence is very vulnerable against the dictionary attack.

13 The fourth countermeasure is to set the password complexity. For example, a password with a simple word or sentence is very vulnerable against the dictionary attack. In this case, the predefined words are entered as they are, which is very fast and simple. As such, passwords can be easily exposed. <Table 4 - Top 20 Imperva Password Popularities> For safer passwords, the password must contain a minimum of 12 characters including letters, numbers, and special symbols. The fifth countermeasure is to use vaccine software. With various types of malware and diversified distribution methods, vaccine software plays a critical role in server security. With the diverse features of vaccines, it is possible to protect the host from various external threats including abnormal network blocking as well as malware. 5.2 Countermeasures against XOR.DDoS Attacks The XOR.DDoS attack is carried out as a form of SYN flooding + including data. SYN is just a process to perform a 3-way handshake and does not require the inclusion of data in the SYN packets. If SYN packets with data are detected, the XOR.DDoS attack can be defeated by blocking all of the SYN packets. In addition, as shown below, it is good to use a SYN cookie against SYN flooding + SYN spoofing attacks, both of which have occurred in 2015, because a SYN cookie is effective and useful against spoofing. Public 13 CopyrightcCDNetworks. All Rights Reserved.

The SYN cookie blocks SYN spoofing effectively by including the cookie value in the sequence number and comparing the cookie value with SEQ - 1 = cookie value at the

Therefore, the SYN cookie is a very effective way to block spoofing attacks.

14 The SYN cookie blocks SYN spoofing effectively by including the cookie value in the sequence number and comparing the cookie value with SEQ - 1 = cookie value at the end. The SYN cookie does not require a certain time to wait for the response; if the two values are not identical, the packet is just discarded. Therefore, the SYN cookie is a very effective way to block spoofing attacks. <Figure 17 Countermeasure against SYN Spoofing Attack by Using Setcookie> To use the feature, set as follows: Vi /etc/sysctl.conf Net.ipv4.tcp_syncookies=1 Net.ipv4.tcp_max_syn_backlog=9012 <Figure 18 SYN Cookie Settings> Public 14 CopyrightcCDNetworks. All Rights Reserved.

If the session request is normal, the same IP will send the SYN request again.

15 Alternatively, First SYN DROP can be a second countermeasure. This technique works by saving the first SYN packet information in the memory and dropping the packet. If the session request is normal, the same IP will send the SYN request again. If the request is made for attack, another SYN request from another IP will be received. <Figure 18 Countermeasure against SYN Spoofing by Using First SYN Drop> Public 15 CopyrightcCDNetworks. All Rights Reserved.

16 6. Conclusion A large-scale network line is necessary to counteract against massive-scale TCP attacks such as XOR.DDoS. However, the cost is high and inefficient for companies that do not serve tens of gigabytes for Internet services. To solve these problems, the CDN industry is providing services to counteract against DDoS attacks. As the services are cloud-based, the available traffic processing capacity is very large and the cost is significantly lower than the cost taken to implement the services in each company. With these services, most companies will benefit substantially from the affordable cost and time without any accompanying issues. References Avast Blog: MalwareMustDie: Virustotal: Malwr: Public 16 CopyrightcCDNetworks. All Rights Reserved.

17 About CDNetworks CDNetworks is one of the most powerful global content delivery network (CDN) service providers. Based on infrastructure and technologies implemented in over 100 cities and over 200 network bases, it provides advanced technology in the media streaming, large-scale file transfer, and web/application acceleration service fields. In addition, based on its rich infrastructure and operation experiences, it has also provided DDoS defense services. Recently, CDNetworks has been breaking into the securityconsolidated cloud computing and web application firewall(waf) markets and providing competitive capabilities in fast and stable content delivery. More than 1,500 companies in various industries, including enterprise, public services, portals, online education, media, entertainment, game, software, and retail, are accelerating with more than 40,000 global websites and applications over CDNetworks service. Website: Copyrights CopyrightcCDNetworks. All Rights Reserved. CDNetworks shall solely have the copyrights of this document and it is strictly prohibited to distribute or reproduce this document without the prior approval of CDNetworks. Information included in this document may be altered or modified without any prior notification. Korea 2F, 37, Teheran-ro 8-gil, Gangnam-gu, Seoul Japan Nittochi Nishi-Shinjuku Building 8th Floor, , Nishishinjuku Shinjuku-ku, Tokyo China Room No.A-1502, Keijidalou, 900 Yi Shan Road, Shanghai Singapore 51 Cuppage Road, #06-07, Singapore Singapore US 1919 S. Bascom Avenue, Ste. 600 Campbell, CA EMEA 85 Gresham Street London, EC2V 7NQ CDNetworks. All rights reserved. Public 17 CopyrightcCDNetworks. All Rights Reserved.

Q Web Attack Analysis Report

Q Web Attack Analysis Report Security Level Public CDNetworks Q4 2016 Web Attack Analysis Report 2017. 2. Security Service Team Table of Contents Introduction... 3 Web Attack Analysis... 3 Part I. Web Hacking Statistics... 3 Part