At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported by the MalwareMustDie! group. The post mentioned the initial intrusion of SSH connection, static properties of related Linux executable and encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
Installation Script & Infection Vector
The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.
In the requests below, iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system by the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under “3.8.0-19-generic\ SMP\ mod_unload\ modversions\ 686\ “, which has the MD5 hash equal to CE74BF62ACFE944B2167248DD0674977. Read more…
At the beginning of 2014, gaming platforms such as League of Legends and other video-game servers were brought down by distributed denial-of-service (DDoS) attacks. These attacks cost professional gamers thousands in advertising revenue. FNATIC Senior Features writer, Davor ‘Dendra’ Miljkovic, spoke to Jiri Sejtko, the Director of the AVAST Virus Lab, about how to handle DDoS attacks. Here is a reprint of the original article that appeared on the FNATIC website.
The threat is real
The internet realm is becoming increasingly troublesome, as the encyclopedia of viruses, worms, trojans and other malicious creations only keeps growing. However, when it comes to gamers it seems that one particular annoyance tops that list nowadays – Distributed Denial-of-Service (DDoS) attacks. Whether it’s a TS server lagging for no apparent reason or an entire gaming server overloading, chances are you’ve experienced a DDoS attack before.
Dating back to 2000, DDoS attacks have been used to make a machine or network resource unavailable to its intended users and there are several methods to accomplish this. One of the more popular methods is to flood a targeted system with incoming traffic to the point it cannot respond to legitimate traffic or only respond very slowly. This very method is the premium choice among disgruntled gamers who aim to sabotage a server or one particular system of another gamer they dislike for whatever reason.
So what can you do if you find yourself targeted by one such disgruntled gamer?
What can be done?
To see what can be done to help you deal with a DDoS attack or a potential one, we spoke to Jiri Sejtko, the Director of Viruslab Operations at Avast Software:
Q: What kind of security measures are available to protect yourself from a DDoS attack?
A: Basically, there is no protection if an attack is well done, however you can always do some steps to defend your system once the attack has happened.When you know how the attack is done, it’s possible to tweak (setup) your system and to try to find out where the attack came from.
Q: Can you elaborate on these steps?
A: One of the steps would be to configure your router to filter IPs or even protocols used in the attack – this step will help if the attacker didn’t use the whole bandwith of the given Internet connection. Best ask your Internet Service Provider to do this for you.
Q: So which ISPs would you recommend?
Read this answer and the entire article on the FNATIC website.
avast! Internet Security is the official antivirus software of the FNATIC team. avast! offers a massive 40% discount to FNATIC fans! Purchase your discounted avast! Internet Security from the dedicated FNATIC page at avast.com.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
See update below
For the past three Tuesday mornings, DDoS (distributed denial of service) attacks have caused online outages at major U.S. banks, including Bank of America, Chase, Wells Fargo, U.S. Bank and PNC. The attacks end by Friday afternoons. A DDoS attack causes the site or service to be temporarily unavailable by flooding the targeted website with traffic until the site’s servers are overloaded. Yesterday, customers started reporting on SiteDown that they were having trouble accessing the Wells Fargo and Bank of America websites.
The banks that experienced outages have confirmed that no sensitive financial information or personally identifiable information about customers was exposed, supposedly because the attacks were motivated by politics, not fraud.
A hacktivist group called “Cyber fighters of Izz ad-din Al qassam” are taking credit for the attacks, but experts say that this group has not historically been affiliated with hacktivism. The variety and scale of the attacks have experts doubting that the group was involved, citing the massive bandwidth used in the attacks.
Collaboration among banking institutions, online-banking platform providers, other vendors, industry associations and the government, has been stronger than ever because of these attacks, reports BankInfoSecurity. “There definitely seems to be more of a community effort for the first time here to address this issue. And now we are seeing a real-life situation where we’ve had to pull together and be prepared,” says a security and fraud executive at a $4 billion banking institution in the U.S. who wishes to remain unidentified.
Early warnings about attacks aimed at these institutions were issued by the FBI and the FS-ISAC benefiting the entire industry. However, there is criticism that banks have not done enough to communicate with consumers about what is causing the outages. They might be legally barred from releasing details, however, since an ongoing investigation is in progress. The best you can expect is a “Sorry for the inconvenience.”
At this point it doesn’t appear that the DDoS attacks put your money in danger besides being unable to access your account for periods of time. Once you can access your bank’s website, check the security of your account. For those of you wanting to take precautions when conducting online financial transactions, Avast offers extra protection to keep your transactions private. Avast! SafeZone (available in avast! Pro Antivirus and avast! Internet Security) creates full desktop isolation so that other applications don’t see what’s happening – perfect for secure banking or online shopping– and leaves no traces once it’s closed. Check out the Deal of the Week for savings on our premium protection.
Update, October 12: Regions Bank was attacked today and Capital One and SunTrust were hit earlier this week. Izz ad-din Al qassam, the group taking credit for the attacks, warned about them in advance, saying it expects to spend the weekend developing plans for more attacks next week. The group claim the reason behind all this mischief is because of a YouTube movie trailer believed by the group to be anti-Islam. If the group repeats their established pattern, banks could expect more attacks next Tuesday, Oct. 16. No fraud activity has been reported by the banks.