A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited. The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan.20. XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. And these are being carried out using complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand, to infect x86 and mobile ARM systems alike. Once infected, the hosts are enlisted to launch DDoS attacks. “While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programming in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis. What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts, per server. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. “Someone with a lot of bandwidth and resources really wanted to get into our servers,” FireEye researcher noted. They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur. Now, a new stage of the Hee Thai campaign is more chaotic than the previous two. “The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained. The Hee Thai campaign also features an on-demand malware build system. Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand to deliver XOR.DDoS to the target machine. This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS. “Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.” Source: http://www.infosecurity-magazine.com/news/massive-ddos-bruteforce-targets/
Read the article:
Massive DDoS Brute-Force Campaign Targets Linux Rootkits
An upgrade to China’s Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes. One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of search traffic piling into his system: 13,000 requests per second, or roughly a third of Google’s search traffic. The post goes into some detail over howHockenberry managed to deal with the firehose-blast of requests, all of it coming from China and much of it trying to find Bittorrents or reach Facebook. Short version: he blocked all of China’s IP blocks. Hockenberry is not the only one dealing with a sudden flood of requests, though. There are numerous reports of sysadmins finding that their IP address has appeared in front of the headlights of the Chinese government’s censorship juggernaut, causing them to fall over and forcing them to introduce blocking measures to get back online. After a number of different theories about what was happening, including focussed DDoS attacks and “foreign hackers” – that suggestion courtesy of the Chinese government itself – the overall conclusion of the technical community is that bugs have been introduced into China’s firewall. Particularly, something seems to have gone wrong in how it uses DNS cache poisoning to redirect users away from sites the government doesn’t want them to see. Poison China uses a weak spot of the DNS system to intercept requests coming into and going out of the country. If it spots something it doesn’t like – such as a request for “facebook.com” or “twitter.com” – it redirects that request to a different IP address. For a long while, China simply sent these requests into the ether – i.e. to IP addresses that don’t exist, which has the effect of causing the requests to time out. However, possibly in order to analyze the traffic more, the country has started sending requests to IP addresses used by real servers. Unfortunately, it seems that there have been some configuration mishaps and the wrong IP addresses have been entered. When one wrong number means that a server on the other side of the world suddenly gets hits with the full stream of millions of Chinese users requesting information, well then … that server falls over. The situation has had a broader impact within China. Tens of millions of users weren’t able to access the Web while the government scrambled to fix the problem. According to one Chinese anti-virus vendor, Qihoo 360, two-thirds of Chinese websites were caught up in the mess. China’s DNS infrastructure experts started pointing the finger at unknown assailants outside its system. “The industry needs to give more attention to prevent stronger DNS-related attacks,” said Li Xiaodong, executive director of China’s Internet Network Information Center (CNNIC). Your own medicine The reality, however, is that China has seen the downside to its efforts to reconfigure the basic underpinnings of the domain name system to meet political ends. The network is designed to be widely distributed and route around anything that prevents effective communication. By setting itself up as a bottleneck – and an increasingly huge bottleneck as more and more Chinese users get online – the Chinese government is making itself a single point of failure. The slightest error in its configurations will blast traffic in uncertain directions as well as cut off its own users from the internet. For years, experts have been warning about the “balkanization” of the internet, where governments impose greater and greater constraints within their borders and end up effectively breaking up the global internet. What has not been covered in much detail is the downside to the countries themselves if they try to control their users’ requests, yet make mistakes. Source: http://www.theregister.co.uk/2015/01/26/great_firewall_of_china_ddos_bug/