
What is the principle analysis and removal of botnet XorDDoS

2025-02-27 Update From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--

This article explains how the XorDDoS botnet works and how to remove it. The content is concise and easy to follow, and we hope the detailed introduction below gives you something useful.

Family background and current status

The XorDDoS botnet family has been active since 2014 and is named for its heavy use of XOR in its decryption routine. The family remains highly active, mainly because the attackers keep updating its C2 infrastructure. The figure below shows the trend of XorDDoS network requests observed by Security Cloud Brain; in terms of access volume it is stable.

The figure below shows the infection distribution of the family within China; infections are concentrated mainly in Guangdong, Jiangsu and Zhejiang provinces.

Analysis of the self-protection mechanism

The Sangfor security team analyzed the self-protection mechanism of the XorDDoS family in detail and removed it. The execution flow of the main process is as follows:

The bash scripts under /etc/cron.hourly carry the family's characteristic names; the following have been observed (and there may be more):

/etc/cron.hourly/udev.sh => cp /lib/libgcc4.so /lib/libgcc4.4.so

/etc/cron.hourly/gcc.sh => cp /lib/libudev.so /lib/libudev.so.6

/etc/cron.hourly/gcc4.sh => cp /lib/libudev4.so /lib/libudev4.so.6

/etc/cron.hourly/cron.sh => cp /lib/udev/dev /lib/udev/debug (rootkit version, /proc/rs_dev)

The daemonname substrings are then decrypted. Other articles have analyzed the decryption routine in detail; the decrypted strings are as follows:

daemon(1, 0) is then called to turn the process into a daemon, as described below:

Next, it checks the process's argument count; the cases of 2 and 3 arguments are handled separately.

If there is only one argument, the path of the currently running file is compared with the /usr/bin, /bin and /tmp directories. If it is in none of them, the directories /usr/bin, /bin, /tmp, /lib and /var/run are created and the file is copied to /lib/libudev4.so (this is just one of the variants). It then copies itself into one of /usr/bin, /bin or /tmp (the file name is 10 random lowercase letters; once one copy succeeds, it is not copied into the other directories), changes the copy's MD5, and executes it.

LinuxExec here is actually a double fork to create a child process, which then calls execvp to start the new process (with 2 arguments).

The currently running process's own file is then deleted.

When the process runs from /usr/bin, /bin or /tmp, it first obtains a shared memory segment and, on success, writes the current PID into it.

It then adds services: the various startup items and scheduled tasks.

It generates a random ID, randomly picks one of the previously decrypted daemonnames, and writes it into the process's argv, which changes the process name shown by the system and serves as a disguise.

Next, it creates a daemon_process thread, which checks for the /var/run/xxx.pid file; copies the parent file from the /lib directory if the parent file is not found; and checks whether the current process's own file still exists, killing the current process if it does not (this is a flaw that is very useful for cleanup later).

Details of the daemon_process thread are as follows:

It keeps deleting its own file and recreating the file and process, which is why the XorDDoS process comes back when it is terminated.

Rootkit version

The rootkit module of XorDDoS comes from the https://github.com/mncoppola/suterusu project, but in the actual environment the module's installation function is not executed, so it cannot be installed successfully.

Cleaning principle

From the analysis we know that a daemon_process thread checks the state of the file and kills the process if the file does not exist. So after clearing the malicious startup items, scheduled tasks and so on, use chattr to lock the directories XorDDoS uses; the virus process then terminates on its own, after which the locked directories are restored.
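As an added example (not code from the article or from Sangfor), the following Python triage scan looks for the indicators the article describes before the chattr-based removal step: cron.hourly scripts with the listed names or a cp of a /lib library to a new name, and ELF files named with 10 lowercase letters in /usr/bin, /bin and /tmp. The root parameter is an assumption that lets it run against a mounted disk image; the name list and patterns come only from this article and are not exhaustive.

```python
import os
import re

# Indicators taken from the article: cron.hourly scripts that copy a library
# under /lib to a new name, and dropped copies with 10-letter random names.
CRON_DIR = "etc/cron.hourly"
KNOWN_CRON_NAMES = {"udev.sh", "gcc.sh", "gcc4.sh", "cron.sh"}
CRON_COPY_RE = re.compile(r"\bcp\s+/lib/\S+\s+/lib/\S+")
RANDOM_NAME_RE = re.compile(r"^[a-z]{10}$")
DROP_DIRS = ("usr/bin", "bin", "tmp")
ELF_MAGIC = b"\x7fELF"

def _listdir(d):
    # Sorted listing, empty if the directory is missing (e.g. partial image).
    return sorted(os.listdir(d)) if os.path.isdir(d) else []

def _is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def scan_cron(root):
    """Return cron.hourly scripts with a known name or a /lib -> /lib copy."""
    hits = []
    d = os.path.join(root, CRON_DIR)
    for name in _listdir(d):
        p = os.path.join(d, name)
        try:
            with open(p, "r", errors="replace") as f:
                text = f.read()
        except OSError:
            continue
        if name in KNOWN_CRON_NAMES or CRON_COPY_RE.search(text):
            hits.append(p)
    return hits

def scan_drop_dirs(root):
    """Return ELF files named with exactly 10 lowercase letters in the drop dirs."""
    hits = []
    for sub in DROP_DIRS:
        d = os.path.join(root, sub)
        for name in _listdir(d):
            p = os.path.join(d, name)
            if RANDOM_NAME_RE.match(name) and os.path.isfile(p) and _is_elf(p):
                hits.append(p)
    return hits

def scan(root="/"):
    """Triage a live host (root="/") or an image mounted at root."""
    return {"cron_scripts": scan_cron(root), "random_binaries": scan_drop_dirs(root)}
```

Review every hit manually before removing anything, since a legitimate 10-letter binary or cron script would also match.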

Protection suggestions

Virus detection and removal

Sangfor provides free detection and removal tools to users; the following tools can be downloaded for detection and removal.

Virus defense

1. Use Sangfor security products, connect to Security Cloud Brain, and use the cloud lookup service to detect and defend against new threats immediately.

2. Sangfor offers security operation services that help users quickly expand their security capabilities through a "human-machine intelligence" service model. For this kind of threat, the security operation service provides device security policy checks, security threat checks, related vulnerability checks and other services to ensure that risks are detected and policies are updated immediately to prevent such threats.

Finally, enterprises are advised to carry out a network-wide security inspection and antivirus scan to strengthen protection. Sangfor Security Awareness + Firewall + EDR is recommended to detect, remove and protect against threats on the internal network.

The above is the principle analysis and removal of the XorDDoS botnet. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
