At the end of September 2014, MalwareMustDie discovered XorDDoS, which builds a botnet that can be used for launching DDoS attacks. The main characteristic of the XorDDoS family is that it compromises the target host by brute-force guessing against weak SSH passwords and executes corresponding shell scripts to install the XorDDoS malware family and malicious RootKit for host infection.
The XorDDoS variant now in wide circulation no longer carries the RootKit component that shipped with the original version; that component has been removed.
Upon startup, XorDDoS runs by creating subprocesses and corresponding daemons. During its initial run, XorDDoS copies the original virus file to the directory with the highest privileges and then deletes the original. At the same time, by reading its own file content, XorDDoS generates a large number of malicious programs with random names in that directory, so that the system administrator cannot locate all of the files, which improves its chance of survival. In addition, XorDDoS has strong anti-defense capabilities: it uses the RootKit technique to hide the port number associated with each IP address.
At the initial phase of running, XorDDoS first sets the value of the environment variable, PATH, as follows:
The purpose is to ensure that its program can properly implement subsequent functions.
The sample decrypts data using the built-in XOR-key: BB2FA36AAA9541F0.
In this way, XorDDoS obtains the C&C and port information ww.s***32c.com:3309. Note that the parsed address here may not be the actual C&C address used for command interaction.
The sample modifies the file content, changes the file name, and generates multiple virus files with different MD5 values. Then it copies these virus files to separate directories, executes them repeatedly, and creates multiple daemons at the same time.
It creates scripts for the auto-start item so that the virus runs automatically after a restart.
After initializing the automatic startup item, the virus, through decryption, recovers the actual C&C address used for command controls and its backup address from the virus file.
The virus creates three threads for the subsequent attack steps: threads 1 and 3 kill all processes generated by XorDDoS, and thread 2 (called the “main thread” hereinafter) receives and executes remote control commands.
In the main thread, the virus connects to the actual C&C server and sends it the CPU, memory, disk file, and network quality information collected from the infected machine. It encrypts this data with the XOR key before sending it. To ensure data integrity, it places the CRC32 value of the data in the first four bytes of each packet to be sent.
The following presents technical information about the virus’s interaction with the server.
The virus first obtains a MAGIC string, bpujggltsmihjflqnyvcrzzydtsurpcs, and calculates the CRC32 value of the array [0, 0x110, 0, 0, 0, 0, 0] before collecting computer information and sending crafted packets.
The first packet contains the CRC32 value of 0x1C bytes.
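The framing just described (payload XOR-encoded with the sample's key, CRC32 of the payload in the first four bytes), as an added analyst-side example that is not code from the report. It assumes the key is applied as a repeating key and the CRC is stored little-endian; the page states neither. The sample packet is constructed, not captured traffic.

```python
import struct
import zlib
from typing import Optional

# 16-byte XOR key reported for this sample; assumed here to be applied as a repeating key.
XOR_KEY = b"BB2FA36AAA9541F0"


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frame(payload: bytes) -> bytes:
    """Prefix the payload with its CRC32 (assumption: little-endian), as the bot does."""
    return struct.pack("<I", zlib.crc32(payload)) + payload


def unframe(packet: bytes) -> Optional[bytes]:
    """Return the payload if the 4-byte CRC32 prefix matches it, otherwise None."""
    if len(packet) < 5:
        return None
    stored = struct.unpack("<I", packet[:4])[0]
    payload = packet[4:]
    return payload if zlib.crc32(payload) == stored else None


def has_crc32_prefix(packet: bytes) -> bool:
    """Key-independent traffic characteristic: the first four bytes equal the CRC32
    of the remainder. This holds whatever XOR key a given sample was built with."""
    return unframe(packet) is not None


def decode_report(packet: bytes) -> Optional[str]:
    """Unframe a bot-to-C&C packet and XOR-decode the host report it carries."""
    payload = unframe(packet)
    if payload is None:
        return None
    return xor_crypt(payload).rstrip(b"\x00").decode("ascii", "replace")


# Constructed sample: a 0x1C-byte host report (not real traffic), XOR-encoded and framed.
SAMPLE_REPORT = b"cpu:4 mem:8G disk:/ net:ok".ljust(0x1C, b"\x00")
SAMPLE_PACKET = frame(xor_crypt(SAMPLE_REPORT))
```

A flipped byte anywhere in the payload makes unframe() return None, which is the integrity check the bot relies on and the structural feature a traffic detector can key on.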
The format of the second packet is as follows:

| Offset | Length | Content |
|---|---|---|
| 0x8 | 0xC | Whether LVM_rootkit is installed |
| 0xC | 0x41 | Release information (system) |
The first received packet is a packet that contains the CRC32 value of 0x1C bytes.
The third sent packet is a UDP packet filled with invalid characters.
The second received packet is 0x1C bytes long.
The length of the third received packet is specified by the len_recv value received in the previous packet.
The following table lists the received commands:

| Command | Received Content Next Time | Meaning |
|---|---|---|
| 0x2 | None | Stopping DDoS and Keepalive packets |
| 0x3 | Attack target and type | DDoS |
| 0x6 | HTTP link | File download |
| 0x7 | HTTP link | File download and execution (update) |
| 0x8 | HTTP link | Uploading the MD5 value of the file to be executed and POST requests |
| 0x9 | HTTP link | Downloading the configuration file |
Command 0x9 exists in thread 3, whose code is exactly that in the main thread.
The third received data is a packet that contains an attack target. Every 0x114 bytes compose a unit. The format is as follows:

| Offset | Length | Content |
|---|---|---|
| 0x0 | 0x4 (unsigned int) | IP address of the attack target (target_ip) |
| 0x4 | 0x2 (unsigned short) | Target port (target_port) |
| 0x108 | 0x4 (int) | Attack type (sub_code) |
| 0x10C | 0x4 (int) | Whether the local IP address is used (fake_ip); 1 indicates that a random IP address is used |
The following table lists the attack types.
The packet contains information about the attack target. Apart from the field at byte 0x6, this packet has the same content as the 0x114-byte unit described above:

| Offset | Length | Content |
|---|---|---|
| 0x6 | Not fixed; cannot exceed 0x100 characters | Domain address |
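A decoder for the 0x114-byte attack-target unit described above, including the domain field at offset 0x6 of the domain form, added here as example code for analysts and not taken from the report. It assumes target_ip is stored in network byte order and that target_port, sub_code and fake_ip are little-endian; the report does not state byte order. The sample command is constructed with documentation-only addresses.

```python
import socket
import struct
from typing import Dict, List

UNIT_SIZE = 0x114  # one attack target per 0x114-byte unit (from the report)


def parse_target_units(data: bytes) -> List[Dict]:
    """Split a received attack command into 0x114-byte units and decode each one.

    Assumptions not stated in the report: target_ip is in network byte order,
    target_port/sub_code/fake_ip are little-endian, and the domain form carries a
    NUL-terminated string of at most 0x100 bytes at offset 0x6. Trailing partial
    units are ignored.
    """
    units = []
    for off in range(0, len(data) - UNIT_SIZE + 1, UNIT_SIZE):
        u = data[off:off + UNIT_SIZE]
        sub_code, fake_ip = struct.unpack_from("<ii", u, 0x108)
        units.append({
            "target_ip": socket.inet_ntoa(u[0:4]),
            "target_port": struct.unpack_from("<H", u, 0x4)[0],
            "domain": u[0x6:0x106].split(b"\x00", 1)[0].decode("ascii", "replace"),
            "sub_code": sub_code,
            # fake_ip == 1: the bot is told to use a random IP address (per the report)
            "random_source_ip": fake_ip == 1,
        })
    return units


def build_target_unit(ip: str, port: int, domain: str, sub_code: int, fake_ip: int) -> bytes:
    """Construct one unit under the same assumptions; used only to build sample input."""
    buf = bytearray(UNIT_SIZE)
    buf[0:4] = socket.inet_aton(ip)
    struct.pack_into("<H", buf, 0x4, port)
    name = domain.encode("ascii")[:0xFF]
    buf[0x6:0x6 + len(name)] = name
    struct.pack_into("<ii", buf, 0x108, sub_code, fake_ip)
    return bytes(buf)


# Constructed sample command with two targets (documentation addresses, not real traffic).
SAMPLE_COMMAND = (
    build_target_unit("192.0.2.10", 80, "", 1, 0)
    + build_target_unit("198.51.100.7", 53, "target.example.invalid", 2, 1)
)
```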
Most versions of the XorDDoS family spreading in the Chinese mainland have had the RootKit removed, so their hazards are weaker than those of earlier versions. However, the attackers provide persistence mechanisms and several tricks that make it difficult for the system administrator to remove the virus, which to some extent increases its survival rate.
In addition, during its interaction with the C2 server, XorDDoS sends encrypted data, which is hard to detect and discover and is intended to hinder analysts.
Note that XorDDoS can hide its traffic simply by changing the XOR key. Therefore, to discover this virus, detection should rely on characteristics of the network traffic rather than on specific traffic contents.