A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that's custom built for each infection.

The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. However, it has since evolved and new versions were seen in the wild as recently as Jan. 20, according to a new report Thursday from security firm FireEye, which analyzed the threat in detail.

XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks launched primarily from Internet Protocol (IP) addresses registered to a Hong Kong-based company called Hee Thai Limited.

The attacks attempt to guess the password for the root account by using different dictionary-based techniques and password lists from past data breaches.

FireEye observed well over 20,000 SSH login attempts per targeted server within a 24-hour period and more than 1 million per server between mid-November and the end of January.

When the attackers manage to guess the root password, they send a complex SSH remote command - sometimes over 6,000 characters long - that consists of multiple shell commands separated by semicolons.

These commands download and execute various scripts as part of a sophisticated infection chain that relies on an on-demand malware building system.

The use of SSH remote commands is significant because OpenSSH does not log the content of such commands, "even when logging is configured to the most verbose setting," the FireEye researchers said.

"Since a remote command doesn't create a terminal session, TTY logging systems also do not capture these events. Both the last and lastlog commands, which display listings of recent logins, are also blind."

The initial scripts harvest Linux kernel headers from infected systems and also extract the "vermagic" string from the existing loadable kernel modules (LKMs).

This information is sent back to attacker-controlled servers and is used to automatically build rootkits that function as LKMs and are customized for each infected system.

This on-demand build infrastructure automates the creation of LKM rootkits for different kernels and architectures, which is necessary because each LKM has to be compiled for the particular kernel it's intended to run on.

"Unlike Windows, which has a stable kernel API allowing for the creation of code that is portable between kernel versions, the Linux kernel lacks such an API," the FireEye researchers said. "Since the kernel's internals change from version to version, a LKM must be binary compatible with the kernel."
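The brute-force stage described above is visible in ordinary sshd logs even though the later remote command is not. The following is an added example, not code from the article or the FireEye report: it parses "Failed password" lines from a syslog-style auth log, counts guesses per source address and per day, and reports any source that later gets an "Accepted" login after repeatedly guessing root, which is the moment the attackers send their command. The log lines are constructed for the example and use documentation-range addresses; the thresholds are assumptions, not values from the report.

```python
"""Flag SSH password-guessing against root from sshd log lines.

Added example (not from the FireEye report or the article). Counts
"Failed password" events per source address and per calendar day and
reports sources that exceed a threshold, plus successful logins from
sources that had been guessing. Sample lines below are constructed;
addresses are from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# Typical sshd auth.log line: month day time host sshd[pid]: message.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
Jan 20 03:14:15 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 20 03:14:16 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 20 03:14:17 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 20 03:14:18 web1 sshd[2207]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
Jan 20 03:14:19 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 20 03:20:01 web1 sshd[2250]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Jan 21 09:00:00 web1 sshd[3100]: Failed password for root from 192.0.2.77 port 60001 ssh2
"""


def parse_failures(text):
    """Return (day, user, ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((f"{m['mon']} {m['day']}", m["user"], m["ip"]))
    return events


def root_guesses_by_source(events):
    """Failed root logins per source IP."""
    return Counter(ip for _day, user, ip in events if user == "root")


def failures_by_day(events):
    """Failed logins per calendar day; FireEye saw over 20,000 a day per server."""
    return Counter(day for day, _user, _ip in events)


def flag_sources(events, threshold):
    """Sources with at least `threshold` failed root logins, most active first."""
    return [ip for ip, n in root_guesses_by_source(events).most_common() if n >= threshold]


def accepted_after_failures(text, events, min_failures=3):
    """Successful logins from sources that had already guessed root repeatedly.

    This is the event that matters: the remote command is sent only once a
    guess succeeds, and that command itself leaves no sshd log entry.
    """
    guessers = {ip for ip, n in root_guesses_by_source(events).items() if n >= min_failures}
    hits = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m["ip"] in guessers:
            hits.append((m["user"], m["ip"]))
    return hits


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failed logins per day:", dict(failures_by_day(ev)))
    print("sources over threshold:", flag_sources(ev, threshold=3))
    print("successes after guessing:", accepted_after_failures(SAMPLE_LOG, ev))
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh` output) by swapping SAMPLE_LOG for the file contents; the thresholds should be tuned to your own baseline, and a successful root login from a source that was just guessing should be treated as a compromise, not a warning.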
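The logging gap the researchers describe can be closed on the server side: when `ForceCommand` is set in sshd_config, sshd runs the configured program instead of the client's request and exposes that request in the `SSH_ORIGINAL_COMMAND` environment variable. The wrapper below is an added example, not code from the article or from FireEye; it writes a syslog record describing the original command (length, number of semicolon-separated segments, a truncated preview, and a heuristic flag for long chained one-liners) and then executes the request unchanged. The length and segment thresholds, the `ssh-audit` log tag and the preview size are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Audit wrapper for sshd ForceCommand.

Added example, not part of the article or the FireEye report. sshd does
not record the text of a remote command; with `ForceCommand <this script>`
it runs this wrapper instead and puts the client's original request in
SSH_ORIGINAL_COMMAND. The wrapper logs a description of the request to
syslog and then executes it, so ssh/scp use is unchanged for legitimate
users.
"""
import os
import syslog

PREVIEW_LEN = 200  # assumption: enough to recognise a download-and-run chain


def summarize(command, preview_len=PREVIEW_LEN):
    """Facts worth logging about one remote command string."""
    segments = [s for s in command.split(";") if s.strip()]
    return {
        "length": len(command),
        "segments": len(segments),
        "preview": command[:preview_len],
    }


def suspicious(summary, max_len=1024, max_segments=10):
    """Heuristic: long, heavily chained one-liners are unusual for humans.

    Thresholds are assumptions; the chains FireEye saw ran to thousands
    of characters and many `;`-separated commands.
    """
    return summary["length"] > max_len or summary["segments"] > max_segments


def audit_record(env, user, peer):
    """Build the syslog line for one session from sshd's environment."""
    command = env.get("SSH_ORIGINAL_COMMAND")
    if command is None:
        return f"ssh-audit user={user} peer={peer} type=shell"
    s = summarize(command)
    flag = " FLAG=chained" if suspicious(s) else ""
    return (f"ssh-audit user={user} peer={peer} type=command len={s['length']} "
            f"segments={s['segments']}{flag} preview={s['preview']!r}")


def main():
    env = os.environ
    user = env.get("USER", "?")
    peer = (env.get("SSH_CONNECTION") or "?").split()[0]  # client address
    syslog.openlog("ssh-audit", syslog.LOG_PID, syslog.LOG_AUTHPRIV)
    syslog.syslog(syslog.LOG_NOTICE, audit_record(env, user, peer))
    command = env.get("SSH_ORIGINAL_COMMAND")
    shell = env.get("SHELL", "/bin/sh")
    if command is None:
        os.execv(shell, [shell, "-l"])        # no command: interactive login shell
    os.execv(shell, [shell, "-c", command])   # run the original request as-is


if __name__ == "__main__":
    main()
```

Install it somewhere root-owned (for example `/usr/local/sbin/ssh-audit`) and add `ForceCommand /usr/local/sbin/ssh-audit` to sshd_config, optionally inside a `Match` block. Two caveats: the record is written only after a successful login, so once a root guess lands the attacker can edit or remove the wrapper, which is why the syslog output should be shipped off the host; and if you serve sftp through `internal-sftp`, that request arrives in SSH_ORIGINAL_COMMAND and cannot be executed by `sh -c`, so either special-case it or exclude sftp users via `Match`.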
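The vermagic harvesting step exists because of the binary-compatibility rule quoted at the end of the article. A module's vermagic lives in its `.modinfo` section as a NUL-separated `key=value` string, so it can be read with a byte scan, and the kernel refuses to load a module whose vermagic does not match its own. The example below is added here and is not code from the article or FireEye: it extracts the vermagic from module bytes, splits it into kernel release and build flags, and approximates the kernel's matching rule (an exact string match, relaxed to flags-only when the module carries symbol CRCs from CONFIG_MODVERSIONS). The two `.modinfo`-style blobs are constructed stand-ins, not data from real modules.

```python
"""Read the vermagic string from a Linux kernel module and decide whether a
kernel with a given vermagic would load it.

Added example, not code from the article or the FireEye report. A .ko keeps
"key=value" strings separated by NUL bytes in its .modinfo section, so the
vermagic can be located with a plain byte scan instead of an ELF parser.
The sample blobs are constructed stand-ins for .modinfo contents.
"""

# Constructed .modinfo-like payloads (not extracted from real modules).
SAMPLE_X86 = (b"license=GPL\x00srcversion=ABC\x00depends=\x00"
              b"vermagic=4.4.0-142-generic SMP mod_unload modversions \x00")
SAMPLE_ARM = (b"license=GPL\x00depends=\x00"
              b"vermagic=4.19.66 SMP mod_unload ARMv7 p2v8 \x00")


def extract_vermagic(blob):
    """Return the vermagic value embedded in module bytes, or None."""
    key = b"vermagic="
    start = blob.find(key)
    if start < 0:
        return None
    end = blob.find(b"\x00", start)
    if end < 0:
        end = len(blob)
    return blob[start + len(key):end].decode("ascii", "replace")


def read_vermagic(path):
    """Same as extract_vermagic, for a .ko on disk (e.g. under /lib/modules)."""
    with open(path, "rb") as f:
        return extract_vermagic(f.read())


def split_vermagic(vermagic):
    """Separate the kernel release from the build flags that follow it
    (SMP, preempt, mod_unload, modversions, architecture tags)."""
    release, _sep, flags = vermagic.strip().partition(" ")
    return release, flags.split()


def loadable(module_vermagic, kernel_vermagic, module_has_crcs=False):
    """Approximate the kernel's same_magic() check.

    The whole string must match exactly, except that a module carrying symbol
    CRCs (built with CONFIG_MODVERSIONS) is compared only on the flags after
    the release, since the CRCs then guard the ABI instead of the version.
    """
    if module_has_crcs:
        return split_vermagic(module_vermagic)[1] == split_vermagic(kernel_vermagic)[1]
    return module_vermagic.strip() == kernel_vermagic.strip()


if __name__ == "__main__":
    x86 = extract_vermagic(SAMPLE_X86)
    arm = extract_vermagic(SAMPLE_ARM)
    print("x86 module:", split_vermagic(x86))
    print("arm module:", split_vermagic(arm))
    print("arm module loads on x86 kernel?", loadable(arm, x86))
```

This is exactly why a single prebuilt rootkit cannot serve every victim: the release and flags have to match the target kernel, and harvesting them (together with the headers) is what lets the attackers compile a matching LKM per host. On a host you administer, `read_vermagic` over the modules under `/lib/modules/$(uname -r)` gives you the reference string to compare any unexpected `.ko` against.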