Analysis by: Cris Nowell Pantanilla

ALIASES:

HEUR:Trojan-DDoS.Linux.Agent.a (Kaspersky), Linux.Xorddos (Symantec), ELF:Xorddos-K (Avast)

PLATFORM:

Linux


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Backdoor may be downloaded from remote sites by other malware.

  TECHNICAL DETAILS

File Size: Varies
File Type: ELF
Memory Resident: Yes
Initial Samples Received Date: 09 Jan 2015

Arrival Details

This Backdoor may be downloaded from remote site(s) by the following malware:

  • UNIX_XORDDOS.A

NOTES:

It installs a copy of itself in the following directory:

    /boot/{10 random characters}

It has component configuration files that contain the following categories:

  • md5 - checksum of file
  • denyip - open communication with an IP
  • filename - list of filenames
  • rmfile - files to remove

The malware terminates, denies, or removes the processes listed in that configuration file.

It is capable of the following commands:

  • Decrypt config file
  • Manipulate files and directories
  • Add/Delete Service
  • Manipulate processes and services
  • Execute files
  • Execute commands
  • Calculate Crc (Header/FindIp/File)
  • Upload/Download files
  • Update components
  • Get machine Info
  • Remote connections
  • Deny Remote Connections
  • DoS: SYN, UDP and TCP flood
  • Kill processes listed in config

It is also capable of the following rootkit functionalities:

  • Check IP
  • Check Port
  • Check Process
  • Firewall Accept IP
  • Firewall Drop IP
  • Hide/Unhide files
  • Hide/Unhide process
  • Hide/Unhide TCP4 port
  • Hide/Unhide TCP6 port
  • Hide/Unhide UDP4 port
  • Hide/Unhide UDP6 port
  • Patch/Unpatch VFS
  • Patch/Unpatch UDP
  • Patch/Unpatch TCP
  • Hook Function

It connects to the following C&C server:

  • {BLOCKED}3.{BLOCKED}5.9.228

  SOLUTION

Minimum Scan Engine: 9.700

Step 1

Remove the malware/grayware file dropped/downloaded by ELF_DDOS.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)

     UNIX_XORDDOS.A

Step 2

Scan your computer with your Trend Micro product to delete files detected as ELF_DDOS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
