Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited

  • 5 February 2015

February 05, 2015 | By Michael Lin, Derek Gooley
 

Summary

This is the tale of an ongoing SSH brute forcing campaign, targeting servers and network devices, that distributes a new family of Linux rootkit malware named “XOR.DDoS.” While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programmed in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit.
The campaign also utilizes complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand to infect x86 and ARM systems alike.
In this post, we will follow the campaign from first sighting to the present day. We reveal the infection strategy, describe the build systems and share indicators of compromise.
 

By Eduard Kovacs on February 09, 2015
 
Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.
The malware, dubbed XOR.DDoS, was first spotted back in September by the Malware Must Die research group, which linked it to a Chinese actor. XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.
FireEye started analyzing XOR DDoS in mid-November when it spotted SSH brute force attacks against its global threat research network coming from IP addresses belonging to Hee Thai Limited, an organization apparently based in Hong Kong. The security firm saw more than 20,000 SSH login attempts per server in the first 24 hours.
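As an added, defender-side illustration that is not part of either post above: a small Python detector that parses sshd authentication log lines and flags a source address that piles up failed logins within a short window, and separately flags a login that is accepted from a source that was just brute forcing. The log lines, hostnames and addresses below are constructed samples; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog style, year omitted as sshd writes it).
SAMPLE_LOG = """\
Feb  5 03:14:07 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  5 03:14:08 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Feb  5 03:14:09 srv sshd[2103]: Failed password for root from 203.0.113.5 port 51246 ssh2
Feb  5 03:14:10 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb  5 03:14:11 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51255 ssh2
Feb  5 03:14:12 srv sshd[2106]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Feb  5 03:20:01 srv sshd[2110]: Failed password for alice from 198.51.100.7 port 4422 ssh2
Feb  5 03:20:30 srv sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 4423 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2015):
    """Return (timestamp, result, user, source_ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window_sec=60):
    """Sliding-window failure counter per source; returns a list of alert tuples."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        # Keep only failures inside the window relative to the current event.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_sec]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once when the burst crosses the line
                alerts.append(("BRUTE_FORCE", ip, user, ts))
        elif len(recent) >= threshold:    # success right after a burst: likely guessed
            alerts.append(("COMPROMISE_SUSPECTED", ip, user, ts))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The campaign figure quoted above (over 20,000 attempts per server in 24 hours) is orders of magnitude beyond this threshold, so the first alert would fire within seconds of such a source starting.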
 