Windigo

Z
  • 3 Apr '14

A virus that infects Linux servers has been found.
Detailed description in PDF format
A.1.1. Host-based Indicators

My Ubuntu 13.10 terminal results.

donatas@Shinigami:~$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
donatas@Shinigami:~$ $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”
“System infected”
W
  • 3 Apr '14

The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print

ssh: illegal option -- G

to stderr but an infected server will only print the typical “usage” message. One can use the following command to determine if the server he is on is compromised:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

http://www.welivesecurity.com/2014/02/2 ... inuxebury/

It looks to me like everything is fine on your side.

T
Techtronic
Mindaugas N.
  • 1
  • 3 Apr '14

More tests for recognizing the Windigo malware

Linux/Ebury
Typing the command ssh -G in the terminal will print:

minde@pts/2:/home/minde:ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]
minde@pts/2:255:/home/minde:

But it should be:

minde@pts/2:/home/minde:ssh -G
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]
minde@pts/2:255:/home/minde:

Or check shared memory with the command ipcs -m; there will be a segment owned by root with permissions 666.

Linux/Cdorked
If you request host/favicon.ico with curl, it will redirect to google. (strange)

Linux/Onimiki

It is installed via bind; the only way I found to recognize it is using a yara rule:

rule onimiki
{
  meta:
    description = "Linux/Onimiki malicious DNS server"
    malware = "Linux/Onimiki"
    operation = "Windigo"
    author = "Olivier Bilodeau <bilodeau@eset.com>"
    created = "2014-02-06"
    reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"

  strings:
    // code from offset: 0x46CBCD
    $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
    $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
    $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
    $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
    $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
    $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
    $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
    $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
    $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}

  condition:
    all of them
}

to check named:

yara test.yar /usr/sbin/named

Perl/Calfbot

You should see "/tmp " (with a space at the end)

More details in that PDF from ESET.

W
  • 3 Apr '14

@zero_space wrote:
A virus that infects Linux servers has been found.
Detailed description in PDF format
A.1.1. Host-based Indicators

My Ubuntu 13.10 terminal results.

donatas@Shinigami:~$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
donatas@Shinigami:~$ $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”
“System infected”

You made a mistake in the command. I'll give you the task of finding it as homework.
Good news: you don't have the virus (see my post),

G
  • 3 Apr '14

@windows wrote:


You made a mistake in the command. I'll give you the task of finding it as homework.
Good news: you don't have the virus (see my post),

Change your:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

to this:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "Geros naujienos" || echo "Blogos naujienos"

Pay attention to the $ symbol.

@windows wrote:
Good news: you don't have the virus (see my post),

By the way, statements like the one above don't bode well..
Always look for the root of the problem.
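As an added example (not code from the thread or from the ESET report), here are the two Linux/Ebury host checks from Techtronic's list, the ssh -G behaviour and the root-owned 666 shared memory segment, written as shell functions over captured output, so the verdict logic can be exercised offline and a broken check (such as the stray "$" in front of ssh that the last two posts point out) is reported as a failed check rather than as an infection. It assumes the util-linux column order of `ipcs -m` (key shmid owner perms bytes nattch status); the sample segment table at the end is constructed, not from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the ESET report): the Ebury checks from
# the post above as functions over captured output, so the verdict logic can be
# exercised offline. Assumed `ipcs -m` column order: key shmid owner perms bytes
# nattch status (util-linux layout).

# Classify the combined stdout+stderr of `ssh -G`: clean | infected | check-failed.
ebury_ssh_verdict() {
    case "$1" in
        *"command not found"*|"")
            # The check itself did not run (stray "$" in front of ssh, no ssh
            # binary, ...). Never turn an error or empty result into "infected".
            echo check-failed ;;
        *"illegal option"*|*"unknown option"*)
            echo clean ;;        # ssh rejected -G: expected on a clean host
        *usage:*)
            echo infected ;;     # usage text without rejecting -G (Ebury)
        *)
            echo check-failed ;;
    esac
}

# Shared-memory indicator: print `ipcs -m` segments owned by root with mode 666.
# $1 = output of `ipcs -m`. Exit status 0 when at least one segment matches.
ebury_shm_hits() {
    printf '%s\n' "$1" | awk '$3 == "root" && $4 == "666" { print; found = 1 }
                              END { exit !found }'
}

if [ "${1:-}" = "--live" ]; then
    # Check this host. ssh's stderr must be merged with 2>&1, and the quotes
    # around echoed strings must be plain ASCII quotes, not typographic ones.
    echo "ssh -G verdict: $(ebury_ssh_verdict "$(ssh -G 2>&1)")"
    ebury_shm_hits "$(ipcs -m 2>/dev/null)" || echo "no root/666 shared memory segment"
else
    # Offline demo on a constructed `ipcs -m` excerpt (not from a real host).
    SAMPLE='key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      minde      600        4194304    2          dest
0x00000000 65537      root       666        3282312    0'
    ebury_shm_hits "$SAMPLE"     # prints only the root/666 line
fi
```

Run it with `--live` to check the local host. OpenSSH 6.8 and later accept -G as a real option (print the effective configuration), so on current releases `ssh -G` without a host prints usage even when clean; the usage-based verdict is only meaningful for the 2014-era OpenSSH versions shown in this thread.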