如何檢測系統是否有被植入 Windigo

Operation Windigo 是設計成可以劫持(木馬、後門) Server, 被 植入 / 駭客(crack) 的系統會被用來發送 Spam Mail, 竊取資料等等.

Windigo 入侵時間長達 3年+, 綁架超過 50萬台電腦 + 25000 台 UNIX Server, 而且 cPanel 和 kernel.org 都中獎, 範圍非常驚人.

由下述新聞可以看到影響範圍有多廣, 下述摘錄自此篇: APT 潛伏 UNIX 三年！25,000 伺服器後門全開

專家將這次攻擊行動稱為「Operation Windigo」(下簡稱 Windigo)。

專家指 Windigo 具有高複雜度的惡意程式，複雜的結構設計可劫持伺服器。受影響的系統會不斷發送 Spam 電郵、開啟後門程式及竊取企業資訊等。Windigo 已散播全球各地，入侵並控制了超過 25,000 部 UNIX 機，當中包括　cPanel 及 kernel.org。

下述摘錄自此篇: THN » Operation Windigo: Linux malware campaign that infected 500,000 Computers Worldwide

If your system or server was also compromised in the same campaign, it's recommended to re-install the system or re-set all passwords and private OpenSSH keys.

如何檢測系統是否有被植入 Windigo

主要新聞可見此篇: OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan

• Windigo 的滲透方式、檢測可見此 PDF: ESET’s detailed technical paper about "Operation Windigo"

Windigo 的程式影響有下述幾種:

• Linux/Ebury
• Linux/Cdorked
• Linux/Onimiki
• Perl/Calfbot

系統檢測方式如下, 下述取自此上述 PDF 文件: (P.58 ~ 69)

Linux/Ebury

• SSH 檢查
  1. 一般輸入 $ ssh -G 應該會出現下述訊息:
  2. ssh: illegal option -- G # 或 ssh: unknown option -- G
  3. 檢測可使用此行:
  4. $ ssh -G 2>&1 | grep -e illegal -e unknown -e -Gg > /dev/null && echo "System clean" || echo "System infected"
  5. 出現 'ssh: illegal option -- G' 和 'ssh: unknown option -- G' 都是對的, 沒出現就要準備重灌了.
• 由記憶體檢測
  1. Shared Memory Inspection
  2. # ipcs -m
     ------ Shared Memory Segments --------
     key shmid owner perms bytes nattch
     0x00000000 0 root 644 80 2
     0x00000000 32769 root 644 16384 2
     0x00000000 65538 root 644 280 2
     0x000010e0 465272836 root 666 3282312 0
  3. # ipcs -m -p
     ------ Shared Memory Creator/Last-op PIDs --------
     shmid owner cpid lpid
     0 root 4162 4183
     32769 root 4162 4183
     65538 root 4162 4183
     465272836 root 15029 17377
  4. # ps aux | grep <pid> # 看看是不是 root 跑 sshd, shared memory segments > 3M (3145728 bytes), 而且權限是 666
     root 11531 0.0 0.0 103284 828 pts/0 S+ 16:40 0:00 grep 15029
     root 15029 0.0 0.0 66300 1204 ? Ss Jan26 0:00 /usr/sbin/sshd

Linux/Cdorked

1. $ curl -i http://myserver/favicon.iso | grep "Location:"
   Location: http://google.com/

Perl/Calfbot

1. flock --nb /tmp/... echo "System clean" || echo "System infected" # 若出現 System infected, 再繼續下述兩行
2. lsof /tmp/...
3. pgrep -x "crond" | xargs -I '{}' ls -la "/proc/{}/exe" # 若沒有安裝 pgrep (package: procps ), 可改用下述:
4. ps -ef | grep crond | grep -v grep | awk '{print $2 }'

使用 TCPDump 來查看網路狀態

於系統使用 # tcpdump -p # 看到下述就是異常

Linux/Ebury

content:”SSH-2.0-”; depth:8; isdataat:22,relative; pcre:”/^[0-9a-f]{22,46}/R”;
reference:url,http://www.welivesecurity.com/wpcontent/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
classtype:trojan-activity; sid:1000001; rev:3;)
# The following Snort rule for detecting Linux/Ebury infected machines
# sending harvested credentials to a dropzone server has been provided by
# CERT-Bund
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:”Linux/Ebury SSH backdoor data
exfiltration”; content:”|12 0b 01 00 00 01|”; depth:6; pcre:”/^\x12\x0b\x01\
x00\x00\x01[\x00]{6}.[af0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\
x01Bs”; reference:url,http://www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
reference:url,https://www.cert-bund.de/ebury-faq; classtype:trojan-activity;
sid:1000002; rev:1;)

Linux/Cdorked

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”Linux/
Cdorked is being configured by C&C”; flow:established,to_server;
content:”POST”; content:”SECID=”; http_cookie; pcre:”/\?[0-9a-f]
{6} HTTP/”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000003;
rev:2;)

Linux/Onimiki

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:”Linux/Onimiki
DNS trojan activity long format (Inbound)”; byte_test:1,!
&,128,2; content:”|00 01 00 00 00 00 00 00 38|”; offset:4;
depth:9; pcre:”/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[az0-
9\-_]+\x00\x00\x01\x00\x01/Rsi”; reference:url,http://
www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malwareioc;
classtype:trojan-activity; sid:1000004; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:”Linux/Onimiki DNS trojan
activity long format (Outbound)”; byte_test:1,!&,128,2; content:”|
00 01 00 00 00 00 00 00 38|”; offset:4; depth:9; pcre:”/^[a-z0-9]
{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/
Rsi”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000005;
rev:1;)

Perl/Calfbot

alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:”Perl/Calfbot C&C
DNS request”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10;
offset:2; content:”|0a|vqvsaergek|04|info|00|”; fast_pattern;
nocase; distance:0; reference:url,http://www.welivesecurity.com/wpcontent/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000006;
rev:2;)

檢查 Library 有沒有被竄改

1. $ md5sum `find /lib/ | grep libkeyutils` # Hash 值 於 PDF 的 P.68 ~ 69 查看, 希望不要於 PDF 看到你的 Hash 值~

相關新聞

• Windigo Malware – Coming to a Linux Server Near You | CyberArk
• ESET：Windigo駭客行動綁架全球25000台伺服器 | iThome