如何檢測系統是否有被植入 Windigo

Operation Windigo 是設計成可以劫持(木馬、後門) Server, 被 植入 / 駭客(crack) 的系統會被用來發送 Spam Mail, 竊取資料等等.

Windigo 入侵時間長達 3年+, 綁架超過 50萬台電腦 + 25000 台 UNIX Server, 而且 cPanel 和 kernel.org 都中獎, 範圍非常驚人.

由下述新聞可以看到影響範圍有多廣, 下述摘錄自此篇: APT 潛伏 UNIX 三年!25,000 伺服器後門全開

專家將這次攻擊行動稱為「Operation Windigo」(下簡稱 Windigo)。

專家指 Windigo 具有高複雜度的惡意程式,複雜的結構設計可劫持伺服器。受影響的系統會不斷發送 Spam 電郵、開啟後門程式及竊取企業資訊等。Windigo 已散播全球各地,入侵並控制了超過 25,000 部 UNIX 機,當中包括 cPanel 及 kernel.org。

下述摘錄自此篇: THN » Operation Windigo: Linux malware campaign that infected 500,000 Computers Worldwide

If your system or server was also compromised in the same campaign, it's recommended to re-install the system or re-set all passwords and private OpenSSH keys.

如何檢測系統是否有被植入 Windigo

主要新聞可見此篇: OPERATION WINDIGO: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan

Windigo 的程式影響有下述幾種:

  • Linux/Ebury
  • Linux/Cdorked
  • Linux/Onimiki
  • Perl/Calfbot

系統檢測方式如下, 下述取自此上述 PDF 文件: (P.58 ~ 69)

Linux/Ebury

  • SSH 檢查
    1. 一般輸入 $ ssh -G 應該會出現下述訊息:
    2. ssh: illegal option -- G # 或 ssh: unknown option -- G
    3. 檢測可使用此行:
    4. $ ssh -G 2>&1 | grep -e illegal -e unknown -e -Gg > /dev/null && echo "System clean" || echo "System infected"
    5. 出現 'ssh: illegal option -- G' 和 'ssh: unknown option -- G' 都是對的, 沒出現就要準備重灌了.
  • 由記憶體檢測
    1. Shared Memory Inspection
    2. # ipcs -m
      ------ Shared Memory Segments --------
      key shmid owner perms bytes nattch
      0x00000000 0 root 644 80 2
      0x00000000 32769 root 644 16384 2
      0x00000000 65538 root 644 280 2
      0x000010e0 465272836 root 666 3282312 0
    3. # ipcs -m -p
      ------ Shared Memory Creator/Last-op PIDs --------
      shmid owner cpid lpid
      0 root 4162 4183
      32769 root 4162 4183
      65538 root 4162 4183
      465272836 root 15029 17377
    4. # ps aux | grep <pid> # 看看是不是 root 跑 sshd, shared memory segments > 3M (3145728 bytes), 而且權限是 666
      root 11531 0.0 0.0 103284 828 pts/0 S+ 16:40 0:00 grep 15029
      root 15029 0.0 0.0 66300 1204 ? Ss Jan26 0:00 /usr/sbin/sshd

Linux/Cdorked

  1. $ curl -i http://myserver/favicon.iso | grep "Location:"
    Location: http://google.com/

Perl/Calfbot

  1. flock --nb /tmp/... echo "System clean" || echo "System infected" # 若出現 System infected, 再繼續下述兩行
  2. lsof /tmp/...
  3. pgrep -x "crond" | xargs -I '{}' ls -la "/proc/{}/exe" # 若沒有安裝 pgrep (package: procps ), 可改用下述:
  4. ps -ef | grep crond | grep -v grep | awk '{print $2 }'

使用 TCPDump 來查看網路狀態

於系統使用 # tcpdump -p # 看到下述就是異常

Linux/Ebury

content:”SSH-2.0-”; depth:8; isdataat:22,relative; pcre:”/^[0-9a-f]{22,46}/R”;
reference:url,http://www.welivesecurity.com/wpcontent/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
classtype:trojan-activity; sid:1000001; rev:3;)
# The following Snort rule for detecting Linux/Ebury infected machines
# sending harvested credentials to a dropzone server has been provided by
# CERT-Bund
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:”Linux/Ebury SSH backdoor data
exfiltration”; content:”|12 0b 01 00 00 01|”; depth:6; pcre:”/^\x12\x0b\x01\
x00\x00\x01[\x00]{6}.[af0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\
x01Bs”; reference:url,http://www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
reference:url,https://www.cert-bund.de/ebury-faq; classtype:trojan-activity;
sid:1000002; rev:1;)

Linux/Cdorked

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”Linux/
Cdorked is being configured by C&C”; flow:established,to_server;
content:”POST”; content:”SECID=”; http_cookie; pcre:”/\?[0-9a-f]
{6} HTTP/”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000003;
rev:2;)

Linux/Onimiki

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:”Linux/Onimiki
DNS trojan activity long format (Inbound)”; byte_test:1,!
&,128,2; content:”|00 01 00 00 00 00 00 00 38|”; offset:4;
depth:9; pcre:”/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[az0-
9\-_]+\x00\x00\x01\x00\x01/Rsi”; reference:url,http://
www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malwareioc;
classtype:trojan-activity; sid:1000004; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:”Linux/Onimiki DNS trojan
activity long format (Outbound)”; byte_test:1,!&,128,2; content:”|
00 01 00 00 00 00 00 00 38|”; offset:4; depth:9; pcre:”/^[a-z0-9]
{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/
Rsi”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000005;
rev:1;)

Perl/Calfbot

alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:”Perl/Calfbot C&C
DNS request”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10;
offset:2; content:”|0a|vqvsaergek|04|info|00|”; fast_pattern;
nocase; distance:0; reference:url,http://www.welivesecurity.com/wpcontent/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000006;
rev:2;)

檢查 Library 有沒有被竄改

  1. $ md5sum `find /lib/ | grep libkeyutils` # Hash 值 於 PDF 的 P.68 ~ 69 查看, 希望不要於 PDF 看到你的 Hash 值~

相關新聞

作者: Tsung

對新奇的事物都很有興趣, 喜歡簡單的東西, 過簡單的生活.

在〈如何檢測系統是否有被植入 Windigo〉中有 2 則留言

  1. 檢測指令
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    此檢測指令有缺陷,一个真正的 -G选项已添加在openssh 6.8P1中。
    修正過後的檢測指令
    ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"

發表迴響

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料