Operation Windigo 是設計成可以劫持(木馬、後門) Server, 被 植入 / 駭客(crack) 的系統會被用來發送 Spam Mail, 竊取資料等等.
Windigo 入侵時間長達 3年+, 綁架超過 50萬台電腦 + 25000 台 UNIX Server, 而且 cPanel 和 kernel.org 都中獎, 範圍非常驚人.
由下述新聞可以看到影響範圍有多廣, 下述摘錄自此篇: APT 潛伏 UNIX 三年!25,000 伺服器後門全開
專家將這次攻擊行動稱為「Operation Windigo」(下簡稱 Windigo)。
專家指 Windigo 具有高複雜度的惡意程式,複雜的結構設計可劫持伺服器。受影響的系統會不斷發送 Spam 電郵、開啟後門程式及竊取企業資訊等。Windigo 已散播全球各地,入侵並控制了超過 25,000 部 UNIX 機,當中包括 cPanel 及 kernel.org。
下述摘錄自此篇: THN » Operation Windigo: Linux malware campaign that infected 500,000 Computers Worldwide
If your system or server was also compromised in the same campaign, it's recommended to re-install the system or re-set all passwords and private OpenSSH keys.
如何檢測系統是否有被植入 Windigo
- Windigo 的滲透方式、檢測可見此 PDF: ESET’s detailed technical paper about "Operation Windigo"
Windigo 的程式影響有下述幾種:
- Linux/Ebury
- Linux/Cdorked
- Linux/Onimiki
- Perl/Calfbot
系統檢測方式如下, 下述取自此上述 PDF 文件: (P.58 ~ 69)
Linux/Ebury
- SSH 檢查
- 一般輸入 $ ssh -G 應該會出現下述訊息:
- ssh: illegal option -- G # 或 ssh: unknown option -- G
- 檢測可使用此行:
- $ ssh -G 2>&1 | grep -e illegal -e unknown -e -Gg > /dev/null && echo "System clean" || echo "System infected"
- 出現 'ssh: illegal option -- G' 和 'ssh: unknown option -- G' 都是對的, 沒出現就要準備重灌了.
- 由記憶體檢測
- Shared Memory Inspection
- # ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x00000000 0 root 644 80 2
0x00000000 32769 root 644 16384 2
0x00000000 65538 root 644 280 2
0x000010e0 465272836 root 666 3282312 0 - # ipcs -m -p
------ Shared Memory Creator/Last-op PIDs --------
shmid owner cpid lpid
0 root 4162 4183
32769 root 4162 4183
65538 root 4162 4183
465272836 root 15029 17377 - # ps aux | grep <pid> # 看看是不是 root 跑 sshd, shared memory segments > 3M (3145728 bytes), 而且權限是 666
root 11531 0.0 0.0 103284 828 pts/0 S+ 16:40 0:00 grep 15029
root 15029 0.0 0.0 66300 1204 ? Ss Jan26 0:00 /usr/sbin/sshd
Linux/Cdorked
- $ curl -i http://myserver/favicon.iso | grep "Location:"
Location: http://google.com/
Perl/Calfbot
- flock --nb /tmp/... echo "System clean" || echo "System infected" # 若出現 System infected, 再繼續下述兩行
- lsof /tmp/...
- pgrep -x "crond" | xargs -I '{}' ls -la "/proc/{}/exe" # 若沒有安裝 pgrep (package: procps ), 可改用下述:
- ps -ef | grep crond | grep -v grep | awk '{print $2 }'
使用 TCPDump 來查看網路狀態
於系統使用 # tcpdump -p # 看到下述就是異常
Linux/Ebury
content:”SSH-2.0-”; depth:8; isdataat:22,relative; pcre:”/^[0-9a-f]{22,46}/R”;
reference:url,http://www.welivesecurity.com/wpcontent/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
classtype:trojan-activity; sid:1000001; rev:3;)
# The following Snort rule for detecting Linux/Ebury infected machines
# sending harvested credentials to a dropzone server has been provided by
# CERT-Bund
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:”Linux/Ebury SSH backdoor data
exfiltration”; content:”|12 0b 01 00 00 01|”; depth:6; pcre:”/^\x12\x0b\x01\
x00\x00\x01[\x00]{6}.[af0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\
x01Bs”; reference:url,http://www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malware-ioc;
reference:url,https://www.cert-bund.de/ebury-faq; classtype:trojan-activity;
sid:1000002; rev:1;)
Linux/Cdorked
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”Linux/
Cdorked is being configured by C&C”; flow:established,to_server;
content:”POST”; content:”SECID=”; http_cookie; pcre:”/\?[0-9a-f]
{6} HTTP/”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000003;
rev:2;)
Linux/Onimiki
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:”Linux/Onimiki
DNS trojan activity long format (Inbound)”; byte_test:1,!
&,128,2; content:”|00 01 00 00 00 00 00 00 38|”; offset:4;
depth:9; pcre:”/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[az0-
9\-_]+\x00\x00\x01\x00\x01/Rsi”; reference:url,http://
www.welivesecurity.com/wp-content/uploads/2014/03/
operation_windigo.pdf; reference:url,https://github.com/eset/malwareioc;
classtype:trojan-activity; sid:1000004; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:”Linux/Onimiki DNS trojan
activity long format (Outbound)”; byte_test:1,!&,128,2; content:”|
00 01 00 00 00 00 00 00 38|”; offset:4; depth:9; pcre:”/^[a-z0-9]
{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/
Rsi”; reference:url,http://www.welivesecurity.com/wp-content/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000005;
rev:1;)
Perl/Calfbot
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:”Perl/Calfbot C&C
DNS request”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10;
offset:2; content:”|0a|vqvsaergek|04|info|00|”; fast_pattern;
nocase; distance:0; reference:url,http://www.welivesecurity.com/wpcontent/
uploads/2014/03/operation_windigo.pdf; reference:url,https://
github.com/eset/malware-ioc; classtype:trojan-activity; sid:1000006;
rev:2;)
檢查 Library 有沒有被竄改
- $ md5sum `find /lib/ | grep libkeyutils` # Hash 值 於 PDF 的 P.68 ~ 69 查看, 希望不要於 PDF 看到你的 Hash 值~
檢測指令
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
此檢測指令有缺陷,一个真正的 -G选项已添加在openssh 6.8P1中。
修正過後的檢測指令
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
感謝指正,已修正