Updated Ebury IoCs for v1.5 and v1.6

windigo/README.adoc

@@ -2,11 +2,10 @@
 
 [NOTE]
 ====
-*UPDATE*: As we expected, the malicious group is monitoring our indicators of
-compromise and is evading them in updates to their threats. Most of the
-indicators below no longer work. We encourage you to contact us at
-windigo@eset.sk if you think you are infected.
-
+*UPDATE 2017-10-30*: This documents now contains the latest IOCs for version
+1.5 and 1.6 of Linux/Ebury. Look at section "Linux/Ebury 1.5-1.6" of the
+host-based indicators and "Ebury v1.6 DGA" in the network-based IOCs to get
+them.
 ====
 
 These IOCs were released as part of our extensive research on this large
@@ -39,7 +38,85 @@ at: windigo@eset.sk.
 
 == Host-based Indicators
 
-=== Linux/Ebury
+=== Linux/Ebury v1.5 and 1.6
+
+==== Detection techniques
+
+Ebury uses an abstract UNIX socket to communicate with an external process
+that will be responsible for data exfiltration. In most cases, the socket name
+begins with `/tmp/dbus-`. The real dbus can create a socket using the same
+pattern. However, when Ebury does this with processes not related to the
+legitimate dbus. If the following command outputs something, it is suspicious:
+
+----
+$ lsof -U | grep -F @/tmp/dbus- | grep -v ^dbus
+----
+
+Here's a list of the processes we know Ebury uses as an exfiltration agent:
+
+- auditd
+- crond
+- anacron
+- arpd
+- acpid
+- rsyslogd
+- udevd
+- systemd-udevd
+- atd
+- hostname
+- sync
+
+On CentOS/Redhat, having a libkeyutils.so* file in `/lib/tls` or `/lib64/tls` is
+suspicious.
+
+Running `objdump -x libkeyutils.so.1` (or `readelf -d libkeyutils.so.1`) will
+print the dynamic section of the ELF header. Anything NEEDED (type 1) other
+than libc or libdl is suspicious.
+
+----
+$ objdump -x /lib64/libkeyutils.so.1 | grep NEEDED | grep -v -F -e libdl.so -e libc.so
+----
+
+In case your machine is infected with an Ebury version with the userland
+rootkit, there's many ways to detect that it is the case. Since Ebury inject
+itself using the dynamic linker `LD_PRELOAD` environment variable, we can use
+some other environment variable used to trace the dynamic linking process. If
+libkeyutils is loaded in some process where it shouldn't be, it is very likely
+that the system is infected with a rootkit-enabled version of Ebury. If the
+following command raises result, it is very suspicious:
+
+----
+$ LD_DEBUG=symbols /bin/true 2>&1 | grep libkeyutils
+----
+
+==== File hashes
+
+[options="header"]
+|====
+| SHA-1                                    | filename           | version
+| 5c796dc566647dd0db74d5934e768f4dfafec0e5 | libns2.so          | 1.5.0
+| 615c6b022b0fac1ff55c25b0b16eb734aed02734 | <Unknown>          | 1.5.1
+| d4eeada3d10e76a5755c6913267135a925e195c6 | libns5.so          | 1.5.1c
+| 27ed035556abeeb98bc305930403a977b3cc2909 | libpw3.so          | 1.5.1d
+| 2f382e31f9ef3d418d31653ee124c0831b6c2273 | libpw5.so          | 1.5.1e
+| 7248e6eada8c70e7a468c0b6df2b50cf8c562bc9 | libpw5.so          | 1.5.1f
+| e8d3c369a231552081b14076cf3eaa8901e6a1cd | <libkeyutils lib>  | 1.5.5
+| 1d3aafce8cd33cf51b70558f33ec93c431a982ef | <libkeyutils lib>  | 1.5.5
+| a559ee8c2662ee8f3c73428eaf07d4359958cae1 | <libkeyutils lib>  | 1.5.5c
+| 17c40a5858a960afd19cc02e07d3a5e47b2ab97a | libslr.so          | 1.5.6dp
+| eb352686d1050b4ab289fe8f5b78f39e9c85fb55 | libkeyutils.so.1.5 | 1.5.6d
+| 44b340e90edba5b9f8cf7c2c01cb4d45dd25189e | libkeyutils.so.1.5 | 1.6.2a
+| e8d392ae654f62c6d44c00da517f6f4f33fe7fed | libsbr.so          | 1.6.2gp
+| b58725399531d38ca11d8651213b4483130c98e2 | libsbr.so          | 1.6.2gp
+
+=== Linux/Ebury v1.4 and earlier
+
+[NOTE]
+====
+*UPDATE*: As we expected, the malicious group is monitoring our indicators of
+compromise and is evading them in updates to their threats. Ebury v1.4 is no
+longer deployed and most of the indicators below no longer work.
+====
 
 We will provide two means of identifying the presence of the OpenSSH backdoor.
 A quick one that relies on the presence of a feature added by the malware to
@@ -331,6 +408,32 @@ generation.
 |   10 | abo0u6ach9k3w.net
 |============================
 
+.Ebury v1.6 DGA
+[align="right,left", options="header"]
+|============================
+| seed | domain
+| 1    | larfj7g1vaz3y.net
+| 2    | idkff7m1lac3g.biz
+| 3    | u2s0k8d1ial3r.info
+| 4    | h9g0q8a1hat3s.net
+| 5    | f2y1j8v1saa3t.biz
+| 6    | xdc1h8n1baw3m.info
+| 7    | raj2p8z1aae3b.net
+| 8    | o9f3v8r1oaj3p.biz
+| 9    | tav4h8n1baw3r.info
+| 10   | hdm5o8e1tas3n.net
+| 11   | v2a7q8a1hat3u.biz
+| 12   | z9w8l8k1zaf3g.info
+| 13   | y2fad8b1gak3f.net
+| 14   | odrbz8i1jap3e.biz
+| 15   | uajdm8w1kax3j.info
+| 16   | c9xfb8u1cad3m.net
+| 17   | fas1k9i1jap3u.biz
+| 18   | zdm3u9x1fag3i.info
+| 19   | b2z6m9k1zaf3v.net
+| ...  | ...
+|============================
+
 === Linux/Cdorked
 
 `windigo-cdorked.rules`