Against XorDdos, Microsoft has the necessary weapons: Microsoft Edge and Microsoft Defender Antivirusprincipally.
XorDdos, a botnet that attacks Linux machines and first discovered in 2014, has been rampant since late 2021. Microsoft says it has seen a 254% increase in activity over the past six months. No need to panic, however, since the Redmond giant has the parade: use its Edge browser, among others.
The threat…
The article published by Microsoft, very qualitative moreover, specifies that XorDdos targets Linux-based operating systems, commonly deployed for cloud infrastructures and Internet of Things (IoT) devices. It thus forms a network of zombie machines that can be used to carry out DDoS (distributed denial of service) attacks. These attacks are getting more and more intense. Microsoft recalls that of 2.4 Tbps perpetrated in August 2021, to which we can add that of 3.47 Tbps orchestrated in November of the same year. The network of zombie machines of XorDdos is not limited to this type of attack, however, it is also used to carry out brute force attacks on Secure Shell (SSH) servers.
To make matters worse, XorDdos benefits from evasion and persistence mechanics that allow it to remain both stealthy and active. The article details:
Its evasion capabilities include concealing malware activities, circumventing rule-based detection mechanisms and hash-based malicious file searching as well as using anti-forensic techniques to break malware-based scanning. process tree. We have observed in recent campaigns that XorDdos conceals malicious activity from scanning by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions.
In addition to the inconveniences and threats induced by this type of attack, Microsoft reports having observed that the “ devices first infected with XorDdos were later infected with other malware such as the Tsunami backdoor, which then deploys the XMRig miner “. The team clarifies that they have not observed XorDdos directly installing and distributing secondary programs like Tsunami, but believe that it is used well to deploy malware.
The parades…
First, Microsoft delivers the result of its analysis of XorDdos to help administrators understand the mechanisms and protect their networks. In a second, the team makes some recommendations. She takes the opportunity to praise Microsoft solutions that are, according to her, capable of protecting Linux systems against the XorDdos threat.
The article thus urges Linux users to adopt Microsoft Edge or any other browser that supports Microsoft Defender SmartScreen.
It also urges to fight against XorDdos with Microsoft Defender for Linux endpoint, especially using the device discovery feature (mapping devices in a network).
Finally, Microsoft encourages the use of Microsoft Defender Antivirus or at least Block Endpoint Detection and Response (PEPT). For devices running Microsoft Defender as the primary antivirus, ” Block PEPT provides an additional layer of defense by allowing Microsoft Defender to take automatic actions on post-breach behavioral PEPT detections “. For those who don’t have Microsoft Defender Antivirus as their primary antivirus product, PEPT runs in passive mode and works in the background to fix detected malicious artifacts.
On the same subject :
These two critical flaws were exploited by state hackers
Source : Microsoft
4