Microsoft concerned about expansion of Xor DDoS botnet


In recent months, Microsoft has seen a 254% increase in the activity of Xor DDoS, a botnet of infected Linux machines that has existed for about eight years. As its name suggests, the botnet is used to carry out distributed denial of service (DDoS) attacks.

Xor DDoS conducts automated password stuffing attacks on thousands of Linux servers to find administrative passwords used on Secure Shell (SSH) servers. SSH is a secure network communication protocol commonly used for remote system administration.

Once the credentials are obtained, the botnet uses administrator (root) privileges to install itself on a Linux device and uses XOR encryption to communicate with the attacker’s command and control infrastructure.
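As an added example (not from the article or from Microsoft's report), the following Python reads sshd authentication log lines (constructed here) and flags source addresses whose successful password login was preceded by a burst of failures, the trace the password-guessing stage described above leaves on a victim host:

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines: one source guesses root's password
# repeatedly and finally succeeds; a second source is benign noise.
SAMPLE_AUTH_LOG = """\
May 17 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.9 port 51000 ssh2
May 17 10:01:03 host sshd[2102]: Failed password for root from 203.0.113.9 port 51001 ssh2
May 17 10:01:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
May 17 10:01:04 host sshd[2104]: Failed password for root from 203.0.113.9 port 51003 ssh2
May 17 10:01:05 host sshd[2105]: Failed password for root from 203.0.113.9 port 51004 ssh2
May 17 10:01:06 host sshd[2106]: Accepted password for root from 203.0.113.9 port 51005 ssh2
May 17 10:05:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
May 17 10:05:20 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Accepted password for root from ..." and
# "Failed password for invalid user admin from ..." style lines.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def find_bruteforce_compromises(log_text, threshold=5):
    """Return {ip: (failures_before_success, user)} for every source IP whose
    successful *password* login came after at least `threshold` failures.
    Key-based logins are ignored: they are not the result of guessing."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif m["method"] == "password" and failures[ip] >= threshold:
            hits[ip] = (failures[ip], m["user"])
    return hits

if __name__ == "__main__":
    for ip, (count, user) in find_bruteforce_compromises(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures, then password login as {user}")
```

A successful root password login after such a burst is the moment to check the host for the persistence scripts and daemon process the article describes, rather than just blocking the source address.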

A very active Linux malware

While DDoS attacks pose a serious threat to system availability and grow every year, Microsoft is concerned about the other capabilities of these infected computer networks.

“We found that devices first infected with Xor DDoS were later infected with other malware like the Tsunami backdoor, which additionally deploys XMRig cryptocurrency mining software,” notes the software giant.

According to CrowdStrike, Xor DDoS was one of the most active Linux malware families in 2021. The malware thrived on the growth of IoT (internet of things) devices, which mostly run Linux variants, but it has also targeted misconfigured Docker clusters in the cloud. Other major malware families targeting IoT devices include Mirai and Mozi.

The malware could be used for further malicious activities

Microsoft has not seen Xor DDoS directly install and distribute the Tsunami backdoor, but its researchers believe the malware is used as a vector for subsequent malicious activity.

Xor DDoS can conceal its activities from common detection techniques. In a recent campaign, Microsoft saw it overwrite sensitive files.

“Its evasion capabilities include concealing malware activities, circumventing rule-based detection mechanisms and hash-based malicious file scans, as well as using anti-forensic techniques to counter malware scans based on the process tree. We have observed in recent campaigns that Xor DDoS conceals its malicious activities by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions.”

Xor DDoS runs in the background

The Xor DDoS payload analyzed by Microsoft is a 32-bit Linux ELF executable with a modular design, written in C/C++. Microsoft notes that it runs as a daemon process in the background, outside of users’ control, and terminates only when the system is shut down.

But the malware can automatically relaunch itself when the system is restarted, thanks to several scripts and commands that make it run automatically at system startup.

Xor DDoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.

It collects characteristics of the infected device, including operating system version, malware version, presence of a rootkit, memory statistics, CPU information and local network speed; this data is encrypted and then sent to the control server.

Source: ZDNet.com
