Akamai’s Security Intelligence Response Team (SIRT) announced it is tracking XOR DDoS, a Trojan that attackers use to hijack Linux machines and enlist them in a botnet.
To date, the bandwidth of DDoS (distributed denial of service) attacks coming from the XOR DDoS botnet has ranged from a few gigabits per second to 150+ Gbps.
The gaming sector is the primary target, followed by educational institutions.
The botnet is attacking up to 20 targets per day, 90% of which are in Asia. Akamai recently mitigated two DDoS attacks orchestrated by the XOR DDoS botnet – one of 50Gbps, and the other of 100Gbps.
Other recent examples of Linux-based malware include the Spike DDoS toolkit (which also targeted Windows machines) and the IptabLes and IptabLex malware.
There are an increasing number of Linux vulnerabilities for malicious actors to target, such as the heap-based buffer overflow vulnerability found earlier in 2015 in the GNU C library. However, XOR DDoS does not exploit a specific vulnerability.
SIRT’s research indicates the malware is of Asian origin, based on the command-and-control (C2) IP addresses and the source IP addresses of the attack payloads.
The malware does not spread via a host vulnerability. Rather, it populates via Secure Shell (SSH) services that are susceptible to brute-force attacks due to weak passwords.
Once login credentials have been acquired, the attackers use root privileges to run a Bash shell script that downloads and executes the malicious binary.
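A defender-side check for the propagation pattern described above, added here as an example and not taken from Akamai's report: it scans sshd log lines (constructed samples, not real data) for repeated failed logins per source address and flags a password-based root login that follows a run of failures from the same source. The threshold and the log format assumed (standard syslog-style sshd messages) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (syslog format) showing a brute-force burst
# followed by a successful root password login from the same source.
SAMPLE_AUTH_LOG = """\
Sep 29 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Sep 29 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51014 ssh2
Sep 29 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51016 ssh2
Sep 29 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51018 ssh2
Sep 29 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51020 ssh2
Sep 29 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Sep 29 10:06:00 host sshd[1301]: Failed password for bob from 198.51.100.4 port 40002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyze_sshd_log(text, threshold=5):
    """Return (brute_force_sources, suspicious_root_logins).

    brute_force_sources: sorted source IPs with >= threshold failed logins.
    suspicious_root_logins: (source, prior_failures) for each password-based
    root login that followed at least one failure from the same source.
    """
    failures = defaultdict(int)  # source IP -> failed login count so far
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # Root logging in with a password right after failures from the
            # same source is the weak-password pattern the malware relies on.
            if user == "root" and method == "password" and failures.get(src, 0) > 0:
                alerts.append((src, failures[src]))
    brute_force = sorted(src for src, n in failures.items() if n >= threshold)
    return brute_force, alerts


if __name__ == "__main__":
    print(analyze_sshd_log(SAMPLE_AUTH_LOG))
```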