
Huge botnet attacks 20 websites per day – consists of Linux computers

Attackers have used malware that specifically targets Linux machines to build a huge DDoS botnet capable of launching attacks of 150 Gbps and higher, the Akamai Security Intelligence Response Team (SIRT) reports. The Akamai Technologies security response team has observed several such attacks recently, many of them aimed at online gaming companies and the education sector.


Believed to be of Asian origin, the botnet is known to target as many as 20 victims per day, 90 per cent of which are believed to be companies located in Asia.

Unlike botnets that spread by exploiting software vulnerabilities, this one spreads by targeting Linux devices of all flavours – even embedded ones – and guessing their SSH root passwords by brute force. The biggest recorded DDoS attacks have hit 400 Gbps.
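As an added example (not part of the article or the Akamai advisory), a small Python check that scans sshd authentication log lines for the spread pattern described above: repeated failed root password logins from one source, followed by a successful root login from the same source. The log lines are constructed samples, and the threshold of five failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the article or the advisory).
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:01:03 host sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Sep 29 10:01:04 host sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 29 10:01:05 host sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Sep 29 10:01:06 host sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 29 10:01:09 host sshd[2201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Sep 29 10:02:00 host sshd[2310]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Sep 29 10:03:00 host sshd[2311]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect_root_bruteforce(log_text, threshold=5):
    """Walk sshd log lines in order and report every source that failed a root
    login at least `threshold` times, plus whether a root login from that source
    was later accepted (the trace a password-guessing worm leaves on a victim)."""
    failed = defaultdict(int)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("user") != "root":
            continue  # only root logins matter for this check
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failed[ip] += 1
        elif failed[ip] >= threshold:
            success_after[ip] = True  # root accepted after a burst of failures
    return {ip: {"failed": n, "root_login_after_failures": success_after[ip]}
            for ip, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in detect_root_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A source that shows up with `root_login_after_failures` set is a host-compromise lead, not just a noisy scanner, and is the point at which the file and process checks from the advisory should be run.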

If you have annoying Linux friends that like to brag about how Linux has no viruses, this might be the ideal time to mention XOR, along with the Spike DDoS toolkit, and the IptabLes and IptabLex malware. “A few of the source IPs that we are seeing actively producing malicious traffic have spoofing capabilities”. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks”.

The presence of XOR DDoS can be detected in two ways.


The botnet revolves around the XOR trojan, malware first observed in the wild in September 2014 by the Malware Must Die group. To detect this botnet on a network, look for communications between a bot and its command-and-control (C2) server using the Snort rule provided in the advisory. “To detect infection of this malware on your hosts you can use the YARA rule [also in the advisory]”. Removing the threat involves identifying the malicious files in two directories, identifying the processes responsible for the persistence of the main process, killing those processes, and deleting the malicious files. To learn more about the threat, malware removal and DDoS mitigation techniques, please download a complimentary copy of the threat advisory at www.stateoftheinternet.com/xorddos.
