XorDDos was first spotted in 2014. It is a Linux malware that formed a botnet for massive DDoS attacks on gaming and educational sites. XorDDos is able to obfuscate its activity, which helps it bypass rule-based detection mechanisms and hash-based searches for malicious files. The malware also uses effective self-protection methods, which let it evade forensic analysis.
Over the past six months, Microsoft experts have noted a 254% increase in XorDDos-related activity.
A graph of the growth of XorDDos-related activity.
XorDDos is distributed primarily by SSH brute force: it uses a shell script that iterates through credential combinations on thousands of servers.
Microsoft experts have identified two methods of initial XorDDos access to victims’ systems:
The first method is copying the malicious ELF file to the temporary file storage /dev/shm with its subsequent execution.
The second method is executing a bash script that executes a sequence of actions via the command line.
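As an added illustration (not from Microsoft's report), a minimal detection of the brute-force pattern over constructed sshd log lines: a password-based login accepted right after a burst of failed attempts from the same source is flagged.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (assumption: standard OpenSSH auth log format).
# Six failed root logins from one source, then a successful password login from it,
# followed by an unrelated key-based login from another host.
_ATTACKER = "203.0.113.7"
SAMPLE_AUTH_LOG = "\n".join(
    [f"May 19 10:01:0{i} host sshd[120{i}]: Failed password for root from {_ATTACKER} port 4000{i} ssh2"
     for i in range(6)]
    + [f"May 19 10:01:09 host sshd[1209]: Accepted password for root from {_ATTACKER} port 40009 ssh2",
       "May 19 10:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.2 port 51000 ssh2"]
)

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def detect_bruteforce_logins(log_text, threshold=5):
    """Return (ip, user, failures) for every accepted password login that was
    preceded by at least `threshold` failed password attempts from the same IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Key-based logins are not the product of a password guessing loop.
            if method == "password" and failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, user, n in detect_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"suspected brute-force login: {user}@{ip} after {n} failures")
```

The same walk over the log can be extended with a rule for any interactive root login over password, which the report's description of the initial access makes a reasonable alert on its own.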
XorDDos uses various persistence mechanisms on victim systems, including init and cron scripts, setting the default system runlevel, and symlinks pointing to scripts that should be executed at the desired runlevel.
The report concludes that XorDDos is a universal Trojan capable of infecting Linux systems of various architectures. Its SSH brute force is a relatively simple but effective attack for gaining root access to the victim's system. In addition, the malware is able to install rootkits and embed other malicious payloads into the attacked system.