
Linux XOR DDoS Botnet Flexes Muscles With 150+ Gbps Attacks

XOR DDoS Botnet Pounds Organizations in Asia

Akamai Technologies shared new details on Tuesday of an existing botnet that is now capable of launching 150+ gigabit-per-second (Gbps) DDoS attacks from Linux systems infected by the XOR DDoS Trojan.

The XOR DDoS malware was first discovered in September 2014 by the Malware Must Die research group, which linked it to a Chinese threat actor. XOR DDoS is different from most DDoS bots because it’s developed using C/C++ and uses a rootkit component for persistence, researchers said. Once installed on a system, XOR DDoS connects to its command and control (C&C) server, from which it gets a list of targets.

In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.

Akamai analysts witnessed that the bandwidth of DDoS attacks coming from the XOR DDoS botnet in recent campaigns ranged from low, single-digit Gbps to more than 150 Gbps, and hit up to 20 targets per day, 90% of which were in Asia.

“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”

The top target has been the gaming sector, followed by educational institutions, Akamai said. Using SYN and DNS floods, two attacks seen by Akamai reached nearly 179 Gbps and 109 Gbps.

Here’s more of what Akamai has to say about XOR DDoS:


The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent Internet Service Providers (ISPs) from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.

DDoS mitigation of XOR DDoS attacks

Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
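The two observations above (spoofed sources that stay inside the infected host's own /24 or /16, and a static TTL/window/options fingerprint on the SYNs) can be combined into a detection check. The following Python is an added example, not code from Akamai's advisory; the packet records and fingerprint values are constructed placeholders, and the advisory's real signature values are not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of parsed SYN records: (src_ip, ip_ttl, tcp_window, tcp_options).
# The values are illustrative, not the fingerprint published in Akamai's advisory.
SAMPLE_SYNS = [
    # forty distinct sources inside one /24, all carrying an identical static fingerprint
    *[(f"203.0.113.{i}", 64, 65535, "mss") for i in range(1, 41)],
    # ordinary traffic from another /24: varied stacks, TTLs and window sizes
    ("198.51.100.5", 55, 29200, "mss,sackOK,TS,nop,wscale"),
    ("198.51.100.9", 118, 8192, "mss,nop,wscale,nop,nop,sackOK"),
    ("198.51.100.77", 52, 64240, "mss,sackOK,TS,nop,wscale"),
]


def spoof_clusters(records, prefixlen=24, min_sources=16):
    """Group SYN sources by (address block, ttl, window, options) and return the
    groups with at least min_sources distinct addresses.

    A genuine /24 shows a mix of operating-system stacks and hop counts; one host
    spoofing its neighbours' addresses shows a single stack repeated across many
    addresses, which uRPF alone cannot reject because the prefix is legitimate."""
    seen = defaultdict(set)
    for src, ttl, window, options in records:
        block = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        seen[(block, ttl, window, options)].add(src)
    return {key: len(srcs) for key, srcs in seen.items() if len(srcs) >= min_sources}


def tcpdump_filter(block, ttl, window):
    """Build a tcpdump/BPF expression that isolates SYNs from the flagged block with
    the flagged IPv4 TTL (byte 8 of the IP header) and TCP window (bytes 14-15 of
    the TCP header), for confirming the cluster in a live capture."""
    return (f"src net {block} and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn "
            f"and ip[8] = {ttl} and tcp[14:2] = {window}")


if __name__ == "__main__":
    for (block, ttl, window, options), count in spoof_clusters(SAMPLE_SYNS).items():
        print(f"{count} sources in {block} share ttl={ttl} win={window} opts={options}")
        print("  capture filter:", tcpdump_filter(block, ttl, window))
```

Run the same records through `spoof_clusters(SAMPLE_SYNS, prefixlen=16)` to see the /16 variant of the spoofing pattern produce the same single cluster.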

According to Akamai, removing the XOR DDoS malware is a four-step process, which it describes in the advisory, along with several scripts and instructions for detection using a YARA rule. 

“Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their method,” Akamai concluded. “This will likely result in a more diverse selection of DDoS attack types included in future versions of the malware. XOR DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns.”

Late last year, researchers at FireEye monitored a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install XOR DDoS on targeted systems. At the time, FireEye saw more than 20,000 SSH login attempts per server in the first 24 hours.  

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
