Security Experts:

DDoS Malware for Linux Distributed via SSH Brute Force Attacks

Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.

The malware, dubbed XOR.DDoS, was first spotted back in September by the Malware Must Die research group, which linked it to a Chinese actor. XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.

FireEye started analyzing XOR DDoS in mid-November when it spotted SSH brute force attacks against its global threat research network coming from IP addresses belonging to Hee Thai Limited, an organization apparently based in Hong Kong. The security firm saw more than 20,000 SSH login attempts per server in the first 24 hours.

The second phase of the campaign took place between November 19 and November 30. By the end of November, FireEye had observed roughly 150,000 login attempts from almost every IP address belonging to Hee Thai Limited. The third phase, which according to researchers is more “chaotic” than the previous two, started on December 7 and continues even today. Nearly 1 million login attempts had been seen on each server by the end of January.

In case an SSH password is successfully brute-forced, the attackers log in to the targeted server and execute SSH shell commands. They extract kernel headers and version strings from the targeted device and use them to create customized malware that’s compiled on-demand on sophisticated build systems.

Once it’s installed on a system, the XOR.DDoS malware connects to its command and control (C&C) server, from which it gets a list of targets. In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.

The problem for victims is that the SSH commands used by the attackers don’t show up in logs, FireEye said.

“Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity,” FireEye researchers explained in a blog post. “This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting.”

The rootkit component, whose main goal is to hide indicators of compromise at kernel level, is loaded as a loadable kernel module (LKM), the security firm said.

Researchers have spotted two variants of XOR.DDoS in the wild. Both variants can be compiled for x86, ARM and other platforms as well.

Both Malware Must Die and Russia-based security firm Dr. Web have been monitoring the activities of a similar China-based group dubbed “ChinaZ.” MalwareMustDie reported in mid-January that the threat actor had been using the ShellShock exploit to deliver DDoS malware.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.