Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

DDoS Malware for Linux Distributed via SSH Brute Force Attacks

Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.

Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.

The malware, dubbed XOR.DDoS, was first spotted back in September by the Malware Must Die research group, which linked it to a Chinese actor. XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.

FireEye started analyzing XOR DDoS in mid-November when it spotted SSH brute force attacks against its global threat research network coming from IP addresses belonging to Hee Thai Limited, an organization apparently based in Hong Kong. The security firm saw more than 20,000 SSH login attempts per server in the first 24 hours.

The second phase of the campaign took place between November 19 and November 30. By the end of November, FireEye had observed roughly 150,000 login attempts from almost every IP address belonging to Hee Thai Limited. The third phase, which according to researchers is more “chaotic” than the previous two, started on December 7 and continues even today. Nearly 1 million login attempts had been seen on each server by the end of January.

In case an SSH password is successfully brute-forced, the attackers log in to the targeted server and execute SSH shell commands. They extract kernel headers and version strings from the targeted device and use them to create customized malware that’s compiled on-demand on sophisticated build systems.

Once it’s installed on a system, the XOR.DDoS malware connects to its command and control (C&C) server, from which it gets a list of targets. In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.

The problem for victims is that the SSH commands used by the attackers don’t show up in logs, FireEye said.

“Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity,” FireEye researchers explained in a blog post. “This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting.”

The rootkit component, whose main goal is to hide indicators of compromise at kernel level, is loaded as a loadable kernel module (LKM), the security firm said.

Researchers have spotted two variants of XOR.DDoS in the wild. Both variants can be compiled for x86, ARM and other platforms as well.

Both Malware Must Die and Russia-based security firm Dr. Web have been monitoring the activities of a similar China-based group dubbed “ChinaZ.” MalwareMustDie reported in mid-January that the threat actor had been using the ShellShock exploit to deliver DDoS malware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.