Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

DDoS Malware for Linux Distributed via SSH Brute Force Attacks

Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.

Researchers at FireEye have been monitoring a campaign in which malicious actors use Secure Shell (SSH) brute force attacks to install a piece of DDoS malware on Linux and other types of systems.

The malware, dubbed XOR.DDoS, was first spotted back in September by the Malware Must Die research group, which linked it to a Chinese actor. XOR.DDoS is different from other DDoS bots because it’s written in C/C++ and it uses a rootkit component for persistence.

FireEye started analyzing XOR DDoS in mid-November when it spotted SSH brute force attacks against its global threat research network coming from IP addresses belonging to Hee Thai Limited, an organization apparently based in Hong Kong. The security firm saw more than 20,000 SSH login attempts per server in the first 24 hours.

The second phase of the campaign took place between November 19 and November 30. By the end of November, FireEye had observed roughly 150,000 login attempts from almost every IP address belonging to Hee Thai Limited. The third phase, which according to researchers is more “chaotic” than the previous two, started on December 7 and continues even today. Nearly 1 million login attempts had been seen on each server by the end of January.

In case an SSH password is successfully brute-forced, the attackers log in to the targeted server and execute SSH shell commands. They extract kernel headers and version strings from the targeted device and use them to create customized malware that’s compiled on-demand on sophisticated build systems.

Once it’s installed on a system, the XOR.DDoS malware connects to its command and control (C&C) server, from which it gets a list of targets. In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.

The problem for victims is that the SSH commands used by the attackers don’t show up in logs, FireEye said.

“Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity,” FireEye researchers explained in a blog post. “This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting.”

Advertisement. Scroll to continue reading.

The rootkit component, whose main goal is to hide indicators of compromise at kernel level, is loaded as a loadable kernel module (LKM), the security firm said.

Researchers have spotted two variants of XOR.DDoS in the wild. Both variants can be compiled for x86, ARM and other platforms as well.

Both Malware Must Die and Russia-based security firm Dr. Web have been monitoring the activities of a similar China-based group dubbed “ChinaZ.” MalwareMustDie reported in mid-January that the threat actor had been using the ShellShock exploit to deliver DDoS malware.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights