XOR DDoS Botnet Pounds Organizations in Asia
Akamai Technologies shared new details on Tuesday of an existing botnet that is now capable of launching 150+ gigabit-per-second (Gbps) DDoS attacks from Linux systems infected by the XOR DDoS Trojan.
The XOR DDoS malware was first discovered in September 2014 by the Malware Must Die research group, which linked it to a Chinese threat actor. XOR DDoS is different from most DDoS bots because it’s developed using C/C++ and uses a rootkit component for persistence, researchers said. Once installed on a system, XOR DDoS connects to its command and control (C&C) server, from which it gets a list of targets.
In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.
Akamai analysts observed that the bandwidth of DDoS attacks coming from the XOR DDoS botnet in recent campaigns ranged from low, single-digit Gbps to more than 150 Gbps, and that the botnet hit up to 20 targets per day, 90% of which were in Asia.
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”
The top target has been the gaming sector, followed by educational institutions, Akamai said. Using SYN and DNS floods, two attacks seen by Akamai reached nearly 179 Gbps and 109 Gbps.
Here’s more of what Akamai has to say about XOR DDoS:
The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent Internet Service Providers (ISPs) from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.
DDoS mitigation of XOR DDoS attacks
Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
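As an added, defender-side illustration (not code from the article or from Akamai's advisory), the following Python groups captured SYN records by /24 and by static TCP fingerprint (TTL, window size, options), which surfaces the same-prefix spoofing pattern described above: many distinct "neighbour" source addresses that all share one identical stack fingerprint, traffic that uRPF at the upstream ISP will not reject. The sample records and the fingerprint values are constructed placeholders; the real signature values come from the threat advisory.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of TCP SYN records, as a flow collector might emit them:
# (src_ip, ip_ttl, tcp_window, tcp_options). The values are illustrative only;
# the real XOR DDoS fingerprint is published in Akamai's advisory, not here.
SAMPLE_SYNS = [
    ("198.51.100.17", 64, 65535, "mss,sackOK,ts"),   # ordinary client, unique source
    ("203.0.113.5",   47, 512,   "mss"),             # five sources in one /24 ...
    ("203.0.113.9",   47, 512,   "mss"),             # ... all with the same static
    ("203.0.113.77",  47, 512,   "mss"),             # fingerprint: the shape of one
    ("203.0.113.130", 47, 512,   "mss"),             # infected host spoofing its
    ("203.0.113.201", 47, 512,   "mss"),             # neighbours' addresses
    ("192.0.2.44",    128, 8192, "mss,nop,ws"),      # lone host, different stack
]

def flag_same_prefix_spoofing(syns, prefix_len=24, min_sources=4):
    """Group SYNs by /prefix_len and by (ttl, window, options) fingerprint.
    A prefix in which at least min_sources distinct addresses share one
    identical fingerprint is flagged. Returns
    {prefix_str: {fingerprint: [sources in address order]}}."""
    by_prefix = defaultdict(lambda: defaultdict(set))
    for src, ttl, window, options in syns:
        prefix = ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[prefix][(ttl, window, options)].add(ip_address(src))
    flagged = {}
    for prefix, fingerprints in by_prefix.items():
        for fp, sources in fingerprints.items():
            if len(sources) >= min_sources:
                flagged.setdefault(str(prefix), {})[fp] = [str(s) for s in sorted(sources)]
    return flagged

def tcpdump_filter(ttl, window):
    """Build a tcpdump/BPF expression matching SYN-only packets that carry a
    given IP TTL (byte 8 of the IPv4 header) and TCP window (bytes 14-15 of
    the TCP header). This is the style of filter Akamai distributed; the
    values passed in here are placeholders, not the advisory's."""
    return f"tcp[tcpflags] == tcp-syn and ip[8] == {ttl} and tcp[14:2] == {window}"

if __name__ == "__main__":
    for prefix, fps in flag_same_prefix_spoofing(SAMPLE_SYNS).items():
        for (ttl, window, _), sources in fps.items():
            print(f"{prefix}: {len(sources)} sources share ttl={ttl} window={window}")
            print("  filter:", tcpdump_filter(ttl, window))
```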
According to Akamai, removing the XOR DDoS malware is a four-step process, which it describes in the advisory, along with several scripts and instructions for detection using a YARA rule.
“Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their method,” Akamai concluded. “This will likely result in a more diverse selection of DDoS attack types included in future versions of the malware. XOR DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns.”
Late last year, researchers at FireEye monitored a campaign in which malicious actors used Secure Shell (SSH) brute force attacks to install XOR DDoS on targeted systems. At the time, FireEye saw more than 20,000 SSH login attempts per server in the first 24 hours.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.