The activity of the Linux XorDdos bot increased by 254% over the last six months

Microsoft researchers have observed a spike in the activity of the Linux bot XorDdos over the last six months.

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.

XorDdos leverages persistence mechanisms, efficient evasion, and anti-forensic techniques, including obfuscating the malware’s activities, evading rule-based detection mechanisms, and hash-based malicious file lookup.

Microsoft experts observed in the last six months a 254% increase in the activity associated with XorDdos.

XorDdos spreads primarily via SSH brute force, it uses a shell script to try credential combinations across thousands of servers.

Microsoft experts determined two of XorDdos’ methods for initial access to the target systems, the first method copies a malicious ELF file to temporary file storage /dev/shm and then executing it, while the second one involves the execution of a bash script that performs a sequence of activities via the command line.

XorDdos uses various persistence mechanisms to support different Linux distributions, including init and cron scripts, setting a system’s default runlevel, and using symlinks they point to the scripts that should run at the specified runlevel.

“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.” concludes the report. “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

The post The activity of the Linux XorDdos bot increased by 254% over the last six months appeared first on Security Affairs.