Malware that has hijacked Linux systems for the past year has been recorded flooding targeted websites at speeds of over 150Gbps.
The Linux botnet, known as XOR DDoS or XOR.DDoS, is orchestrating attacks on around 20 targets a day, according to Akamai, which in late August blocked two attacks against customers that measured 50 Gbps and 100 Gbps, respectively.
XOR.DDoS was discovered almost exactly one year ago by researchers at the MalwareMustDie! group, which found that it attempts to brute-force SSH login credentials for the root user of a Linux system. In other words, it doesn't exploit a specific vulnerability. According to security vendor Avast, if the credentials are guessed correctly, the attackers install XOR.DDoS via a shell script and, to prevent removal, also attempt to install a rootkit.
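Because the infection path described above is plain password guessing against root over SSH, the signal a defender wants is a burst of failed root password attempts from one source, especially when followed by a successful password login for root from that same source. The following is an added example (not code from the article, Akamai, Avast or MalwareMustDie): it parses standard OpenSSH syslog lines and flags both conditions, and also reads the `PermitRootLogin` setting from an `sshd_config`, since disabling root password logins removes the attack surface entirely. The log lines and config text are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (RFC 5737 documentation addresses, not real data),
# in the syslog format OpenSSH writes on most Linux distributions.
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Sep 29 10:01:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Sep 29 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 51024 ssh2
Sep 29 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 51025 ssh2
Sep 29 10:01:06 host sshd[1201]: Failed password for root from 203.0.113.5 port 51026 ssh2
Sep 29 10:01:07 host sshd[1201]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Sep 29 10:02:10 host sshd[1305]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Sep 29 10:02:15 host sshd[1306]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
Sep 29 10:03:00 host sshd[1402]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
"""

# Constructed sshd_config fragment with the weak setting the malware relies on.
SAMPLE_SSHD_CONFIG = """\
# comment line
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyze_sshd_log(text, threshold=5):
    """Return (brute_force_sources, suspicious_successes).

    brute_force_sources: {ip: count} for sources with >= threshold failed
    password attempts against root.
    suspicious_successes: [(ip, user, method)] for password logins as root
    that followed such a burst from the same source, i.e. the case where
    the credentials were guessed correctly.
    """
    failures = defaultdict(int)
    successes = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            if user == "root":
                failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root" and method == "password" and failures.get(ip, 0) >= threshold:
                successes.append((ip, user, method))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, successes


def permit_root_login(sshd_config):
    """Return the PermitRootLogin value set in an sshd_config text, lower-cased,
    or None if the directive is absent (OpenSSH then applies a version-dependent
    default). OpenSSH honours the first occurrence, so the first match wins."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


if __name__ == "__main__":
    brute, hits = analyze_sshd_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute)
    print("root password logins after a burst:", hits)
    print("PermitRootLogin:", permit_root_login(SAMPLE_SSHD_CONFIG))
```

On the constructed sample, the source 203.0.113.5 is reported with five failures and one subsequent root password login; the single failure for "alice" and the "invalid user admin" line are not counted, since only root is targeted here. A value of `yes` from `permit_root_login` is the setting to change (to `no`, or at least to key-only authentication).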
The point of the exercise is to build a network of infected Linux machines that can be centrally coordinated to launch distributed denial of service (DDoS) attacks against target websites and knock them offline. The XOR part of the malware's name refers to its use of XOR to encrypt its payload.
According to Akamai, those sites are typically in the online gaming sector within Asia, and the two attacks it details found the botnet firing SYN and DNS traffic. It's also capable of producing spoofed attack traffic, which may allow the attacker to test and track which machines are capable of routing spoofed packets.
However, the company also notes that it has observed attacks where the payload from each bot is unique, suggesting the attackers are simply using a technique to slip past Unicast Reverse Path Forwarding (uRPF), which can be enabled on most vendors' routers to prevent IP address spoofing.
"This fact leads us to believe the attack traffic is not using spoofed IP addresses, or if the sources are spoofed then the attacking IP address is not randomized during the attack. Spoofed IP addresses are generated so they appear to come from the same /24 or /16 address space as the infected host. This spoofing technique, where only the third and/or fourth octet of the IP address is altered, is used to prevent ISPs from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF) protected networks," Akamai noted.
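The spoofing pattern Akamai describes leaves a measurable footprint: instead of source addresses scattered across the whole address space, the attack sources cluster densely in a handful of /24 or /16 networks (the bots' own). The following is an added example, not code from the article or from Akamai, that profiles a set of observed source IPs by prefix length and reports the networks contributing an unusual number of distinct sources. The three source sets are constructed from RFC 5737 documentation ranges to model randomized spoofing, fourth-octet-only spoofing and third-plus-fourth-octet spoofing respectively; the threshold `min_per_net` is an assumed tuning value.

```python
import ipaddress
from collections import Counter

# Constructed source sets (documentation ranges, not real attack data).
# Fully randomized spoofing: every address lands in a different /16.
RANDOMIZED_SOURCES = [f"{10 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}"
                      for i in range(40)]
# Only the fourth octet varied: two /24s, each densely populated.
FOURTH_OCTET_SOURCES = ([f"203.0.113.{h}" for h in range(1, 41)]
                        + [f"198.51.100.{h}" for h in range(1, 21)])
# Third and fourth octets varied: one /16, spread thinly over twenty /24s.
THIRD_FOURTH_OCTET_SOURCES = [f"203.0.{third}.{fourth}"
                              for third in range(1, 21) for fourth in range(1, 4)]


def prefix_profile(sources, prefix_len):
    """Count distinct observed source IPs per /prefix_len network."""
    counts = Counter()
    for ip in set(sources):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def dense_networks(sources, prefix_len=24, min_per_net=10):
    """Return the /prefix_len networks that contribute at least min_per_net
    distinct source addresses, sorted. Spoofing confined to the low octets
    produces a few such dense networks; randomized spoofing produces none,
    because each network holds roughly one address."""
    counts = prefix_profile(sources, prefix_len)
    return sorted(net for net, n in counts.items() if n >= min_per_net)


def spoofing_verdict(sources, min_per_net=10):
    """Classify a source set as 'randomized', 'subnet-local' (dense /24s) or
    'wide-local' (dense /16s only), following the distinction in the text."""
    if dense_networks(sources, 24, min_per_net):
        return "subnet-local"
    if dense_networks(sources, 16, min_per_net):
        return "wide-local"
    return "randomized"


if __name__ == "__main__":
    for name, srcs in [("randomized", RANDOMIZED_SOURCES),
                       ("fourth octet", FOURTH_OCTET_SOURCES),
                       ("third+fourth octet", THIRD_FOURTH_OCTET_SOURCES)]:
        print(name, "->", spoofing_verdict(srcs),
              "dense /24:", dense_networks(srcs, 24),
              "dense /16:", dense_networks(srcs, 16))
```

Run on the constructed sets, the randomized traffic yields no dense network at either prefix length, the fourth-octet set yields two dense /24s, and the third-plus-fourth-octet set is invisible at /24 but collapses into a single dense /16. For an operator, a dense /24 or /16 in attack telemetry is exactly the case where uRPF at the bots' own edge would not help and where the upstream network's ingress filtering (BCP 38 style) has to be relied upon instead.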
The key takeaway, however, is that attackers are no longer building botnets only from Windows machines. Akamai warns that this particular example is part of a wider trend, one that may have been made possible because Linux was seen as more secure than Windows, prompting companies to adopt it. Today there are enough Linux systems in use to make it worthwhile to pick the low-hanging Linux fruit, namely poorly configured systems.
"A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion's share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts," Akamai notes.
"As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly," Akamai concludes.
Akamai provides details on removal and remediation of the threat here.