Botnet preying on Linux computers delivers potent DDoS attacks
Akamai announced on Tuesday that its Security Intelligence Response Team has discovered a massive Linux-based botnet that’s reportedly capable of downing websites under a torrent of DDoS traffic exceeding 150 Gbps.
Akamai recently mitigated two DDoS attacks orchestrated by the XOR DDoS botnet – one of 50Gbps, and the other of 100Gbps. Initially, attackers gain root access by brute-forcing a machine’s SSH service – disabling root login from SSH, or using a very strong password, will defeat this. Once the malware has Secure Shell credentials, it secretly downloads and installs the necessary botnet software, then connects the newly-infected computer to the rest of the hive.
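The two mitigations named above (no root login over SSH, no guessable password) are both sshd_config settings, so they can be checked mechanically. The following POSIX shell script is an added example, not code from the article or from Akamai's advisory: it reads the first uncommented occurrence of each keyword the way sshd does, flags the weak values, and runs itself against two constructed sample configs (the names `sshd_option`, `audit_sshd`, `WEAK_CFG` and `HARD_CFG` are this example's own). It ignores `Match` blocks, so treat it as a first-pass audit rather than a full parse.

```shell
#!/bin/sh
# Added example (not from the article or Akamai's advisory): audit an sshd_config
# for the two settings the article says defeat the SSH brute-force vector.

# sshd_option FILE KEY DEFAULT: print the effective value of KEY.
# sshd honours the first uncommented occurrence of a keyword, so we do the same.
# Match blocks are not handled; this is a first-pass check only.
sshd_option() {
    _val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# audit_sshd FILE: print findings; return 0 if hardened, 1 if a weak setting is present.
audit_sshd() {
    _rc=0
    # Conservative defaults when the keyword is absent (OpenSSH before 7.0 defaulted to yes).
    _root=$(sshd_option "$1" PermitRootLogin yes)
    _pass=$(sshd_option "$1" PasswordAuthentication yes)
    case "$_root" in
        no|prohibit-password|without-password|forced-commands-only)
            echo "ok:   PermitRootLogin $_root" ;;
        *)  echo "WEAK: PermitRootLogin $_root (root reachable by SSH password guessing)"; _rc=1 ;;
    esac
    case "$_pass" in
        no) echo "ok:   PasswordAuthentication no" ;;
        *)  echo "WEAK: PasswordAuthentication $_pass (use key-only authentication instead)"; _rc=1 ;;
    esac
    return $_rc
}

# Constructed sample configs: the weak setup the botnet preys on, and a hardened version.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak sample =="
audit_sshd "$WEAK_CFG" || echo "result: NOT hardened"
echo "== hardened sample =="
audit_sshd "$HARD_CFG" && echo "result: hardened"
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config`; the exit status makes it usable from a configuration-management check. Turning off password authentication only helps once key-based logins are in place for the accounts that need them, so deploy keys first.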
Threat actors are leveraging a botnet made up of infected Linux machines to launch powerful distributed denial-of-service attacks. The most frequent targets have been companies from the online gaming sector, followed by educational institutions, the Akamai team said in an advisory that contains an analysis of the malware, indicators of compromise and detection rules.
The botnet is attacking up to 20 targets per day, 90% of which are in Asia.
The bandwidth of DDoS attacks ranged from single-digit Gbps to 179Gbps, a huge attack volume. There’s no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself.
If you have annoying Linux friends who like to brag about how Linux has no viruses, this might be the perfect time to mention XOR, along with the Spike DDoS toolkit and the IptabLes and IptabLex malware. Akamai also observed that “a few of the source IPs that we are seeing actively producing malicious traffic have spoofing capabilities”. To detect this malware on a Linux host, the advisory includes a YARA rule that pattern-matches strings observed in the binary.
It also explains how to identify the malicious files, which reside in two directories on an infected host.
“XOR DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns”, the advisory said.