Microsoft Warns Rise in XorDdos Malware Targeting Linux Devices
The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is known to have been active since at least 2014.
“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures,” Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team said in an exhaustive deep-dive of the malware.
“Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.”
Remote control over vulnerable IoT and other internet-connected devices is gained by means of secure shell (SSH) brute-force attacks, enabling the malware to form a botnet capable of carrying distributed denial-of-service (DDoS) attacks.
Besides being compiled for ARM, x86, and x64 architectures, the malware is designed to support different Linux distributions, not to mention come with features to siphon sensitive information, install a rootkit, and act as a vector for follow-on activities.
In recent years, XorDdos has targeted unprotected Docker servers with exposed ports (2375), using victimized systems to overwhelm a target network or service with fake traffic in order to render it inaccessible.
XorDdos has since emerged as the top Linux-targeted threat in 2021, according to a report from CrowdStrike published earlier this January.
“XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy,” the researchers noted.
“Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”