XOR DDoS botnet launching attacks from compromised Linux machines
Attackers have developed a botnet capable of 150+ Gbps DDoS attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems, according to Akamai.
What is XOR DDoS?
XOR DDoS is a Trojan malware that infects Linux systems, instructing them to launch DDoS attacks on demand by a remote attacker. Initially, attackers gain access by brute force attacks to discover the password to Secure Shell services on a Linux machine. Once login has been acquired, the attackers use root privileges to run a Bash shell script that downloads and executes the malicious binary.
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”
XOR DDoS attacks
Akamai SIRT’s research showed that the bandwidth of DDoS attacks coming from the XOR DDoS botnet ranged from low, single-digit Gbps to 150+ Gbps – an extremely large attack size. The most frequent target was the gaming sector, followed by educational institutions. The botnet attacks up to 20 targets per day, 90% of which were in Asia.
Of the DDoS attacks from the XOR DDoS botnet Akamai has mitigated, several examples documented on August 22-23 are profiled in the threat advisory. One of the attacks was nearly 179 Gbps, and the other was almost 109 Gpbs. Two attack vectors were observed: SYN and DNS floods.
The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent ISPs from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.
DDoS mitigation of XOR DDoS attacks
Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
How to detect and remove XOR DDoS malware
The presence of XOR DDoS can be detected in two ways. To detect this botnet in a network, look for communications between a bot and its C2 using a Snort rule provided in the advisory. To detect infection of this malware on a Linux host, the advisory includes a YARA rule that pattern matches strings observed in the binary.
XOR DDoS is persistent – it runs processes that will reinstall the malicious files if they are deleted. Therefore removing the XOR DDoS malware is a four-step process for which several scripts are provided in the advisory:
- Identify the malicious files in two directories.
- Identify the processes that promote persistence of the main process.
- Kill the malicious processes.
- Delete the malicious files.