Photo by Jez Timms on Unsplash

XOR DDoS, Top Threat to Linux Today

How does this clever Linux Trojan operate?

By Jason Chavarría | May 26, 2022 | Category: Attacks

It has been a while since we covered issues on Linux. Last time, we talked about PwnKit, an "ancient" vulnerability common to several distributions that allowed privilege escalation to achieve root user permissions. Now, we look at a Linux Trojan that acts as a distributed denial of service (DDoS) botnet. Though this Trojan was discovered in 2014, the Microsoft 365 Defender Research Team says they have observed a 254% jump in its activity over the last six months. Let's see what it is about.

What is XOR DDoS?

The Trojan's name is XOR DDoS (or XorDdos). Let's break that name down real quick: XOR refers to the form of encryption it uses for communications with its command-and-control (C2) server (e.g., it writes the string m6_6n3 to mean directory /tmp), and DDoS refers to the kind of attack it carries out. This Trojan accomplishes DDoS by flooding the server with threads (i.e., lightweight processes), which are so many that, in the end, legitimate clients are denied the targeted resources, or the server crashes. These attacks can also be a way to mask the attacker's further malicious activities, which include gaining unauthorized access.

Back in 2014, when the ethical hacking group MalwareMustDie discovered this Trojan, they attributed it to Chinese threat actors and warned how serious it was, given its complexity and how hard it was to detect. By 2015, the Trojan was said to have compromised more than 20 websites per day, mainly in Asia. It has become more pervasive in recent years, rising as the top threat to Linux machines. Reportedly, XOR DDoS has been affecting Internet of Things (IoT) devices and cloud infrastructures, progressively gaining points from which to launch further attacks.

XOR DDoS attempts to get access to systems mainly by conducting brute force attacks on devices across loads of servers. Once it finds credentials that work on a device, this Trojan runs a script with root privileges to download and install itself on the device. It uses clever ways to conceal how it got there, like downloading itself to a temporary file storage directory or overwriting log files.

This Trojan has several persistence mechanisms, that is, techniques to keep its access to systems across restarts. Put simply, it stores scripts to determine that it should be run every time the system starts up. Its mechanisms are plenty so that at least one of them works on any of several Linux distributions.

Another malicious action that XOR DDoS does is it sends device information to the threat actor. As reported by Microsoft, it includes "OS release version, malware version, rootkit presence, memory stats, CPU information, and LAN speed." This data can be used to plan more specific, custom attacks on the device. An example of this is that another Linux Trojan called Tsunami was contracted later by some of the infected devices but, as Microsoft explained, this other Trojan was not installed by XOR DDoS, so it is likely that the latter "is leveraged as a vector for follow-on activities."

To perform DDoS, the Trojan enumerates the processors in the device and then moves on to create threads twice that number. After that, the Trojan receives commands from the C2 server to flood the device, rendering it unable to respond.

What Linux users should be doing about XOR DDoS

Currently, a generalized warning has been made to Linux administrators. They are being urged to have the latest endpoint and server defenses on their systems. The risk is clear: DDoS attacks are a big deal. They are even used as a weapon in cyberwar. This has been reported, for example, in the conflict between Russia and Ukraine. Moreover, as shown in a report by Kaspersky, this kind of attack hit record numbers in the first quarter of the current year. An aggravating factor is that, as mentioned, many of the Internet-connected devices that have been affected are IoT devices. This poses a challenge for many users because these are often not properly secured, as manufacturers prioritize quickly getting the product out in the market.

There are some specific things that Linux administrators should start doing right now. First thing is becoming aware of whether their systems are being targeted. It could be the case if they detect a large number of failed login attempts. Also, some ways of protecting their Internet-facing servers are to deploy antimalware software and disallow remote password access. Furthermore, administrators need to "enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet." Lastly, all other users should be urged to be cautious too. They really need to take security measures as simple as creating and rotating strong passphrases (even more secure than passwords) and complying with the activation of multi-factor authentication.

Did you like this post? Then subscribe to our newsletter to be up to date on the latest cyberattacks and cybersecurity trends.