The Linux XOR botnet is launching crippling DDoS attacks in excess of 150 Gbps
The XOR #DDoS #botnet can generate attacks more powerful than most businesses can withstand.
▻http://www.pcworld.com/article/2987580/security/a-linux-botnet-is-launching-crippling-ddos-attacks-at-more-than-150gbps.htm
Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage (NAS) devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.
[...]
Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.
▻https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-l
Akamai’s Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware that DDoS attackers have used to hijack Linux machines to build a botnet for distributed denial of service (DDoS) attack campaigns with SYN and DNS floods.
• The XOR DDoS botnet has produced DDoS attacks ranging from a couple of Gbps to 150+ Gbps.
• The gaming sector has been the primary target, followed by educational institutions.
• The botnet has attacked up to 20 targets per day, 90% of which were in Asia.
• XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines.
• XOR DDoS appears to be of Asian origin.
• The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
• To hide its presence, the malware also uses common rootkit techniques.
• Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their methods, including a more diverse selection of DDoS attack types.
What you can find in the technical information about XOR DDoS:
• Indicators of binary infection
• Characteristics of the botnet and C2 communications
• Observed DDoS attack campaigns
• DDoS payloads for DDoS mitigation
• Snort rule to detect the initial registration of a bot with its C2
• YARA rule to detect infection by XOR DDoS malware on your hosts
4 steps to remove XOR DDoS malware from a Linux host
▻https://www.stateoftheinternet.com/downloads/pdfs/2015-threat-advisory-xor-ddos-attacks-linux-botnet-malware-remov
An argument (by a Linux fan) against blaming Linux for this botnet
(albeit somewhat in bad faith, with the main line of defence being that anything can fail against brute-force attacks):
▻http://www.infoworld.com/article/2990956/linux/dont-blame-linux-for-the-xor-botnet.html
The real culprits are the irresponsible vendors behind cheap broadband routers and their clueless customers
The existence of the XOR DDoS was already mentioned here in January 2015 by @stephane: ▻http://seenthis.net/messages/327907