The Linux XOR botnet is launching crippling DDoS attacks in excess of 150 Gbps
The XOR #DDoS #botnet can generate attacks more powerful than most businesses can withstand.
Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage (NAS) devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.
Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.
Akamai’s Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware that DDoS attackers have used to hijack Linux machines to build a botnet for distributed denial of service (DDoS) attack campaigns with SYN and DNS floods.
• The XOR DDoS botnet has produced DDoS attacks ranging from a couple of Gbps to 150+ Gbps.
• The gaming sector has been the primary target, followed by educational institutions.
• The botnet has attacked up to 20 targets per day, 90% of which were in Asia.
• XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines.
• XOR DDoS appears to be of Asian origin.
• The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
• To hide its presence, the malware also uses common rootkit techniques.
• Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their methods, including a more diverse selection of DDoS attack types.
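Since the summary names SSH brute forcing against weak passwords as the botnet's entry vector, here is an added example (not from this post, nor from Akamai's advisory) that flags that pattern in sshd auth logs: a burst of failed logins from one source followed by an accepted password login from the same source. The log lines are constructed, and the failure threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not taken from the page).
SAMPLE_LOG = """\
Sep 29 10:01:03 nas sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Sep 29 10:01:05 nas sshd[2102]: Failed password for root from 198.51.100.7 port 40123 ssh2
Sep 29 10:01:07 nas sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Sep 29 10:01:09 nas sshd[2104]: Failed password for root from 198.51.100.7 port 40125 ssh2
Sep 29 10:01:11 nas sshd[2105]: Failed password for root from 198.51.100.7 port 40126 ssh2
Sep 29 10:01:13 nas sshd[2106]: Accepted password for root from 198.51.100.7 port 40127 ssh2
Sep 29 10:05:00 nas sshd[2130]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Sep 29 10:05:20 nas sshd[2131]: Accepted publickey for alice from 203.0.113.9 port 51003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_ts(ts, year=2015):
    # syslog timestamps carry no year; an assumed year is enough for ordering
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bruteforce_logins(log_text, max_failures=5, window_seconds=120):
    """Per source IP: count failures inside a sliding window (assumed threshold and
    window) and record a password login accepted right after such a burst."""
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts = m["src"], parse_ts(m["ts"])
        # drop failures from this source that fell out of the window
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= max_failures:
                findings.setdefault(src, {})["brute_force"] = len(recent)
        # an accepted password right after a burst is the likely compromise event
        elif len(recent) >= max_failures and m["method"] == "password":
            findings.setdefault(src, {})["compromised_user"] = m["user"]
        failures[src] = recent
    return findings
```

A host that shows the `compromised_user` finding is a candidate for the infection indicators and YARA rule mentioned below, not just for a password reset.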
What you can find in the technical information about XOR DDoS:
• Indicators of binary infection
• Characteristics of the botnet and C2 communications
• Observed DDoS attack campaigns
• DDoS payloads for DDoS mitigation
• Snort rule to detect the initial registration of a bot with its C2
• YARA rule to detect infection by XOR DDoS malware on your hosts
• 4 steps to remove XOR DDoS malware from a Linux host
An argument (by a Linux fan) against blaming Linux for this botnet
(albeit somewhat "in bad faith", its main line of defence being that anything can fail against brute-force attacks):
The real culprits are the irresponsible vendors behind cheap broadband routers and their clueless customers
The existence of XOR DDoS was already mentioned here in January 2015 by @stephane: http://seenthis.net/messages/327907