EITHER/XOR

Security researchers have uncovered a network of infected Linux computers that's flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," a separate writeup on the botnet explained. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."

XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware.

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."