Researchers for the Security Intelligence Response Team at Akamai on Tuesday issued a high-risk threat advisory for XOR DDoS proliferation.

The XOR DDoS Trojan is used to hijack Linux servers to build a botnet for distributed denial-of-service attacks with SYN and DNS floods, researchers tracking the malware said.

The massive Linux-based botnet, which they discovered last year, can take down websites under a flood of DDoS traffic exceeding 150 Gbps using heavy volumes of junk network traffic.

The malware compromises Linux systems using network routers and other embedded devices to apply brute-force attacks to gain Secure Shell access, Akamai SIRT said.

“How severe is the risk? The risk for infection depends on if root authentication is enabled using a weak password,” said Tsvetelin “Vincent” Choranov, security response engineer at Akamai SIRT.

“Though this process has been widely spoken about, the XOR DDoS botnet is a prime example of how security best practices are still being disregarded,” he told LinuxInsider.

Attack Vectors

The bandwidth of the DDoS attacks from the XOR DDoS botnet ranges from a few gigabits per second to more than 150 Gbps, Akamai SIRT said. It attacks up to 20 targets per day, mostly gaming websites and educational institutions.

Akamai SIRT mitigated two DDoS attacks orchestrated by the XOR DDoS botnet in August. One of the attacks measured nearly 50 Gbps, and the other was almost 100 Gbps, researchers said.

The malware’s origin is Asian, based on the command-and-control IP addresses and source IP addresses of the attack payloads, according to Akamai SIRT. About 90 percent of the attacks have occurred in Asia.

News of the XOR DDoS Secure Shell login vector used to distribute malware is especially troubling since the attacks come on the heels of a series of high-profile hacks and breaches caused by insufficiently secured credentials, said Matthew McKenna, chief commercial officer for SSH Communications Security.

“The explosion of IoT-style devices is only broadening the attack surface further,” he told LinuxInsider.

How It Works

The botnet’s attack methods are pretty significant. It spreads by using SSH brute force as its point of entry, then executes commands to download itself to a computer, said Tom Gorup, security operations leader at Rook Security.

“If the password is long and complex or PEM (Privacy Enhanced Mail) keys are being used, the chances of infection are low. This reinforces best practices,” he told LinuxInsider.

The malware doesn’t spread via a host vulnerability. Instead, it populates via Secure Shell services that are susceptible to brute-force attacks because of weak passwords, Akamai SIRT’s researchers said. Once the attackers gain login credentials, they use root privileges to run a Bash shell script that downloads and executes the malicious binary.

Persistent Perp

The malicious binary code creates two copies of itself. One is in the /boot directory with a filename composed of 10 random alpha characters. The second copy is in /lib/udev with a filename of “udev.”

The copy in /boot allows reading, writing and execution. The copy in /lib/udev only has read permissions. Only the root user only can access both copies.

To ensure persistence, the malware executes multiple short-lived processes. That determines whether the main process is running. If not, it creates and executes a new copy in /boot using a new randomized 10-character name.

That process is hidden using common rootkit techniques. Using tools that show running processes, the malware masks itself using the name of a common Linux tool such as “top,” “grep,” “ls” or “ifconfig,” with an assortment of randomized flags to further blend in on a busy system.

Persistence is maintained after reboot. The bot creates a startup script in /etc/init.d directory using the same filename as the malware dropped in /boot.

Risk Factors

The primary risk from an XOR DDoS attack is being taken offline, noted Akamai SIRT’s Choranov.

Another concern is the availability of computing resources, said Rook Security’s Gorup.

This type of cyberattack is so successful largely because of careless password management, according to Brad Hibbert, chief technology officer at BeyondTrust. To simplify administration, many IT teams use the same local password across multiple servers, service accounts and applications and rarely, if ever, change them en masse.

“This problem can lead to a variety of malicious activities and can result in an increased success rate for these types of brute-force attacks,” he told LinuxInsider.

IT departments often ignore the type of help already available to mitigate DDoS attacks, said Jim McMurry, CEO of Milton Security Group.

“DDoS is the bane of the Internet. There are whole businesses out there to help you mitigate these types of risk. If your Web presence is not behind a service like these, then you need to move to one immediately if you want your Web presence to stay operational,” he told LinuxInsider.

Prevention Better Than Fix

Several cloud or on-site DDoS mitigation solutions can protect an organization from the damage this botnet can potentially cause.

Akamai SIRT included recommended remediations for malware infection and detection against the DDoS attack payloads in its advisory, said Choranov.

“We recommend network assessments to be conducted regularly, as well as constant monitoring of network traffic and the implementation of strong security policies,” he said.

Companies should purchase redundant connections or get a DoS protection provider to ensure that actions can be taken outside of their networks, added Rook Security’s Gorup.

Plus, companies need to be careful when relying on firewalls as a method of blocking these types of attacks, he said. “Most companies see availability as the highest concern and therefore fail over if the firewall gets overutilized.”

Unfortunately for a website chosen as a target of the botnet, defending against DDoS attacks can be difficult.

The sheer size of the botnet can overwhelm most high-speed Internet connections, and it may require the cooperation of multiple network operators and service providers to mitigate a DDoS attack launched by the botnet, said Patrick Tiquet, director of network security and architecture for Keeper Security.

“Sites with network devices or firewalls that can recognize and mitigate against a DDoS attack have a better chance at weathering an attack without requiring outside assistance,” he told LinuxInsider.

Passwords Prevent Problems

To reduce exposure to this malware, Linux administrators should ensure that all passwords are complex and unique.

Remote SSH logins should be restricted by a firewall to only those IP addresses that are authorized to access, added Tiquet. If remote SSH is not required, the service should be blocked and disabled.

“It also is recommended that Linux administrators enable for interactive remote SSH logins a two-factor authentication mechanism, such as Google Authenticator, which is available as an optional package for many popular Linux distributions,” he said. “Additionally, Linux administrators should scan their systems regularly for malware.”