XorDdos, a Linux botnet malware, has surged in the last six months, with Microsoft research reporting a 254% increase in its activity.
The trojan derives its name from its denial-of-service attacks on Linux and the XOR-based encryption it uses to communicate with its command-and-control (C2) server; it has been active since 2014.
“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures,” Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team said in an exhaustive deep-dive of the malware.
“Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.”
Attackers gain remote control of vulnerable IoT and other internet-connected devices through secure shell (SSH) brute-force attacks, allowing the malware to form a botnet capable of carrying out distributed denial-of-service (DDoS) attacks.
The malware is built for ARM, x86 and x64 architectures and, once running on a Linux host, can steal sensitive information, install a rootkit, and act as a vector for follow-on activities.
In recent years, XorDdos has targeted unprotected Docker servers with the Docker daemon port (2375) exposed, using the compromised systems to overwhelm a target network or service with bogus traffic and render it inaccessible.
XorDdos emerged as the most prevalent Linux-targeted threat of 2021, according to a CrowdStrike report published this January.
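As an added illustration of the defender's side of the SSH brute-force access described above (example code written for this page, not from the Microsoft report or the malware), the following Python detector parses syslog-style sshd lines and flags a source that produces a burst of failed logins followed by an accepted one. The log lines are constructed, and the year and the 5-failures-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd lines (not taken from the report); the year is assumed for parsing.
SAMPLE_AUTH_LOG = """\
May 18 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51012 ssh2
May 18 10:00:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 51013 ssh2
May 18 10:00:04 host sshd[2102]: Failed password for root from 203.0.113.5 port 51014 ssh2
May 18 10:00:06 host sshd[2103]: Failed password for root from 203.0.113.5 port 51015 ssh2
May 18 10:00:07 host sshd[2104]: Failed password for root from 203.0.113.5 port 51016 ssh2
May 18 10:00:09 host sshd[2105]: Accepted password for root from 203.0.113.5 port 51017 ssh2
May 18 10:05:00 host sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 18 10:30:00 host sshd[2301]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_events(text, year=2022):
    """Parse syslog-style sshd lines into (timestamp, result, user, source_ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with >= threshold failures in any window_s-second span, noting a later success."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        for i in range(len(fails)):
            j = i  # extend the window from failure i as far as window_s allows
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                success = any(r == "Accepted" and ts >= fails[j] for ts, r in evs)
                alerts[ip] = {"failures": j - i + 1, "success_after": success}
                break
    return alerts
```

A source flagged with `success_after` set is the case worth triaging first, since a burst of failures followed by an accepted root login is the pattern the researchers describe.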
“XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy,” the researchers noted.
“Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”