Linux-Based Botnet Hits Servers with Powerful DDoS Attacks
In Akamai’s latest “State of the Internet” report, the company released a threat advisory for the Trojan malware, dubbed XOR DDoS, and assigned the threat a risk factor of “high.”
The Trojan was first discovered last September by the Malware Must Die team, a white-hat security working group. The malware hijacks Linux machines to construct a botnet the hackers can use to launch attacks, according to Akamai. Based on the command-and-control IP addresses used by the Trojan and the source addresses of the attack payloads, Akamai has concluded that it originated somewhere in Asia, although the company declined to be more specific.
Definitely Not Fun and Games
So far, XOR DDoS has primarily gone after targets in the gaming industry, with educational organizations also coming under attack. “The botnet has attacked up to 20 targets per day, 90 percent of which were in Asia,” the company said in its threat advisory. “Akamai mitigated two DDoS attacks orchestrated by the XOR DDoS botnet on the weekend of August 22. One of the attacks measured nearly 50 Gbps, and the other was almost 100 Gbps.”
XOR DDoS isn’t the first Trojan to target Linux machines. The Spike DDoS toolkit was able to target both Windows and Linux machines, while the IptabLes and IptabLex malware applications specifically targeted Linux machines by exploiting vulnerabilities in Apache Struts, Tomcat and Elasticsearch. Meanwhile, a heap-based buffer overflow vulnerability in the GNU C library was discovered in Linux earlier this year.
This latest Trojan, along with its predecessors, points to a troubling new development for computer security: the increasing vulnerability of Linux systems to attack. The operating system was once considered a safe alternative to Windows environments, which were once the main targets of malware threats. But as the number of Linux machines has grown, hackers have begun spending more time developing tools to exploit its vulnerabilities.
Keep Your Linux Machine Maintained
Akamai’s Security Intelligence Response Team, which wrote the advisory, said that it expects XOR DDoS activity to continue as attackers refine and perfect their methods. That will likely result in a more diverse selection of DDoS attack types included in future versions of the malware.
But the news isn’t all bad for organizations using Linux environments for their servers. XOR DDoS doesn’t spread by exploiting a host vulnerability. Instead, it propagates via Secure Shell services with weak passwords that are susceptible to brute-force attacks. Once login credentials have been acquired, an attacker uses root privileges to run a Bash shell script that downloads and executes the malicious binary.
As a result, system administrators can protect themselves by strengthening their passwords, which makes their systems less vulnerable to brute-force attacks, and by keeping their Linux environments maintained and up to date.
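As an added illustration (not code from the article or from Akamai’s advisory), the following detector looks for the login pattern described above in sshd log lines: a run of failed password attempts from one source followed by a successful password login from that same source. The log lines, addresses and the threshold of five failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of syslog-style sshd messages; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Aug 22 03:14:01 web1 sshd[2141]: Failed password for root from 198.51.100.7 port 50122 ssh2
Aug 22 03:14:03 web1 sshd[2143]: Failed password for root from 198.51.100.7 port 50130 ssh2
Aug 22 03:14:05 web1 sshd[2145]: Failed password for root from 198.51.100.7 port 50138 ssh2
Aug 22 03:14:07 web1 sshd[2147]: Failed password for root from 198.51.100.7 port 50144 ssh2
Aug 22 03:14:09 web1 sshd[2149]: Failed password for root from 198.51.100.7 port 50151 ssh2
Aug 22 03:14:12 web1 sshd[2151]: Accepted password for root from 198.51.100.7 port 50160 ssh2
Aug 22 03:20:44 web1 sshd[2190]: Accepted publickey for deploy from 203.0.113.5 port 41000 ssh2
Aug 22 03:21:02 web1 sshd[2195]: Failed password for invalid user admin from 192.0.2.33 port 3030 ssh2
"""

# "invalid user" appears when the account does not exist; the regex tolerates both forms.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Only password logins matter here; key-based logins are not part of the brute-force pattern.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")

def analyze(log_text, threshold=5):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: failed_count} for sources with at least `threshold` failures.
    suspicious_logins: [(user, ip)] for password logins accepted from a source that had
    already reached the threshold, i.e. guess-until-it-works followed by a login.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m.group(2), 0) >= threshold:
            suspicious.append((m.group(1), m.group(2)))
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, suspicious

if __name__ == "__main__":
    flagged, suspicious = analyze(SAMPLE_AUTH_LOG)
    for ip, n in flagged.items():
        print(f"brute-force source {ip}: {n} failed password attempts")
    for user, ip in suspicious:
        print(f"ALERT: password login for {user} from {ip} after repeated failures")
```

On a real host the same function can be fed `/var/log/auth.log` or `/var/log/secure`; a hit on `root` is the cue to check for an unexpected shell script and downloaded binary, as the advisory describes.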