Attackers have developed a botnet capable of 150+ gigabit-per-second (Gbps) distributed denial of service (DDoS) attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems. The advisory detailing this new security threat in full comes from Akamai Technologies, a global provider of Content Delivery Network (CDN) services.
XOR DDoS is a Trojan malware that infects Linux systems, instructing them to launch DDoS attacks on demand by a remote attacker. Initially, attackers gain access by brute force attacks to discover the password to Secure Shell services on a Linux machine. Once login has been acquired, the attackers use root privileges to run a Bash shell script that downloads and executes the malicious binary.
The Akamai Security Intelligence Response Team’s research showed that the bandwidth of DDoS attacks coming from the XOR DDoS botnet ranged from low, single-digit Gbps to 150+ Gbps – an extremely large attack size. The most frequent target was the gaming sector, followed by educational institutions. The botnet attacks up to 20 targets per day, 90% of which were in Asia. Of the DDoS attacks from the XOR DDoS botnet Akamai has mitigated, several examples documented on August 22-23 are profiled in the threat advisory. One of the attacks was nearly 179 Gbps, and the other was almost 109 Gbps. Two attack vectors were observed: SYN and DNS floods.
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”
The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent Internet Service Providers (ISPs) from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.
DDoS mitigation of XOR DDoS attacks
The Security Intelligence Response Team’s advisory detailing this threat in full, including DDoS mitigation payload analysis and malware removal information, is available for download at http://www.stateoftheinternet.com/xorddos.
Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
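The following is an added example, not code from the Akamai advisory, showing how static packet characteristics of the kind described above (initial TTL, TCP window size, TCP option layout) can be turned into a matcher, and how the octet-level spoofing described earlier shows up when the matched sources are grouped by /24. The `SIGNATURE` values are placeholders (the real values are published in the advisory), and `SAMPLE` is constructed traffic rather than a capture.

```python
"""Match SYN packets against a static fingerprint (initial TTL, TCP window size,
TCP option layout) and show where the matching sources cluster by /24.

Added example, not part of the Akamai advisory: SIGNATURE holds placeholder
values (the real ones are in the advisory) and SAMPLE is constructed traffic."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str        # TCP flags in tcpdump notation: "S" = SYN, "S." = SYN-ACK
    ttl: int          # IP TTL as seen on the wire
    window: int       # TCP window size
    options: tuple    # TCP option kinds in wire order


# PLACEHOLDER fingerprint (assumption), not the advisory's values.
SIGNATURE = {
    "ttl": 64,
    "window": 65535,
    "options": ("mss", "sackOK", "timestamp", "nop", "wscale"),
}


def matches_signature(pkt, sig=SIGNATURE):
    """True for a bare SYN whose TTL, window and option order all equal the
    fingerprint. Requiring every field together keeps ordinary Linux clients
    (which also send TTL 64) from being flagged on TTL alone."""
    return (
        pkt.flags == "S"
        and pkt.ttl == sig["ttl"]
        and pkt.window == sig["window"]
        and pkt.options == sig["options"]
    )


def flag_packets(packets, sig=SIGNATURE):
    """Return the packets that match the fingerprint."""
    return [p for p in packets if matches_signature(p, sig)]


def cluster_by_prefix(packets, prefixlen=24):
    """Count matching sources per prefix. Sources spoofed only in the third or
    fourth octet land in a few dense /24 or /16 blocks around the infected
    host, which is what the spoofing described in the advisory predicts."""
    counts = Counter()
    for p in packets:
        net = ipaddress.ip_network(f"{p.src}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


SIG_OPTS = SIGNATURE["options"]
# Constructed sample traffic: three spoofed SYNs from one /24, one from another
# /24, a SYN with a different fingerprint, and a SYN-ACK (not a SYN at all).
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "S", 64, 65535, SIG_OPTS),
    Packet("198.51.100.9", "203.0.113.10", "S", 64, 65535, SIG_OPTS),
    Packet("198.51.100.77", "203.0.113.10", "S", 64, 65535, SIG_OPTS),
    Packet("192.0.2.5", "203.0.113.10", "S", 64, 65535, SIG_OPTS),
    Packet("192.0.2.33", "203.0.113.10", "S", 128, 8192, ("mss", "nop", "nop", "sackOK")),
    Packet("198.51.100.9", "203.0.113.10", "S.", 64, 65535, SIG_OPTS),
]


def report(packets=SAMPLE, sig=SIGNATURE):
    """Number of flagged packets and their per-/24 clustering, as a dict."""
    flagged = flag_packets(packets, sig)
    return {"flagged": len(flagged), "by_prefix": dict(cluster_by_prefix(flagged))}


if __name__ == "__main__":
    print(report())
```

The same three fields are what a tcpdump/BPF filter of the kind the advisory ships would test directly on the wire; the Python form is useful for checking a signature against a pcap before committing it to a mitigation device, and the per-prefix count is a quick sanity check that the traffic clusters the way the spoofing description suggests.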
Detect and remove XOR DDoS malware
The presence of XOR DDoS can be detected in two ways, says Akamai Technologies. To detect this botnet in a network, look for communications between a bot and its C2 using a Snort rule provided in the advisory. To detect infection of this malware on a Linux host, the advisory includes a YARA rule that pattern matches strings observed in the binary.
XOR DDoS is persistent – it runs processes that will reinstall the malicious files if they are deleted. Therefore, removing the XOR DDoS malware is a four-step process for which several scripts are provided in the advisory:
- Identify the malicious files in two directories.
- Identify the processes that promote persistence of the main process.
- Kill the malicious processes.
- Delete the malicious files.
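As an added example (not one of the advisory's own scripts), the four steps above can be carried out in the order that defeats the reinstall behaviour: every process running the malicious binary is killed before any file is deleted, and the file list is rebuilt afterwards to catch copies dropped in the meantime. The suspect directories, the filename pattern and the `/proc` root are parameters; the values used in `demo()` are constructed placeholders, not the advisory's indicators.

```python
"""Four-step removal of a persistent, self-reinstalling Linux bot: identify the
files, identify the processes that keep them alive, kill the processes, delete
the files.

Added example, not one of the advisory's scripts. Directories, filename pattern
and /proc root are parameters; demo() uses constructed placeholder values."""
import os
import re
import signal
import tempfile


def find_files(dirs, name_re):
    """Step 1: regular files in the suspect directories whose name matches name_re."""
    rx = re.compile(name_re)
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path) and rx.search(name):
                hits.append(path)
    return hits


def find_processes(files, proc_root="/proc"):
    """Step 2: PIDs whose /proc/<pid>/exe resolves to one of the files. This also
    catches the helper copies that respawn the main process, since they run the
    same binary; a running binary that was already unlinked shows a ' (deleted)'
    suffix in the exe link, which is stripped before comparing."""
    targets = {os.path.realpath(f) for f in files}
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # no permission, kernel thread, or process already gone
        if exe.endswith(" (deleted)"):
            exe = exe[: -len(" (deleted)")]
        if os.path.realpath(exe) in targets:
            pids.append(int(entry))
    return sorted(pids)


def remove_malware(dirs, name_re, proc_root="/proc", kill=os.kill, unlink=os.remove):
    """Steps 3 and 4. All processes get SIGKILL (uncatchable, so no handler can
    respawn a sibling) before any file is removed; the file list is then rebuilt
    so that copies reinstalled in the window are deleted too."""
    files = find_files(dirs, name_re)
    pids = find_processes(files, proc_root)
    for pid in pids:
        try:
            kill(pid, signal.SIGKILL)
        except ProcessLookupError:
            pass  # already exited
    files = find_files(dirs, name_re)
    for path in files:
        unlink(path)
    return {"killed": pids, "deleted": files}


def demo():
    """Run the procedure against a constructed temporary root with a fake /proc
    tree, recording kill calls instead of sending signals."""
    root = tempfile.mkdtemp()
    bot_dir = os.path.join(root, "bot")
    proc = os.path.join(root, "proc")
    os.makedirs(bot_dir)
    os.makedirs(proc)
    bot_bin = os.path.join(bot_dir, "abcdefghij")   # constructed placeholder name
    benign = os.path.join(bot_dir, "README.txt")
    for p in (bot_bin, benign):
        with open(p, "w") as fh:
            fh.write("x")
    # Fake /proc: two bot processes (one whose binary is already unlinked) and one unrelated.
    for pid, exe in ((100, bot_bin), (200, bot_bin + " (deleted)"), (300, "/bin/sh")):
        os.makedirs(os.path.join(proc, str(pid)))
        os.symlink(exe, os.path.join(proc, str(pid), "exe"))
    kills = []
    result = remove_malware([bot_dir], r"^[a-z]{10}$", proc_root=proc,
                            kill=lambda pid, sig: kills.append((pid, int(sig))))
    result["kill_calls"] = kills
    result["remaining"] = sorted(os.listdir(bot_dir))
    return result


if __name__ == "__main__":
    print(demo())
```

Against a live host the defaults (`/proc`, `os.kill`, `os.remove`) apply and the script must run as root; the injected `kill` and `unlink` callables exist so the plan can be rehearsed without touching anything, which is the first thing to do with any removal script before trusting it on a production box.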