XOR: Linux-based botnet pushing 20 attacks a day

In a report released on Tuesday, Akamai has profiled several recent attacks from the XOR botnet, which is capable of DDoS attacks in excess of 150Gpbs. Researchers, after examining the more recent incidents, say that a vast majority of XOR’s targets are organizations in Asia.

Over the past year, explains Akamai’s Stuart Scholly, the XOR botnet has grown and is now capable of being used to stage massive DDoS attacks.

XOR is a Trojan that infects Linux systems. It’s usually installed after an attacker brute forces SSH sessions, or after they’ve compromised the system by targeting a secondary attack surface, such as a vulnerable app or system operator. Once XOR is installed, the system is added to the botnet, where the botmaster will leverage it for on-demand attacks.

XOR, Scholly continued, “is an example of attackers switching focus and building botnets using compromised Linux systems.”

Traditionally, Windows systems were the favorite of botmasters, but criminals have changed with the times.

The explosion of Linux-based networks in the data center have become a prime target, because systems administrators often forget that Linux needs to be maintained too. However, because Linux has a reputation of resiliency, administrators have adopted an “if it isn’t broke” mentality to patching, operations, and maintenance.

Other examples of Linux-based botnets include those managed by the Spike toolkit, as well as the IptabLes and IptabLex malware family.

Akamai’s research (from their SIRT) shows DDoS attacks coming from XOR starting at low, single-digit Gbps attacks, hitting a peak of 150+ Gbps. The most frequent target of the botnet was the gaming sector, followed by educational institutions.

XOR attacks up to 20 targets per day, and 90 percent of them are in Asia. According to the report, one recent attack hit 179Gbps, followed by another that topped out at 109 Gbps. Most of the attacks were SYN and DNS floods.

Indicators of infection:

Execution of the binary on the target operating system requires root privileges. Upon execution, it creates two copies of itself one copy in the /boot directory with a filename composed of 10 random alpha characters, and one copy in /lib/udev with a filename of udev.

To ensure persistence, the malware executes multiple short-lived processes that determine whether the main process is running. If not, it creates and executes a new copy in /boot using a new randomized 10-character name. The process is hidden using common rootkit techniques. Using tools that show running processes, the malware masks itself using the name of a common Linux tool (e.g., top, grep, ls, ifconfig) with an assortment of randomized flags to further blend in on a busy system…

For persistence after reboot, the bot creates a startup script in /etc/init.d directory, using the same filename as the malware dropped in /boot

The full report on XOR from Akamai, which includes YARA rules to detect infection, is available online.

The bottom line, Akamai concludes, if your NOC is running windows, it isn’t bullet proof:

Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns.

A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts.

As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.