XOR DDoS Botnet has Become Capable to Compromise Linux Machines - Akamai

Security experts of security firm Akamai say that cybercriminals have created a botnet competent of 150+ gigabit-per-seconds (Gbps) DDoS or distributed denial of service assault employing XOR DDoS that is a Trojan malware employed to compromise Linux systems.

According to Security Intelligence Response Team (SIRT), ninety percent of the DDoS attacks from XOR DDoS botnet are targeted at organisations in Asia and it launches over 20 attacks per day.

XOR DDoS is a Trojan malware infecting Linux systems which instructs them to carry out DDoS attacks on demand by a remote cybercriminal. Initially, attackers get access by brute force assaults to identify the password to Secure Shell services on a Linux system. Once logged in, attackers are root privileges to run a Bash shell script which downloads and executes the malicious binary.

Securityweek.com published news on 29th September, 2015 quoting Stuart Scholly, Senior Vice President and General Manager of Security Business Unit, Akamai as saying "Over the past year, XOR DDoS botnet has matured and is now capable of being employed to initiate huge DDoS attacks. XOR DDoS is an example of attackers swapping focus and constructing botnets by employing compromised Linux machines to initiate DDoS attacks. This happen much more often these days than in past days when DDoS malware used to attack mainly Windows machines.

Akamai said that the gaming sector has been the top target followed by educational institutions.

The security firm added that they don't have a clear number of systems infected by this malware.

Akamai has seen two attacks which reached almost 179 Gbps and 109 Gpbs using SYN and DNS floods.

According to Akamai, the IP address of the bot is at times tricked but not always.

Akamai says that XOR DDoS malware can be removed in four-step process.

The advisory summarizes two methods to detect the malware.

Scmagazine.com published news on 29th September, 2015 quoting the advisory as saying "To detect this botnet in your network, you can look for the interactions between a bot and its C2 by using the Snort rule. To identify contamination of this malware on your hosts, you can use the YARA rule (also in the advisory)."

» SPAMfighter News - 10/7/2015