Skip links

Microsoft sounds the alarm on — wait for it — a Linux botnet

Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers.

The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that is amasses botnets to carry out distributed denial-of-service attacks. Over the last six months, Microsoft threat researchers say they’ve witnessed a 254 percent spike in the malware’s activity. 

“XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices,” Redmond warned

And to illustrate this trend, Redmond noted that over the course of the XorDdos malware’s 8-year reign of terror, it has hit a whopping — checks Microsoft’s numbers — err, we have no idea how many devices it has infected. The blog doesn’t say. It also doesn’t give any baseline for the 254 percent increase. And Microsoft said it wouldn’t have them until the middle of next week.  

To be clear: we are not minimizing the disruptive nature of DDoS attacks, which, as we’ve seen in recent months, can be weaponized by rogue nations and other miscreants to knock government agencies and businesses offline. And when these botnets disrupt websites providing news and public services information in combat zones, DDoS activity becomes even more dangerous.

“DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems,” the Microsoft 365 Defender Research Team wrote. 

We wholeheartedly agree. 

But you know what else is equally dangerous as Linux botnets? Windows botnets.

Take the Windows-device-targeting Purple Fox malware, for example, which was also discovered in 2018.

Guardicore security researchers recently wrote about how this botnet’s malicious activity has jumped 600 percent since May 2020, and infected more than 90,000 devices in the past year alone. But Microsoft didn’t blog about this one.

To be fair, Microsoft’s Security Intelligence team this week did warn about a new variant of the Sysrv moreno-mining botnet that targets both Linux and Windows systems.

But from where we sit, it definitely appears that Redmond finds a whole lot more joy in bashing Linux than, say, looking in the mirror at its own flaws.

How XorDdos evades detection

In the new blog about XorDdos, Microsoft noted that the malware uses secure shell (SSH) brute force attacks to gain control on target devices. Once it successfully finds the right root credential combination, it uses one of two methods for initial access, both of which result in running a malicious ELF file — the XorDdos malware.

The binary is programmed in C/C++ and its code is modular, according to the research team. And it uses specific functionalities to evade detection. 

As noted above, one of these is XOR-based encryption to obfuscate data. Additionally, XorDdos uses daemon processes — these are processes running in the background — to break process tree-based analysis. The malware also uses its kernel rootkit component to hide its processes and ports, thus helping it evade rule-based detection.

Additionally, the stealthy malware uses several persistence mechanisms to support different Linux distributions, so it’s good at infecting a range of different systems.

“XorDdos and other threats targeting Linux devices emphasize how crucial it is to have security solutions with comprehensive capabilities and complete visibility spanning numerous distributions of Linux operating systems,” Redmond noted in the blog. 

And guess who just happens to sell said security solutions? ®