Microsoft has raised the alarm about DDoS malware called XorDdos that targets Linux endpoints and servers.
The Trojan was first discovered in 2014 by security research group MalwareMustDie, and is named for its use of XOR-based encryption and the fact that it assembles botnets to carry out distributed denial of service attacks. Over the past six months, Microsoft threat researchers say they have seen a 254% rise in the malware's activity.
“XorDdos visualizes the trend of malware increasingly targeting Linux-based operating systems, commonly deployed on cloud infrastructures and Internet of Things (IoT) devices,” Redmond warned.
To illustrate this trend, Redmond points out that over XorDdos's eight-year reign of terror, it has infected a whopping (checks Microsoft's numbers)… nope, we have no idea how many devices it has infected. The blog does not say. It also gives no baseline for the 254 percent increase. Microsoft said it won't have those figures for us until the middle of next week.
To be clear: we do not underestimate the disruptive nature of DDoS attacks, which, as we've seen in recent months, can be weaponized by rogue states and other miscreants to knock government agencies and businesses offline. And when these botnets disrupt websites that provide news and public service information in combat zones, DDoS activity becomes even more dangerous.
“DDoS attacks themselves can be very problematic for many reasons, but such attacks can also be used as cover to disguise further malicious activities, such as spreading malware and hacking target systems,” wrote the Microsoft 365 Defender Research Team.
We wholeheartedly agree.
But you know what’s just as dangerous as bots on Linux? Windows botnets.
Take, for example, the Purple Fox malware targeting Windows devices, which was first discovered in 2018.
Guardicore security researchers recently blogged about how the malicious activity of this botnet has jumped 600 percent since May 2020, infecting more than 90,000 devices in the last year alone. But Microsoft did not blog about that.
To be fair, the Microsoft Security Intelligence team did issue a warning this week about a new variant of the Sysrv Monero-mining botnet that targets Linux and Windows systems.
But from where we're sitting, Redmond certainly seems to take a lot more joy in Linux bashing than in, say, looking in the mirror at its own flaws.
How XorDdos evades detection
In its new blog post about XorDdos, Microsoft said the malware uses Secure Shell (SSH) brute-force attacks to take over target devices. Once a valid set of root credentials is found, it uses one of two methods for initial access, both of which run a malicious ELF file: the XorDdos malware itself.
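The SSH brute-force stage described above is the one a defender can see in plain sight in `/var/log/auth.log`. The following added example (not part of the original article or of Microsoft's report) parses sshd log lines and raises two alerts: a burst of failed logins from one source address, and the more important case, a successful login from an address that was just brute-forcing. The log lines, the threshold, the window size and the IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# They are made up for this example; 203.0.113.x / 198.51.100.x are documentation addresses.
SAMPLE_AUTH_LOG = """\
May 18 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
May 18 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
May 18 10:00:04 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
May 18 10:00:06 host sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
May 18 10:00:07 host sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
May 18 10:00:09 host sshd[2006]: Accepted password for root from 203.0.113.7 port 40006 ssh2
May 18 10:05:00 host sshd[2100]: Failed password for alice from 198.51.100.4 port 50001 ssh2
May 18 10:20:00 host sshd[2101]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
"""

# Matches both "Failed password for root from ..." and "Accepted publickey for alice from ...";
# the optional "invalid user " prefix appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2022):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    syslog timestamps carry no year, so the caller supplies one (assumed 2022 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector keyed on source IP.

    Emits a 'bruteforce' alert when `threshold` failures land inside `window_seconds`,
    and a 'success_after_bruteforce' alert when an Accepted login follows such a burst,
    which is the moment a credential-guessing attack has actually paid off.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:   # fire once per burst, not on every extra failure
                alerts.append({"kind": "bruteforce", "ip": ev["ip"], "user": ev["user"],
                               "ts": ev["ts"], "failures": len(q)})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "method": ev["method"],
                               "ts": ev["ts"], "failures": len(q)})
            q.clear()                 # a successful login ends the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

Tune `threshold` and `window_seconds` to the host's normal login noise; the second alert kind is the one worth paging on, since a single accepted root password login after a burst of failures is exactly the foothold the article describes. Disabling password authentication for root in `sshd_config` removes the attack surface entirely.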
The binary is written in C/C++ and its code is modular, according to the research team. It uses several specific techniques to avoid detection.
As mentioned above, one of them is XOR-based encryption to hide data. XorDdos also runs as a daemon process, that is, a process that runs in the background, to break process tree-based analysis. The malware also uses a kernel rootkit to hide its processes and ports, which helps it evade rule-based detection.
In addition, the stealthy malware uses several persistence mechanisms tailored to different Linux distributions, so it is good at infecting a range of systems.
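A rootkit that hides processes from `/proc` can often still be caught by a cross-view check: enumerate what `/proc` shows, then probe every possible PID through a different kernel path and report the ones that answer but were never listed. The example below is added here and is not code from the article or from Microsoft; it uses `kill(pid, 0)` as the second view, which only works against rootkits that filter the `/proc` listing without also hooking the `kill` syscall. The `pid_max` value and the sets in the usage at the bottom are constructed for illustration.

```python
import os


def hidden_pids(visible, probe_alive, pid_max):
    """Cross-view comparison: PIDs that `probe_alive` says exist but `visible` did not list.
    Pure function so it can be exercised with constructed inputs."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in visible and probe_alive(pid))


def procfs_pids():
    """View 1: the process list as /proc presents it (what ps/top rely on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def kill0_alive(pid):
    """View 2: signal 0 delivers nothing but tells us whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but belongs to another user
    return True


def read_pid_max(default=32768):
    """Upper bound of the PID space; falls back to the classic default if unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


def check_live_system():
    """Run the cross-view check on this host. Processes that start between the two
    snapshots would look 'hidden', so a second /proc listing filters those out."""
    before = procfs_pids()
    candidates = hidden_pids(before, kill0_alive, read_pid_max())
    after = procfs_pids()
    return [pid for pid in candidates if pid not in after]


if __name__ == "__main__":
    # Constructed demonstration: PID 4242 answers to kill(0) but is missing from the listing.
    listed = {1, 2, 100}
    really_alive = {1, 2, 100, 4242}
    print(hidden_pids(listed, lambda p: p in really_alive, pid_max=5000))   # [4242]
    if os.path.isdir("/proc"):
        print("hidden on this host:", check_live_system())
```

Run it as root so `kill(0)` is not refused for other users' processes (the code treats `EPERM` as "exists" anyway). A clean result does not prove the absence of a rootkit, only that this particular hiding trick is not in use; the same idea applied to `/proc/net/tcp` versus a bind() probe covers the hidden listening ports the article mentions.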
Redmond noted in the blog that “XorDdos and other threats targeting Linux machines underline the importance of security solutions with comprehensive capabilities and full visibility across multiple Linux distributions.”
And guess who happens to sell those security solutions? ®