Linux botnet attacks increase in scale

Linux-targeting malware family is a "high" risk, warn security researchers.
Written by Danny Palmer, Senior Writer


Hackers are using malware that targets Linux to build botnets for launching distributed denial of service (DDoS) attacks, security researchers have warned.

The so-called BillGates Trojan botnet family of malware - apparently so named by the virus writers because it targets machines running Linux, not Windows - has been labelled with a "high" risk factor in a threat advisory issued by Akamai's Security Intelligence Research Team.

Akamai said the biggest attack to date using such a botnet occurred towards the end of 2015.

"The biggest attack campaign observed, including malicious traffic from the BillGates botnet along with other various attack vectors, was on December 30, 2015 and had a well-distributed peak bandwidth of about 308 Gbps across our scrubbing centers," the advisory said, and Akamai warns that the power of the attacks is on the rise - which is why the malware has been given a "high" risk factor.

It said these botnets have grown significantly and are now large enough to launch attacks exceeding 100Gbps of "attack traffic", and that they are also used in conjunction with other DDoS attack frameworks.

According to Akamai, the rise in these botnets follows the takedown of the XOR botnet, because "malware actors began using different means and/or different botnets to continue their onslaught of attacks directed at the same primary group of targets".

"This awareness of activity observed by Akamai over the last 6 months has warranted the release of this advisory," the advisory said.

Akamai warns that the botnets are using a variety of attack vectors - including ICMP flood, TCP flood, UDP flood, SYN flood, HTTP flood, and DNS query-of-reflection flood - to overwhelm targets with sheer traffic volume, in a method similar to that of the XOR botnet, which is of Asian origin.

Once the malware has infected a system, it is capable of performing a number of different attack functions, including launching DDoS attacks - with SYN and DNS floods used most frequently - opening ports and services on the infected host, and potentially taking full control of it, so that the compromised machine can in turn be used to launch further attacks in a vicious cycle.
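The two flood types the advisory singles out, SYN floods and DNS floods, leave a recognisable signature in flow records at the victim's border: a burst of half-open handshakes (SYN-only flows) from many sources against one target, or a burst of UDP/53 query packets from many sources against one resolver. The detector below is an added example written for this page, not code from Akamai or from the article; the flow-record format, the sample traffic, and the thresholds are all constructed for illustration and would need tuning against real baselines.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow record fields (constructed, loosely NetFlow-like, one flow per line):
#   unix_ts  src_ip  dst_ip  proto  dst_port  tcp_flags ("-" for non-TCP)  packets
Flow = Tuple[int, str, str, str, int, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, flags, pkts = line.split()
        flows.append((int(ts), src, dst, proto, int(dport), flags, int(pkts)))
    return flows


def syn_flood_targets(flows: List[Flow], window: int = 60, min_syn: int = 50,
                      min_sources: int = 20) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Return {(dst_ip, dst_port): (syn_only_flows, distinct_sources)} for targets that
    receive, within one `window`-second bucket, at least `min_syn` SYN-only flows from
    at least `min_sources` distinct sources.

    A flow whose only TCP flag is SYN is a handshake that never completed; a legitimate
    client's flow carries ACK/PSH flags as well. Many such flows from many addresses in
    one bucket is the shape of a SYN flood (bot or spoofed sources)."""
    buckets: Dict[Tuple[int, str, int], List[str]] = defaultdict(list)
    for ts, src, dst, proto, dport, flags, _pkts in flows:
        if proto == "tcp" and flags == "S":
            buckets[(ts // window, dst, dport)].append(src)
    hits: Dict[Tuple[str, int], Tuple[int, int]] = {}
    for (_, dst, dport), srcs in buckets.items():
        n, distinct = len(srcs), len(set(srcs))
        if n >= min_syn and distinct >= min_sources:
            hits[(dst, dport)] = max(hits.get((dst, dport), (0, 0)), (n, distinct))
    return hits


def dns_flood_targets(flows: List[Flow], window: int = 60, min_pkts: int = 500,
                      min_sources: int = 20) -> Dict[str, Tuple[int, int]]:
    """Return {dst_ip: (query_packets, distinct_sources)} for resolvers that receive at
    least `min_pkts` UDP/53 packets from at least `min_sources` sources in one bucket."""
    buckets: Dict[Tuple[int, str], list] = defaultdict(lambda: [0, set()])
    for ts, src, dst, proto, dport, _flags, pkts in flows:
        if proto == "udp" and dport == 53:
            bucket = buckets[(ts // window, dst)]
            bucket[0] += pkts
            bucket[1].add(src)
    hits: Dict[str, Tuple[int, int]] = {}
    for (_, dst), (n, srcs) in buckets.items():
        if n >= min_pkts and len(srcs) >= min_sources:
            hits[dst] = max(hits.get(dst, (0, 0)), (n, len(srcs)))
    return hits


def build_sample() -> str:
    """Constructed flow log: a little legitimate traffic, then a one-minute SYN flood
    against 203.0.113.10:80 from 100 bot addresses and a DNS query flood against the
    resolver 203.0.113.53 from 40 bots. All addresses are from documentation ranges."""
    lines = [
        "# ts src dst proto dport flags pkts",
        "1451433600 198.51.100.7 203.0.113.10 tcp 80 SPA 12",    # normal web session
        "1451433601 198.51.100.8 203.0.113.10 tcp 443 SPAF 40",
        "1451433602 198.51.100.9 203.0.113.53 udp 53 - 3",        # normal DNS lookups
    ]
    for i in range(100):  # SYN flood: one SYN per bot, no follow-up packets
        lines.append(f"{1451433600 + i % 60} 192.0.2.{i + 1} 203.0.113.10 tcp 80 S 1")
    for i in range(40):   # DNS flood: 25 queries per bot within the same minute
        lines.append(f"{1451433600 + i} 192.0.2.{200 + i} 203.0.113.53 udp 53 - 25")
    return "\n".join(lines)


def analyse(text: str):
    flows = parse_flows(text)
    return syn_flood_targets(flows), dns_flood_targets(flows)


if __name__ == "__main__":
    syn, dns = analyse(build_sample())
    for (dst, port), (n, srcs) in syn.items():
        print(f"SYN flood: {dst}:{port} received {n} SYN-only flows from {srcs} sources")
    for dst, (n, srcs) in dns.items():
        print(f"DNS flood: {dst} received {n} query packets from {srcs} sources")
```

The bucket-and-threshold approach is deliberately simple: it catches the "more than 100Gbps" volumetric shape the advisory describes but not a slow, low-rate SYN trickle, and it ignores the reflection variant (responses arriving from port 53 at a target that never sent queries), which needs the reverse of the DNS rule. In production the thresholds should come from a per-target baseline rather than fixed constants.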
