Microsoft: This botnet is growing fast and hunting for servers with weak passwords

Protect your Linux servers from XorDdos, a botnet scanning the internet for SSH servers with weak passwords, Microsoft warns.
Written by Liam Tung, Contributing Writer

Microsoft has seen a 254% increase in activity over the past few months from XorDDoS, a roughly eight-year-old network of infected Linux machines that is used for distributed denial of service (DDoS) attacks.  

XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration.

Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure. 

SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systems

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. 

"We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes

XorDDoS was one of the most active Linux-based malware families of 2021, according to Crowdstrike. The malware has thrived off the growth of Internet of Things (IoT) devices, which mostly run on variants of Linux, but it has also targeted misconfigured Docker clusters in the cloud. Other top malware families targeting IoT devices include Mirai and Mozi. 

Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities.

XorDdos can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte. 

"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions," Microsoft notes.    

The XorDdos payload Microsoft analyzed is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft notes XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is shutdown. 

SEE: Just in time? Bosses are finally waking up to the cybersecurity threat

But the malware can automatically relaunch when a system is restarted thanks to several scripts and commands that cause it to automatically run when a system boots. 

XorDdoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks. 

It collects characteristics about an infected device, including the magic string, OS release version, malware version, rootkit presence, memory stats, CPU information, and LAN speed, which are encrypted and then sent to the C2 server. 

Editorial standards