Security researchers at one of the world's largest content delivery networks have uncovered a network of infected Linux machines that is attacking gaming and education sites with as much as 150 gigabits per second of malicious traffic, knocking a number of sites offline.
The botnet of infected Linux servers, dubbed XOR DDoS or Xor.DDoS, has been targeting as many as 20 sites per day, according to a security advisory published Tuesday by the content delivery network Akamai Technologies. Roughly 90 percent of the attack traffic originates from Asia. The attackers spoof the bots' source IP addresses so that the attack traffic appears to originate from within the targeted network, which makes it much harder to filter and to stop.
“In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines,” a separate researcher wrote in their analysis of the Xor.DDoS botnet. “The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).”
XOR DDoS infects Linux machines by brute-forcing weak passwords that administrators set to protect the command shell (the SSH login). Once attackers gain access, they use root privileges to run a script that downloads and executes a malicious binary. The infection does not exploit any vulnerability in the Linux operating system itself, so there is no patch that closes it: a host whose root account is protected by a strong password, or that does not accept password logins at all, is not exposed to this vector. Akamai published intrusion-prevention-system signatures for detecting the botnet's traffic alongside instructions for removing the malware from infected hosts.
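Because the infection vector is nothing more than password guessing against the shell login, the two controls a practitioner wants are a way to spot the guessing (and, more importantly, a guess that succeeded) in sshd's own log, and a check that the SSH daemon is not configured to allow it in the first place. The following Python script is an added example written for this article; it is not code from Akamai, from the advisory, or from the researchers quoted here. The log lines and the `sshd_config` fragments it contains are constructed for illustration, the threshold of five failures is an arbitrary choice, and the function names are the author's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
# (or /var/log/secure). They are illustrative only, not taken from the advisory.
SAMPLE_AUTH_LOG = """\
Sep 29 03:14:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 29 03:14:03 web1 sshd[2233]: Failed password for root from 203.0.113.45 port 51236 ssh2
Sep 29 03:14:05 web1 sshd[2235]: Failed password for root from 203.0.113.45 port 51238 ssh2
Sep 29 03:14:07 web1 sshd[2237]: Failed password for root from 203.0.113.45 port 51240 ssh2
Sep 29 03:14:09 web1 sshd[2239]: Failed password for root from 203.0.113.45 port 51242 ssh2
Sep 29 03:14:11 web1 sshd[2241]: Failed password for root from 203.0.113.45 port 51244 ssh2
Sep 29 03:14:20 web1 sshd[2243]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Sep 29 03:15:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Sep 29 03:16:00 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep 29 03:16:02 web1 sshd[2303]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user x from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (outcome, method, user, ip) tuples for every matching line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["outcome"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5):
    """Flag source IPs with at least `threshold` failed password attempts.

    'compromised' is True when the same IP later logs in by password: that is the
    signature of a successful guess, and the host should be treated as owned, not
    merely probed. Key-based logins are ignored because they are not guessable.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = set()
    for outcome, method, user, ip in events:
        if method != "password":
            continue
        if outcome == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures.get(ip, 0) >= threshold:
            compromised.add(ip)
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "compromised": ip in compromised}
        for ip, n in failures.items()
        if n >= threshold
    }


# sshd_config directives that leave root reachable by password guessing.
WEAK_DIRECTIVES = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def audit_sshd_config(text):
    """Return the weak directives present in an sshd_config as (directive, value) pairs."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if WEAK_DIRECTIVES.get(key) == value:
            found.append((parts[0], parts[1].strip()))
    return found


# Constructed before/after fragments of /etc/ssh/sshd_config: the weak setting the
# botnet depends on, and the hardened form that removes the vector entirely.
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On the sample data only 203.0.113.45 crosses the threshold, and because it then authenticates by password the report marks it compromised; the two guesses from 198.51.100.9 stay below the threshold and are not reported. The config audit flags both weak directives in the first fragment and nothing in the hardened one. Running the detector over real logs after the botnet's removal instructions have been followed is a cheap way to confirm the original entry point is closed rather than merely cleaned.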
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager of Akamai’s Security Business Unit, in a statement. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”