Cybercrooks have built a network of compromised Linux servers capable of blowing websites and other systems off the internet with at least 150Gbps of junk traffic.
The XOR Distributed Denial of Service (DDoS) botnet is launching 20 attacks a day from compromised machines, according to Akamai. Ninety per cent of the attacks from the malware-infected computers are being thrown against organizations in Asia. The most frequent target is the gaming sector, followed by educational institutions.
The botnet's malware installs a backdoor in compromised systems that puts them under the control of the network's criminal masterminds. Initially, attackers gain root access by brute-forcing a machine's SSH service; disabling root login over SSH, or using a very strong password, will defeat this.
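The two defensive checks that follow from the SSH brute-force step are shown below as an added example (my code, not the article's or Akamai's): a parser for OpenSSH's standard auth-log messages that flags sources hammering password logins and any root password login that follows such a burst, and an audit of the two sshd_config keywords the mitigation relies on (PermitRootLogin and PasswordAuthentication). The log lines and both configuration snippets are constructed; the sshd defaults quoted in comments are OpenSSH's compiled-in ones, and Match blocks are deliberately not handled.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines in OpenSSH's usual message format
# (not taken from the article or from Akamai's advisory).
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:01:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 29 10:01:06 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Sep 29 10:01:09 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Sep 29 10:01:12 web1 sshd[2209]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Sep 29 10:02:00 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Sep 29 10:03:00 web1 sshd[2213]: Failed password for alice from 198.51.100.9 port 40100 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user X from ...".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict (result, method, user, ip) per recognised sshd authentication line."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]


def find_ssh_brute_force(text, threshold=3):
    """Sources with at least `threshold` failed password attempts, and which of them then
    obtained a root shell by password (the pattern the article describes)."""
    events = parse_auth_log(text)
    failures = Counter(e["ip"] for e in events
                       if e["result"] == "Failed" and e["method"] == "password")
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    compromised = sorted({e["ip"] for e in events
                          if e["result"] == "Accepted" and e["method"] == "password"
                          and e["user"] == "root" and e["ip"] in suspects})
    return suspects, compromised


# Constructed sshd_config fragments: the weak setup the brute-force needs, and the hardened one.
WEAK_CONFIG = """
# root may log in with a password straight from the network
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(config_text):
    """Findings for the two keywords the mitigation depends on. Like sshd, the first
    occurrence of a keyword wins; Match blocks are not evaluated here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    # OpenSSH 7.0+ default is prohibit-password; older builds and some distros ship "yes".
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced over SSH; set no or prohibit-password")
    # sshd default is yes, so an absent keyword still means passwords are accepted.
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: prefer key-only logins and set it to no")
    return findings


if __name__ == "__main__":
    suspects, compromised = find_ssh_brute_force(SAMPLE_AUTH_LOG)
    print("sources over threshold:", suspects)
    print("root password login after a burst of failures:", compromised)
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run against a real auth.log, the `compromised` list is the one to act on first: a root password login from a source that had just been failing repeatedly is exactly the foothold the script described in the article needs, and the host should be treated as owned rather than merely probed.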
Once a root login has been acquired, the attackers use their root privileges to run a bash shell script that downloads and executes the malicious binary. Thereafter, hackers can use compromised systems as a platform to flood targets with either junk SYN or DNS traffic. The bot's source IP address in that attack traffic is sometimes spoofed, but not always, according to Akamai.
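From the target's side, the two flood types named above leave distinct signatures in traffic summaries. The added example below (my code, not from the article or Akamai) builds a constructed set of packet summaries, a few legitimate TCP handshakes plus a SYN flood and a UDP/53 flood, and runs simple per-destination detectors over them: a sliding-window rate for SYNs and DNS packets, and, for TCP, the fraction of SYN sources that never complete the handshake, which is the pattern a spoofed SYN flood leaves. The thresholds and address ranges are assumptions, chosen for the sample.

```python
from collections import defaultdict

# Constructed packet summaries: (timestamp_s, src_ip, dst_ip, proto, detail).
# For TCP, detail is the flag string ("S" = SYN only, "SA" = SYN-ACK, "A" = bare ACK);
# for UDP it is the destination port. Addresses come from documentation/benchmark ranges.
def build_sample_packets():
    pkts = []
    server, resolver = "192.0.2.10", "192.0.2.53"
    # Five legitimate clients complete a TCP handshake with the web server.
    for i in range(5):
        src, t = f"198.51.100.{i + 1}", 0.1 * i
        pkts.append((t, src, server, "tcp", "S"))
        pkts.append((t + 0.01, server, src, "tcp", "SA"))
        pkts.append((t + 0.02, src, server, "tcp", "A"))
    # SYN flood: 300 SYNs within one second, each from a different (spoofed-looking)
    # source, none of which ever answers the SYN-ACK.
    for i in range(300):
        pkts.append((1.0 + i / 300, f"198.18.{i // 256}.{i % 256}", server, "tcp", "S"))
    # DNS flood: 150 UDP/53 packets hitting the resolver within half a second.
    for i in range(150):
        pkts.append((2.0 + i / 300, f"198.18.5.{i % 150}", resolver, "udp", 53))
    return pkts


def max_in_window(timestamps, window):
    """Largest number of events whose timestamps fall within any `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_floods(packets, window=1.0, syn_threshold=100, dns_threshold=100):
    """Per-destination flood indicators; returns {dst: finding} for destinations over threshold."""
    syn_by_dst = defaultdict(list)      # dst -> [(ts, src)] for SYN-only packets
    ack_srcs_by_dst = defaultdict(set)  # dst -> sources that sent a bare ACK (handshake done)
    dns_by_dst = defaultdict(list)      # dst -> [ts] for UDP/53 packets
    for ts, src, dst, proto, detail in packets:
        if proto == "tcp" and detail == "S":
            syn_by_dst[dst].append((ts, src))
        elif proto == "tcp" and detail == "A":
            ack_srcs_by_dst[dst].add(src)
        elif proto == "udp" and detail == 53:
            dns_by_dst[dst].append(ts)

    findings = {}
    for dst, syns in syn_by_dst.items():
        peak = max_in_window([t for t, _ in syns], window)
        if peak < syn_threshold:
            continue
        syn_srcs = {s for _, s in syns}
        half_open = syn_srcs - ack_srcs_by_dst[dst]   # sent SYN, never finished the handshake
        frac = len(half_open) / len(syn_srcs)
        findings[dst] = {
            "type": "syn_flood",
            "peak_syns_per_window": peak,
            "unique_sources": len(syn_srcs),
            "half_open_fraction": round(frac, 3),
            # many distinct sources that never complete the handshake: consistent with
            # spoofed source addresses, which the article notes the bots sometimes use
            "spoofing_suspected": frac > 0.9,
        }
    for dst, stamps in dns_by_dst.items():
        peak = max_in_window(stamps, window)
        if peak >= dns_threshold:
            findings[dst] = {"type": "dns_flood", "peak_packets_per_window": peak}
    return findings


if __name__ == "__main__":
    for dst, finding in detect_floods(build_sample_packets()).items():
        print(dst, finding)
```

The half-open fraction is the useful discriminator: a busy but legitimate server also sees many distinct sources, but nearly all of them go on to complete the handshake, whereas a SYN flood from spoofed addresses leaves almost every source half-open. In production the same logic is usually run over flow records or a SYN-cookie counter rather than a packet list, but the indicators are the ones shown here.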
The bandwidth of DDoS attacks ranged from single-digit Gbps to 179Gbps, a huge attack volume. The biggest recorded DDoS attacks have hit 400Gbps.
"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," said Stuart Scholly, senior vice president and general manager of the security business unit, Akamai. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."
More about the threat, malware removal, and DDoS mitigation techniques can be found in a threat advisory by Akamai here. ®