Microsoft sounds the alarm on – wait for it – a Linux botnet

Redmond claims the numbers are scary, but won't release them


Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers.

The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that it amasses botnets to carry out distributed denial-of-service (DDoS) attacks. Over the last six months, Microsoft threat researchers say they've witnessed a 254 percent spike in the malware's activity.

"XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices," Redmond warned.

And to illustrate this trend, Redmond noted that over the course of the XorDdos malware's 8-year reign of terror, it has hit a whopping (checks Microsoft's numbers)... err, we have no idea how many devices it has infected. The blog doesn't say. It also doesn't give any baseline for the 254 percent increase. And Microsoft said it wouldn't have them until the middle of next week.  

To be clear: we are not minimizing the disruptive nature of DDoS attacks, which, as we've seen in recent months, can be weaponized by rogue nations and other miscreants to knock government agencies and businesses offline. And when these botnets disrupt websites providing news and public services information in combat zones, DDoS activity becomes even more dangerous.

"DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems," the Microsoft 365 Defender Research Team wrote. 

We wholeheartedly agree. 

But you know what else is just as dangerous as Linux botnets? Windows botnets.

Take the Windows-device-targeting Purple Fox malware, for example, which was first discovered in 2018.

Guardicore security researchers recently wrote about how this botnet's malicious activity has jumped 600 percent since May 2020, and infected more than 90,000 devices in the past year alone. But Microsoft didn't blog about this one.

To be fair, Microsoft's Security Intelligence team this week did warn about a new variant of the Sysrv Monero-mining botnet that targets both Linux and Windows systems.

But from where we sit, it definitely appears that Redmond finds a whole lot more joy in bashing Linux than, say, looking in the mirror at its own flaws.

How XorDdos evades detection

In the new blog about XorDdos, Microsoft noted that the malware uses secure shell (SSH) brute-force attacks to gain control of target devices. Once it guesses a working root credential, it uses one of two methods for initial access, both of which end with a malicious ELF file – the XorDdos malware – running on the box.
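That access path leaves a very loud trace in sshd's log, so the check a defender wants is a simple one: bursts of failed root logins from one source, and whether an accepted login from the same source followed them. The script below is an added example written for this article, not code from Microsoft's blog or from XorDdos; the auth.log lines in it are constructed for the demo (the year is assumed, since syslog timestamps carry none), and the threshold and window are arbitrary starting points you would tune to your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt in OpenSSH's syslog format. These lines
# are made up for this example; they are not a capture from a real infection.
SAMPLE_AUTH_LOG = """\
May 19 10:00:01 web01 sshd[2011]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 19 10:00:03 web01 sshd[2013]: Failed password for root from 198.51.100.7 port 40124 ssh2
May 19 10:00:04 web01 sshd[2015]: Failed password for invalid user admin from 198.51.100.7 port 40126 ssh2
May 19 10:00:06 web01 sshd[2017]: Failed password for root from 198.51.100.7 port 40128 ssh2
May 19 10:00:07 web01 sshd[2019]: Failed password for root from 198.51.100.7 port 40130 ssh2
May 19 10:00:09 web01 sshd[2021]: Accepted password for root from 198.51.100.7 port 40132 ssh2
May 19 10:05:00 web01 sshd[2040]: Failed password for alice from 203.0.113.9 port 51000 ssh2
May 19 10:30:00 web01 sshd[2050]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
"""

# One regex covers both outcomes sshd logs for password and publickey attempts,
# including the "invalid user" form used for names that do not exist locally.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2022):
    """Parse one sshd auth line into a dict, or None if it is not an auth event.

    Syslog timestamps carry no year, so the caller supplies one (an assumption
    of this example)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside window_seconds.

    For each flagged IP the alert also records whether an 'Accepted' login from
    the same IP followed the burst, i.e. a guess that eventually worked, which
    is the case worth paging someone for."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Slide a window over the failures; the first window that reaches the
        # threshold produces the one alert for this IP.
        for i in range(len(fails)):
            j = i
            while (j < len(fails)
                   and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i >= threshold:
                burst = fails[i:j]
                last = burst[-1]["ts"]
                accepted = next((e for e in evs
                                 if e["result"] == "Accepted" and e["ts"] >= last), None)
                alerts.append({
                    "ip": ip,
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "first": burst[0]["ts"].isoformat(),
                    "last": last.isoformat(),
                    "accepted_after": accepted["user"] if accepted else None,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data this yields one alert: five failures from 198.51.100.7 against root and admin in eight seconds, followed by an accepted password login as root. The single failure from 203.0.113.9 stays below the threshold. Feeding it a real `/var/log/auth.log` (or `journalctl -u ssh`) is a one-line change; the more durable fix is password-less root over SSH, which turns this whole initial-access step into noise.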

The binary is programmed in C/C++ and its code is modular, according to the research team. And it uses specific functionalities to evade detection. 

As noted above, one of these is XOR-based encryption to obfuscate data. Additionally, XorDdos uses daemon processes – background processes detached from whatever launched them – to break process-tree-based analysis. The malware also uses its kernel rootkit component to hide its processes and ports, thus helping it evade rule-based detection.
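"XOR-based encryption" is worth a caveat: XOR with a fixed repeating key hides strings from `strings` and naive signatures, but it is not encryption in any meaningful sense, because every byte of plaintext you know (or can guess) hands you one byte of the key. The snippet below is an added example for this article, not XorDdos's code or Microsoft's; the key, the config blob and the assumption that the key length is already known are all constructed for the demo.

```python
# Constructed sample: a fake 16-byte key and a fake config blob. Neither is
# XorDdos's real key or data; they stand in for the kind of material it XORs.
CONSTRUCTED_KEY = b"demo-key-0123456"
CONSTRUCTED_CONFIG = b"server=198.51.100.23:3333\ninterval=30\n"


def xor_bytes(data, key):
    """Repeating-key XOR: the same function both obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_plaintext, key_len, offset=0):
    """Recover key bytes from plaintext known to sit at `offset` in the blob.

    Because c[i] = p[i] ^ k[i % key_len], every known plaintext byte yields one
    key byte. Returns a list of length key_len; slots the known plaintext never
    reaches stay None. Raises if two known bytes disagree about a slot, which
    means the offset or the key-length guess is wrong."""
    key = [None] * key_len
    for i, p in enumerate(known_plaintext):
        pos = offset + i
        if pos >= len(ciphertext):
            break
        k = ciphertext[pos] ^ p
        slot = pos % key_len
        if key[slot] is not None and key[slot] != k:
            raise ValueError(f"inconsistent key byte at slot {slot}")
        key[slot] = k
    return key


def decode_partial(ciphertext, key):
    """Decode with a possibly incomplete key; unknown positions become '?'."""
    out = bytearray()
    for i, c in enumerate(ciphertext):
        k = key[i % len(key)]
        out.append(c ^ k if k is not None else ord("?"))
    return bytes(out)


if __name__ == "__main__":
    blob = xor_bytes(CONSTRUCTED_CONFIG, CONSTRUCTED_KEY)
    # An analyst who guesses only that the blob starts with "server=" already
    # recovers seven key bytes and can read every 16-byte-aligned slice of them.
    partial = recover_key(blob, b"server=", len(CONSTRUCTED_KEY))
    print(decode_partial(blob, partial))
    # With at least key_len bytes of known plaintext the whole key falls out.
    full = recover_key(blob, b"server=198.51.100.23", len(CONSTRUCTED_KEY))
    print(bytes(full) == CONSTRUCTED_KEY, decode_partial(blob, full))
```

The consistency check in `recover_key` is the useful part in practice: guess a key length, feed in a longer known string, and a wrong guess shows up as a conflict rather than as silently garbled output. In a real sample the known plaintext is typically a format string, a path, or a protocol banner that the binary has to produce in the clear at some point anyway.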

Additionally, the stealthy malware uses several persistence mechanisms to support different Linux distributions, so it's good at infecting a range of different systems.

"XorDdos and other threats targeting Linux devices emphasize how crucial it is to have security solutions with comprehensive capabilities and complete visibility spanning numerous distributions of Linux operating systems," Redmond noted in the blog. 

And guess who just happens to sell said security solutions? ®

Biting the hand that feeds IT © 1998–2022