Microsoft sounds the alarm on – wait for it – a Linux botnet

Redmond claims the numbers are scary, but won't release them


Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers.

The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that is amasses botnets to carry out distributed denial-of-service attacks. Over the last six months, Microsoft threat researchers say they've witnessed a 254 percent spike in the malware's activity. 

"XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices," Redmond warned

And to illustrate this trend, Redmond noted that over the course of the XorDdos malware's 8-year reign of terror, it has hit a whopping (checks Microsoft's numbers)... err, we have no idea how many devices it has infected. The blog doesn't say. It also doesn't give any baseline for the 254 percent increase. And Microsoft said it wouldn't have them until the middle of next week.  

To be clear: we are not minimizing the disruptive nature of DDoS attacks, which, as we've seen in recent months, can be weaponized by rogue nations and other miscreants to knock government agencies and businesses offline. And when these botnets disrupt websites providing news and public services information in combat zones, DDoS activity becomes even more dangerous.

"DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems," the Microsoft 365 Defender Research Team wrote. 

We wholeheartedly agree. 

But you know what else is equally dangerous as Linux botnets? Windows botnets.

Take the Windows-device-targeting Purple Fox malware, for example, which was also discovered in 2018.

Guardicore security researchers recently wrote about how this botnet's malicious activity has jumped 600 percent since May 2020, and infected more than 90,000 devices in the past year alone. But Microsoft didn't blog about this one.

To be fair, Microsoft's Security Intelligence team this week did warn about a new variant of the Sysrv moreno-mining botnet that targets both Linux and Windows systems.

But from where we sit, it definitely appears that Redmond finds a whole lot more joy in bashing Linux than, say, looking in the mirror at its own flaws.

How XorDdos evades detection

In the new blog about XorDdos, Microsoft noted that the malware uses secure shell (SSH) brute force attacks to gain control on target devices. Once it successfully finds the right root credential combination, it uses one of two methods for initial access, both of which result in running a malicious ELF file – the XorDdos malware.

The binary is programmed in C/C++ and its code is modular, according to the research team. And it uses specific functionalities to evade detection. 

As noted above, one of these is XOR-based encryption to obfuscate data. Additionally, XorDdos uses daemon processes – these are processes running in the background – to break process tree-based analysis. The malware also uses its kernel rootkit component to hide its processes and ports, thus helping it evade rule-based detection.

Additionally, the stealthy malware uses several persistence mechanisms to support different Linux distributions, so it's good at infecting a range of different systems.

"XorDdos and other threats targeting Linux devices emphasize how crucial it is to have security solutions with comprehensive capabilities and complete visibility spanning numerous distributions of Linux operating systems," Redmond noted in the blog. 

And guess who just happens to sell said security solutions? ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
    Microsoft details this ransomware-as-a-service

    Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-as-service (RaaS) offering.

    The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

    In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading

Biting the hand that feeds IT © 1998–2022