Microsoft Detects a Significant Growth in Linux XorDDos Malware

A strain of Linux malware has been growing rapidly in the last six months. Microsoft is now urging owners to take several steps to secure their Linux devices.

Microsoft found that Linux devices first infected by XorDdos were subsequently infected with additional malware, the Tsunami backdoor. Once the Tsunami backdoor infiltrates the device, it deploys the XMRig coin miner.


In its announcement, Microsoft stated: "While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities."

The XorDdos payload is a 32-bit Linux ELF file, a modular binary written in C/C++. Microsoft also notes that it runs as a daemon process, operating in the background outside the user's control, and that the process terminates when the system is shut down.

However, the malware relaunches automatically at startup through several scripts and commands that allow it to run whenever the system boots.

The XorDdos

This isn't the first time XorDdos has targeted Docker servers that are left unprotected with exposed ports. It has attacked systems in order to overwhelm a target network or service with fake traffic and render it inaccessible.

With that, it has been named the top Linux-targeted threat in 2021. Furthermore, it has also been revealed that Linux malware families increased by roughly 40 percent in 2020 compared to 2019, according to a February 2021 report by Intezer.

According to researchers, it uses evasion and persistence mechanisms that make its operations stealthy and robust. The evasion capabilities include evading any rule-based detection mechanisms, the use of anti-forensic techniques, and obfuscating the malware's activities.

XorDdos can conduct multiple attack techniques, such as DNS, SYN, and ACK attacks. It collects characteristics of an infected device, such as the magic string, OS release version, rootkit presence, CPU information, and LAN speed, all of which are encrypted and sent to the C2 server.

The Sysrv-K

Earlier this week, Microsoft said that another botnet is targeting Windows. A new variant of the Sysrv botnet is taking advantage of a flaw in the Spring Framework. The botnet installs cryptocurrency mining malware on Windows platforms as well as on Linux systems.

A tweet from Microsoft reads, "Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself."

Microsoft also observed that the new variant supports an additional communication capability: the ability to use a Telegram bot.

This article is owned by Tech Times

Written by April Fowell

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.