DDoS malware for Linux systems comes with sophisticated custom-built rootkit

XOR.DDoS is distributed through SSH brute-force password guessing attacks

A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that's custom built for each infection.

The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. However, it has since evolved and new versions were seen in the wild as recently as Jan. 20, according to a new report Thursday from security firm FireEye, which analyzed the threat in detail.

XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks launched primarily from Internet Protocol (IP) addresses registered to a Hong Kong-based company called Hee Thai Limited.

The attacks attempt to guess the password for the root account by using different dictionary-based techniques and password lists from past data breaches. FireEye observed well over 20,000 SSH login attempts per targeted server within a 24-hour period and more than 1 million per server between mid-November and end of January.

When the attackers manage to guess the root password they send a complex SSH remote command -- sometimes over 6,000 characters long -- that consists of multiple shell commands separated by semicolons. These commands download and execute various scripts as part of a sophisticated infection chain that relies on an on-demand malware building system.

The use of SSH remote commands is significant because OpenSSH does not log such commands, "even when logging is configured to the most verbose setting," the FireEye researchers said. "Since a remote command doesn't create a terminal session, TTY logging systems also do not capture these events. Both the last and lastlog commands, which display listings of recent logins, are also blind."

The initial scripts harvest Linux kernel headers from infected systems and also extract the "vermagic" string from the existing loadable kernel modules (LKMs). This information is sent back to attacker-controlled servers and is used to automatically build rootkits that function as LKMs and are customized for each infected system.

This sophisticated on-demand build infrastructure automates the creation of LKM rootkits for different kernels and architectures as each LKM needs to be compiled for the particular kernel it's intended to run on.

"Unlike Windows, which has a stable kernel API allowing for the creation of code that is portable between kernel versions, the Linux kernel lacks such an API," the FireEye researchers said. "Since the kernel's internals change from version to version, a LKM must be binary compatible with the kernel."

The rootkit's goal is to hide the processes, files and ports associated with XOR.DDoS, a malware program that's also installed on the compromised systems and is primarily used by attackers to launch distributed denial-of-service (DDoS) attacks.

"Unlike typical straightforward DDoS bots, XOR.DDoS is one of the more sophisticated malware families to target the Linux OS," the FireEye researchers said. "It's also multi-platform, with C/C++ source code that can be compiled to target x86, ARM and other platforms."

XOR.DDoS can also download and execute arbitrary binary files, which gives it the ability to update itself. FireEye observed two major versions of XOR.DDoS so far, the second one being first spotted at the end of December.

Networking and embedded devices are more likely to be vulnerable to SSH brute force attacks and it might not be possible for end-users to easily protect them, the FireEye researchers said.

There are many embedded devices that are configured for remote administration and are accessible over the Internet. In 2012, an anonymous researcher was able to hijack 420,000 such devices that had default or no telnet login passwords. He used them to scan the entire Internet as part of a research project that became known as the Internet Census 2012.

The number of devices that are accessible via SSH and use weak passwords that would be vulnerable to complex brute-force attacks like the ones used by the XOR.DDoS gang, is likely to be much higher.

If possible, the SSH servers on these devices should be configured to use cryptographic keys instead of passwords for authentication and remote login should be disabled for their root accounts, the FireEye researchers said. "Home and small business users can install the open source fail2ban utility, which works with iptables to detect and block brute force attacks."

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecurityAccess control and authenticationFireEyeMalware Must Diemalware

More about ARMFireEyeLinuxSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place