posted by janrinok on Wednesday September 30 2015, @06:41AM
from the linux-has-hit-the-big-time dept.

Security researchers have uncovered a network of infected Linux computers that's flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," a separate writeup on the botnet explained. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."
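The XOR obfuscation the writeup names is also what makes such samples approachable for defenders: XOR is its own inverse, so a single-byte key falls to a 256-way search scored on how text-like each candidate output is, and a longer repeating key falls out byte by byte wherever a few bytes of plaintext (a fixed header, say) are known. The Python below is an added example written for this page, not code from Akamai, from the writeup quoted above, or from the malware; the obfuscated blobs, the keys and the "cnc." header are constructed here, and nothing about Xor.DDoS's real key length or message layout is assumed.

```python
import string
from typing import Tuple

# Rough English letter frequencies (percent). Space gets a high weight too,
# since command strings and configs are space-separated text.
LETTER_WEIGHT = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, " ": 13.0,
}
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(candidate: bytes) -> float:
    """Higher means 'looks more like English-ish text'. Non-printable bytes
    are penalised hard so that keys producing binary junk lose quickly."""
    score = 0.0
    for b in candidate:
        ch = chr(b)
        if ch in LETTER_WEIGHT:
            score += LETTER_WEIGHT[ch]
        elif 97 <= b <= 122:          # other lowercase letters
            score += 1.0
        elif b in PRINTABLE:          # digits, punctuation, whitespace
            score += 0.5
        else:
            score -= 20.0
    return score


def crack_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 one-byte keys, keep the most text-like result."""
    best_key = max(range(256), key=lambda k: text_score(xor_bytes(blob, bytes([k]))))
    return best_key, xor_bytes(blob, bytes([best_key]))


def recover_repeating_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the first key_len bytes of plaintext are
    known, key[i] = blob[i] ^ known[i] gives the whole repeating key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


# Constructed sample data (hypothetical C&C string, made-up keys).
SAMPLE_PLAINTEXT = b"cnc.example.invalid:3502 attack target 203.0.113.7 flood syn"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))

MULTI_KEY = b"\x13\x37\xc0\xde"
MULTI_BLOB = xor_bytes(SAMPLE_PLAINTEXT, MULTI_KEY)

if __name__ == "__main__":
    key, plain = crack_single_byte_xor(SAMPLE_BLOB)
    print("single-byte key 0x%02x ->" % key, plain)
    # Assume the analyst knows every message starts with the "cnc." header.
    k = recover_repeating_key(MULTI_BLOB, b"cnc.", len(MULTI_KEY))
    print("repeating key", k.hex(), "->", xor_bytes(MULTI_BLOB, k))
```

On a real sample the scoring function is where the effort goes: a config blob full of IP addresses and ports scores differently from English prose, so the weights are tuned to whatever the analyst expects to find, and a wrong guess shows up immediately as garbage.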

XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware.

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."


  • (Score: 1, Touché) by Anonymous Coward on Wednesday September 30 2015, @06:48AM

    by Anonymous Coward on Wednesday September 30 2015, @06:48AM (#243409)
    Like MS-DOS.

    Secure by Default. Zero remote holes in the default install.

    More secure than OpenBSD by their own silly measurement.

    ;)
    • (Score: 2) by Hyperturtle on Wednesday September 30 2015, @06:09PM

      by Hyperturtle (2824) on Wednesday September 30 2015, @06:09PM (#243624)

      You can install windows 10 from an ISO image as I did, with no NIC.

It's... secure, sure, but it is not nearly as useful as DOS was, because the later versions of DOS at least had some help menus for many of the programs included relating to the management of DOS that were actually stored locally on disk. Not so with Windows 10.

      It also did not try to sell you things directly, aside perhaps from including the most basic defrag or memory management programs after complaints that these were needed, but they couldn't compete directly with people that sold products that did those things well, etc.

      Most of that mindset is long gone.

At least with DOS, the PC often came with a means of loading in software in a fashion not considered to be a hacker activity, as "side-loading" applications is often viewed as today.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 30 2015, @06:50AM

    by Anonymous Coward on Wednesday September 30 2015, @06:50AM (#243410)

    The best operating system doesn't help against insecure passwords.

    • (Score: 3, Funny) by pkrasimirov on Wednesday September 30 2015, @07:01AM

      by pkrasimirov (3358) Subscriber Badge on Wednesday September 30 2015, @07:01AM (#243414)

      "I'm sorry, Dave. I'm afraid I can't do that."

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @07:10AM

      by Anonymous Coward on Wednesday September 30 2015, @07:10AM (#243415)

      OpenSSH comes with password authentication turned off by default, so unless an OS goes out of the way to be INsecure, it will help against insecure passwords.

      • (Score: 1) by canopic jug on Wednesday September 30 2015, @07:53AM

        by canopic jug (3949) Subscriber Badge on Wednesday September 30 2015, @07:53AM (#243427) Journal

        Only for root. See rev. 1.96 [openbsd.org] of the sshd configuration file. You'd have to make that change yourself to cover the regular accounts, too.

        But a lame root password is apparently the main way in [blogspot.com].

        --
        Money is not free speech. Elections should not be auctions.
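Both the story (weak passwords on the command shell as the way in) and the exchange above about which OpenSSH defaults actually cover root versus regular accounts come down to two sshd_config settings. The following is an added example for this page, not code from OpenSSH or from anyone in the thread: a small audit of the global section of an sshd_config for PermitRootLogin and PasswordAuthentication. It relies on facts from sshd_config(5): keywords are case-insensitive, "#" starts a comment, the first occurrence of a keyword wins, and upstream OpenSSH defaults PasswordAuthentication to "yes" when the line is absent. Lines after a Match keyword are conditional, so the audit reports them rather than treating them as global. The two configs are constructed.

```python
from typing import Dict, List, Tuple


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (global_settings, match_block_lines). First occurrence wins,
    as it does in sshd; keywords are lower-cased for lookup."""
    settings: Dict[str, str] = {}
    match_lines: List[str] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                          # "Keyword=value" form
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
        if in_match:
            match_lines.append(line)
            continue
        settings.setdefault(keyword, value)
    return settings, match_lines


def audit_sshd_config(text: str) -> List[str]:
    """Return findings; an empty list means both checks passed."""
    settings, match_lines = parse_sshd_config(text)
    findings: List[str] = []

    root = settings.get("permitrootlogin", "").lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password, "
                        "the entry vector described in the story")
    elif root in ("without-password", "prohibit-password"):
        findings.append("PermitRootLogin %s: root allowed with keys only; "
                        "'no' is tighter" % root)
    elif root == "":
        findings.append("PermitRootLogin not set: default depends on the OpenSSH "
                        "version, confirm with 'sshd -T'")

    pw = settings.get("passwordauthentication", "yes").lower()  # upstream default
    if pw != "no":
        findings.append("PasswordAuthentication %s: password guessing possible "
                        "for every account; prefer keys" % pw)

    if match_lines:
        findings.append("Match block present (%d lines): conditional overrides "
                        "not audited here" % len(match_lines))
    return findings


# Constructed configs: a neglected server and a hardened one with a Match block
# that re-enables passwords only for a management subnet.
WEAK_CONFIG = """
# constructed example of a typical neglected server
Port 22
PermitRootLogin yes
#PasswordAuthentication no   <- commented out, so the default (yes) applies
UseDNS no
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The parser reads the file as written; the authoritative view of what sshd actually applies, Match blocks and version defaults included, is `sshd -T`, which prints the effective configuration and is worth diffing against the file in the same check.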
        • (Score: 3, Informative) by TheLink on Wednesday September 30 2015, @09:28AM

          by TheLink (332) on Wednesday September 30 2015, @09:28AM (#243443) Journal
Thing is, does the malware really need root to achieve its goals?

          I would think that normal user privileges are enough to do most botnet stuff.
          User level "crontab" and "at" to hook itself in more securely. For bonus points[1] change the path and some command shell aliases (like ls, sudo).
          User level network access is enough to DDoS and get new commands.
User level process is enough to do bitcoin etc mining.

          So a mere drive by browser exploit could install such a malware. Unless of course the browser is sandboxed properly. But are the default sandboxes for browsers on linux distros good enough to prevent this? When I checked Ubuntu years ago the default apparmor sandbox for Firefox wasn't that secure - the browser could still access quite a lot.

          [1] For even more bonus points fix set, top, ps, sha1sum etc to make it hard to detect the malware.
          • (Score: 2) by cykros on Wednesday September 30 2015, @01:00PM

            by cykros (989) on Wednesday September 30 2015, @01:00PM (#243478)

            I think that while you can do a lot with a normal user, root is a user that can usually safely be assumed to exist on just about all systems, without needing to use another method to enumerate users on a machine. With enough machines with weak root passwords (and remote access), there's not sufficient reason to expend the energy going after the rest if all you're trying to do is make a moderate sized botnet for DDoS attacks.

            • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:15PM

              by Anonymous Coward on Wednesday September 30 2015, @01:15PM (#243483)

As soon as you're running on a machine, regardless of user, you know that your account exists... Which account is this you ask? How about $USER (or %USERNAME% on Windows).
              Environment variables are a great thing...

    • (Score: 2, Funny) by Anonymous Coward on Wednesday September 30 2015, @09:55AM

      by Anonymous Coward on Wednesday September 30 2015, @09:55AM (#243449)

      That's why I upgraded to Windows 10.

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:57AM

      by Anonymous Coward on Wednesday September 30 2015, @09:57AM (#243451)

      How about if users had two passwords?

For the user it is an additional inconvenience of having to remember two passwords.

      For an attacker it increases the length of time required to guess a password exponentially.

      Also, systems should add a 1 second delay per password failure increasing by 1 second per failure.

      Pity these systems did not silently disable the account for 12 hours after 10 failures.

      • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:17PM

        by Anonymous Coward on Wednesday September 30 2015, @01:17PM (#243484)

        What's your IP? Let me see whether I can block you from using your computer for 12 hours...
        And *that* is why systems don't do that...

        • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @03:24PM

          by Anonymous Coward on Wednesday September 30 2015, @03:24PM (#243538)

          What's your IP? Let me see whether I can block you from using your computer for 12 hours...

          127.0.0.1
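The two proposals above (a delay that grows by a second per failure, and a 12-hour lockout after 10 failures) and the objection to them (anyone who knows your username can lock you out) can be made concrete in a few lines. The Python below is an added example for this page, not code from anyone in the thread or from any login system: one guard class that can key its failure counters either on the account or on the source address, run against a constructed scenario in which a remote address hammers an account with wrong passwords and the real user then tries the correct one from her own address. The reading of "1 second per failure increasing by 1 second per failure" as an n-second wait on the n-th consecutive failure is this example's interpretation; all addresses and the clock are constructed.

```python
from collections import defaultdict
from typing import Dict, Tuple

LOCKOUT_FAILURES = 10
LOCKOUT_SECONDS = 12 * 3600


class LoginGuard:
    """Failure counting and lockout, keyed on 'account' or 'source'."""

    def __init__(self, key_by: str) -> None:
        if key_by not in ("account", "source"):
            raise ValueError("key_by must be 'account' or 'source'")
        self.key_by = key_by
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def _key(self, account: str, source_ip: str) -> str:
        return account if self.key_by == "account" else source_ip

    def attempt(self, account: str, source_ip: str,
                password_ok: bool, now: float) -> Tuple[str, float]:
        """Return (outcome, delay_seconds); outcome is 'ok', 'fail' or 'locked'."""
        k = self._key(account, source_ip)
        until = self.locked_until.get(k)
        if until is not None and now < until:
            return "locked", 0.0
        if password_ok:
            self.failures[k] = 0
            self.locked_until.pop(k, None)
            return "ok", 0.0
        self.failures[k] += 1
        n = self.failures[k]
        delay = float(n)                  # n-th consecutive failure waits n seconds
        if n >= LOCKOUT_FAILURES:
            self.locked_until[k] = now + LOCKOUT_SECONDS
            self.failures[k] = 0
            return "locked", delay
        return "fail", delay


def guessing_cost(n_failures: int) -> int:
    """Total seconds a guesser spends waiting after n failures: 1+2+...+n."""
    return n_failures * (n_failures + 1) // 2


def simulate_lockout_abuse(key_by: str) -> str:
    """Constructed scenario: 198.51.100.9 sends 10 wrong passwords for 'alice';
    then alice, from 192.0.2.50, presents her correct password. Returns her
    outcome, which is the thing the reply above is worried about."""
    guard = LoginGuard(key_by)
    now = 0.0
    for _ in range(LOCKOUT_FAILURES):
        _, delay = guard.attempt("alice", "198.51.100.9", False, now)
        now += delay
    outcome, _ = guard.attempt("alice", "192.0.2.50", True, now)
    return outcome


if __name__ == "__main__":
    print("keyed on account:", simulate_lockout_abuse("account"))   # legitimate user shut out
    print("keyed on source :", simulate_lockout_abuse("source"))    # legitimate user unaffected
    print("wait after 10 failures:", guessing_cost(10), "s")
```

Keying on the source address is what tools like fail2ban do with sshd logs, and it is the version that does not hand out a denial of service; its own caveats are that a botnet with many addresses shares the budget across them, and that users behind one NAT share a counter. Both are arguments for making keys the primary credential rather than for tuning the counters.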

  • (Score: 2) by ticho on Wednesday September 30 2015, @07:46AM

    by ticho (89) on Wednesday September 30 2015, @07:46AM (#243425) Homepage Journal

    How is this new? I've been cleaning up infections like this from small, neglected Linux servers 10 years ago. They all worked by abusing weak passwords (not necessarily of root account), downloaded their stuff and used IRC to receive instructions.

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @02:51PM

      by Anonymous Coward on Wednesday September 30 2015, @02:51PM (#243529)

      Some Windows 10 expert (aka noob) wanted to stir up some crap about Linux

  • (Score: 4, Interesting) by Gravis on Wednesday September 30 2015, @07:49AM

    by Gravis (4596) on Wednesday September 30 2015, @07:49AM (#243426)

    it's pretty obvious that this is part of a larger effort because there is an embedded password dictionary that it tries. so when domain XYZ is compromised and the passwords are stored insecurely, they add it to the list. how else do you explain having "5faWed2ff8aE116e3X1aefaZ000f719Qf40obe" on the list?

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:59PM

      by Anonymous Coward on Wednesday September 30 2015, @09:59PM (#243711)

      how else do you explain having "5faWed2ff8aE116e3X1aefaZ000f719Qf40obe" on the list?

      That's the base64 of the md5 of the combination to my luggage!

  • (Score: 5, Insightful) by PizzaRollPlinkett on Wednesday September 30 2015, @11:18AM

    by PizzaRollPlinkett (4512) on Wednesday September 30 2015, @11:18AM (#243462)

    Wait, I read the article ... " (brute forcing the SSH credentials of the root user) " ... people allow logins to the root user over the Internet? Really? For that matter, people allow password logins to SSH? Really? In 2015?

    What does this have to do with "Linux computers"? This is just stupidity that happens to involve Linux accidentally.

    Look, we put LINUX in the headline!!! LINUX isn't secure!!! It's a LINUX!!! security problem! CLICKBAIT!!! Can we use a blink tag?

    --> HEY!!! CLICK HERE!!! LINUX IS NOT SECURE!!! --

    I've noticed most "Linux" problems either don't have anything to do with Linux, or are so vague you can't really pin down any specifics.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:26PM

      by Anonymous Coward on Wednesday September 30 2015, @01:26PM (#243488)

      Yep. The SoylentNews clickbait filter bit is set to zero.

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @02:39PM

      by Anonymous Coward on Wednesday September 30 2015, @02:39PM (#243520)

      There is always some exploit waiting out there. This is why I do not have any of those ports open to the internet. Even if I config it correctly and keep it all up to date. On top of that I have several items that will never get an update (for example my TV that has known exploits). Linux is secure but pretty much only if you are running the latest version. Like most OS's out there.

      I would like to have a shell port for remote admin. But just do not want to have to ass around with fixing a mess something like this would create.

    • (Score: 2) by Hyperturtle on Wednesday September 30 2015, @06:05PM

      by Hyperturtle (2824) on Wednesday September 30 2015, @06:05PM (#243623)

      Cosmopolitan also repeats the same articles on how to please your man with mind blowing tips about once every three years. New audience members, etc. And only so many ways to do it.

      Churches do the same with their stories on Sunday--rehashing old content for same reasons.

      As do these tech news websites.

    • (Score: 2) by darkfeline on Wednesday September 30 2015, @10:56PM

      by darkfeline (1030) on Wednesday September 30 2015, @10:56PM (#243737) Homepage

      There's nothing wrong with root logins. Hell, I would even say there's nothing wrong with password root logins, provided you use a strong password like NaQByIMZ9DpX8rkywJM8RjM5kRuZUO. This just comes down to stupidity or poor security practices, something which cannot be solved simply by disabling root login.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @02:09AM

        by Anonymous Coward on Thursday October 01 2015, @02:09AM (#243801)

        key-based login is dead simple in SSH and way more secure than any password.

      • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @05:59PM

        by Anonymous Coward on Thursday October 01 2015, @05:59PM (#244121)

        there's no excuse for root login via ssh or password auth via ssh. if you allow either you are incompetent.

  • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @12:48PM

    by Anonymous Coward on Wednesday September 30 2015, @12:48PM (#243474)

    I think a lot of these computers are people that do not know better and run Kali because they are "hackers". You know the ones. They are the ones that ask you how to hack Facebook and use aircrack.

  • (Score: 4, Interesting) by VanessaE on Wednesday September 30 2015, @06:19PM

    by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Wednesday September 30 2015, @06:19PM (#243630) Homepage Journal

My remote server, which runs several gaming server instances in addition to the usual webserver and other stuff, got targeted by a DDoS recently. Same attack (from the same IPs) happened to three other people I know who also run multiple gaming instances. Greater than a 300 Gbps peak, said my hosting provider. All of the IPs involved originated in Asia; at least 20 hit my machine.

    The ports targeted had to do with various online games, although they were not related to the game servers that I and the other folks I mentioned run (Minetest, in this case. I forget now what the targets actually were).

    In my case, it forced me to move to a host that provides good DDoS protection.[*]

    I can't help but wonder if this botnet was the source.

    [*] For the record, the host at the time was at Hetzner Online AG, whose policy amounts to "Sorry, you got targeted, so we pulled the plug for however long we feel like it. Fuck you if you don't like it." If you have machines or services hosted there, move them ASAP.

  • (Score: 2) by Taibhsear on Wednesday September 30 2015, @08:28PM

    by Taibhsear (1464) on Wednesday September 30 2015, @08:28PM (#243688)

    How does one search their system to see if they are infected with this?
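The story says Akamai's advisory carries the intrusion-prevention signatures and removal steps, and the page does not reproduce them, so there is no indicator here to grep for. What a defender can check from the page alone is the way in that the summary describes: repeated failed password logins for root over SSH, followed by one that succeeded. The Python below is an added example for this page, not code from Akamai or from anyone in the thread: it parses the lines OpenSSH writes to the auth log for password and public-key outcomes, counts failures per source address, and flags any password login that succeeded from a source that had already failed. The log lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Matches the auth-log lines OpenSSH writes for authentication outcomes, e.g.
# "sshd[2231]: Failed password for root from 198.51.100.9 port 40122 ssh2"
# "sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2"
# "sshd[2390]: Accepted publickey for alice from 192.0.2.50 port 60010 ssh2: ED25519 SHA256:..."
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_events(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (outcome, method, user, source) for every matching line."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append((m["outcome"], m["method"], m["user"], m["src"]))
    return events


def find_password_guessing(lines: List[str], threshold: int = 5
                           ) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return (sources with >= threshold failed passwords,
               (user, source) pairs where a password was accepted from a source
               that had failed before, i.e. a guess that probably landed)."""
    failures: Counter = Counter()
    guessed: List[Tuple[str, str]] = []
    for outcome, method, user, src in parse_sshd_events(lines):
        if outcome == "Failed" and method == "password":
            failures[src] += 1
        elif outcome == "Accepted" and method == "password" and failures[src] > 0:
            guessed.append((user, src))
    hammering = {src: n for src, n in failures.items() if n >= threshold}
    return hammering, guessed


# Constructed sample log: seven root failures and a success from one address,
# two failures for a non-existent user from another, and a normal key login.
FAILED_ROOT = [
    "Sep 30 06:41:%02d web1 sshd[%d]: Failed password for root from 198.51.100.9 port %d ssh2"
    % (s, 2231 + s, 40122 + s)
    for s in range(7)
]
SAMPLE_LOG = FAILED_ROOT + [
    "Sep 30 06:41:09 web1 sshd[2250]: Accepted password for root from 198.51.100.9 port 40140 ssh2",
    "Sep 30 06:42:00 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Sep 30 06:42:03 web1 sshd[2302]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "Sep 30 06:45:10 web1 sshd[2390]: Accepted publickey for alice from 192.0.2.50 port 60010 ssh2: ED25519 SHA256:constructedfingerprint",
    "Sep 30 06:45:11 web1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    hammering, guessed = find_password_guessing(SAMPLE_LOG)
    print("sources over threshold:", hammering)
    print("password logins after failures (investigate):", guessed)
```

The lines come from `/var/log/auth.log` on Debian-style systems, `/var/log/secure` on RHEL-style ones, or `journalctl -u ssh`. A hit in the second list answers the question of whether the entry method succeeded; whether the payload described in the story then ran is what the advisory's signatures and removal instructions are for, and a successful password login for root from an unfamiliar address is reason enough to treat the host as compromised until proven otherwise.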