SoylentNews is people

posted by janrinok on Wednesday September 30 2015, @06:41AM
from the linux-has-hit-the-big-time dept.

Security researchers have uncovered a network of infected Linux computers that's flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," a separate writeup on the botnet explained. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."

XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware.
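The entry vector described above (password guessing against the SSH shell, then a root login) leaves a distinctive trail in the authentication log. The following is an added example, not code from the story or from the Akamai advisory: it runs over constructed auth.log lines of the kind sshd writes, flags source addresses that produce a burst of failed password logins inside a short window, and reports any password login that the same source later got accepted. The hostname, PIDs and addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from any real host or from the
# advisory).  Addresses are RFC 5737 documentation ranges; hostname and PIDs
# are made up.
SAMPLE_LOG = """\
Sep 30 06:40:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 30 06:40:02 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Sep 30 06:40:04 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Sep 30 06:40:05 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Sep 30 06:40:07 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Sep 30 06:40:09 web1 sshd[2106]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Sep 30 06:41:30 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Sep 30 06:41:35 web1 sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Sep 30 07:12:00 web1 sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches the "Accepted ... for" / "Failed ... for" lines sshd logs for each
# authentication attempt.  Syslog timestamps carry no year, so one is supplied.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each source address that produced `threshold` failed logins inside
    `window_seconds` to a summary, including any password login it later got
    accepted (the signature of a successful guess)."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "Failed"]
        # Sliding window over the sorted failure times: a burst exists if the
        # i-th and (i+threshold-1)-th failures are close enough together.
        burst_start = next(
            (fails[i]["ts"] for i in range(len(fails) - threshold + 1)
             if (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds),
            None,
        )
        if burst_start is None:
            continue
        accepted = [(e["user"], e["ts"].isoformat()) for e in events
                    if e["result"] == "Accepted" and e["method"] == "password"
                    and e["ts"] > burst_start]
        findings[src] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "accepted_password_after_burst": accepted,
        }
    return findings


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

On the sample, only 203.0.113.5 is reported: five failures in six seconds followed by an accepted password login as root, which is the point at which a host should be treated as compromised rather than merely probed. The single failure from 192.0.2.9 stays below the threshold, and alice's key-based login is never counted because only password logins after a burst are of interest here.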

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."


  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 30 2015, @06:50AM

    by Anonymous Coward on Wednesday September 30 2015, @06:50AM (#243410)

    The best operating system doesn't help against insecure passwords.

  • (Score: 3, Funny) by pkrasimirov on Wednesday September 30 2015, @07:01AM

    by pkrasimirov (3358) Subscriber Badge on Wednesday September 30 2015, @07:01AM (#243414)

    "I'm sorry, Dave. I'm afraid I can't do that."

  • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @07:10AM

    by Anonymous Coward on Wednesday September 30 2015, @07:10AM (#243415)

    OpenSSH comes with password authentication turned off by default, so unless an OS goes out of the way to be INsecure, it will help against insecure passwords.

    • (Score: 1) by canopic jug on Wednesday September 30 2015, @07:53AM

      by canopic jug (3949) Subscriber Badge on Wednesday September 30 2015, @07:53AM (#243427) Journal

      Only for root. See rev. 1.96 [openbsd.org] of the sshd configuration file. You'd have to make that change yourself to cover the regular accounts, too.

      But a lame root password is apparently the main way in [blogspot.com].

      --
      Money is not free speech. Elections should not be auctions.
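The directives the comment above is about (PermitRootLogin and PasswordAuthentication) can be audited mechanically. The following is an added example and is not code from the commenter or from the OpenSSH project: it parses the global section of an sshd_config and reports the password-related directives. It flags only values that are set explicitly; a directive that is not set is reported as unset rather than guessed, since the compiled-in default depends on the OpenSSH version, and `sshd -T` prints the effective value on a given host. Both configuration fragments are constructed.

```python
import re

# Constructed sshd_config fragment showing the weak settings this thread is
# about (not the file from any real host).  A Match block is included to show
# that only the global section is audited.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 20
Match User deploy
    PasswordAuthentication no
"""

# Constructed hardened counterpart: key-only logins, no root over the network.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# directive -> (values considered weak, recommended value).  Keys are
# lower-cased because sshd accepts directive names in any case.
CHECKS = {
    "permitrootlogin": ({"yes"}, "no"),
    "passwordauthentication": ({"yes"}, "no"),
    "permitemptypasswords": ({"yes"}, "no"),
    "challengeresponseauthentication": ({"yes"}, "no"),
}


def parse_global(config_text):
    """Return {directive: value} for the global section, stopping at the first
    Match block.  The first occurrence of a directive wins, as in sshd(8)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return a list of (directive, status, detail) with status in
    {"weak", "ok", "unset"}."""
    settings = parse_global(config_text)
    findings = []
    for key, (weak_values, recommended) in CHECKS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "unset",
                             f"daemon default applies; confirm with 'sshd -T' and set '{recommended}' explicitly"))
        elif value.lower() in weak_values:
            findings.append((key, "weak", f"'{value}' set; recommended '{recommended}'"))
        else:
            findings.append((key, "ok", value))
    # A large MaxAuthTries lets a guesser test many passwords per connection.
    tries = settings.get("maxauthtries")
    if tries is not None and tries.isdigit() and int(tries) > 6:
        findings.append(("maxauthtries", "weak", f"{tries} attempts per connection"))
    return findings


def weak_directives(config_text):
    """Sorted names of the directives audit() rates as weak."""
    return sorted(key for key, status, _ in audit(config_text) if status == "weak")


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for finding in audit(text):
            print("  ", *finding)
```

The Match block in the weak fragment turns password authentication off for one account only, and the audit deliberately ignores it: the global value is what every other account, root included, gets. The hardened fragment produces no weak findings, only an "unset" note for ChallengeResponseAuthentication, which is worth setting explicitly because keyboard-interactive login is another way to present a password.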
      • (Score: 3, Informative) by TheLink on Wednesday September 30 2015, @09:28AM

        by TheLink (332) on Wednesday September 30 2015, @09:28AM (#243443) Journal

        Thing is, does the malware really need root to achieve its goals?

        I would think that normal user privileges are enough to do most botnet stuff.
        User level "crontab" and "at" to hook itself in more securely. For bonus points[1] change the path and some command shell aliases (like ls, sudo).
        User level network access is enough to DDoS and get new commands.
        User level process is enough to do bitcoin etc. mining.

        So a mere drive by browser exploit could install such a malware. Unless of course the browser is sandboxed properly. But are the default sandboxes for browsers on Linux distros good enough to prevent this? When I checked Ubuntu years ago the default AppArmor sandbox for Firefox wasn't that secure - the browser could still access quite a lot.

        [1] For even more bonus points fix set, top, ps, sha1sum etc to make it hard to detect the malware.
        • (Score: 2) by cykros on Wednesday September 30 2015, @01:00PM

          by cykros (989) on Wednesday September 30 2015, @01:00PM (#243478)

          I think that while you can do a lot with a normal user, root is a user that can usually safely be assumed to exist on just about all systems, without needing to use another method to enumerate users on a machine. With enough machines with weak root passwords (and remote access), there's not sufficient reason to expend the energy going after the rest if all you're trying to do is make a moderate sized botnet for DDoS attacks.

          • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:15PM

            by Anonymous Coward on Wednesday September 30 2015, @01:15PM (#243483)

            As soon as you're running on a machine, regardless of user, you know that your account exists... Which account is this you ask? How about $USER (or %USERNAME% on Windows).
            Environment variables are a great thing...

  • (Score: 2, Funny) by Anonymous Coward on Wednesday September 30 2015, @09:55AM

    by Anonymous Coward on Wednesday September 30 2015, @09:55AM (#243449)

    That's why I upgraded to Windows 10.

  • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:57AM

    by Anonymous Coward on Wednesday September 30 2015, @09:57AM (#243451)

    How about if users had two passwords?

    For the user it is an additional inconvenience of having to remember two passwords.

    For an attacker it increases the length of time required to guess a password exponentially.

    Also, systems should add a 1 second delay per password failure increasing by 1 second per failure.

    Pity these systems did not silently disable the account for 12 hours after 10 failures.

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:17PM

      by Anonymous Coward on Wednesday September 30 2015, @01:17PM (#243484)

      What's your IP? Let me see whether I can block you from using your computer for 12 hours...
      And *that* is why systems don't do that...

      • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @03:24PM

        by Anonymous Coward on Wednesday September 30 2015, @03:24PM (#243538)

        What's your IP? Let me see whether I can block you from using your computer for 12 hours...

        127.0.0.1
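The subthread above compares two responses to repeated failures: a growing per-failure delay, and silently locking the account for 12 hours after 10 failures, which the replies point out hands anyone who knows a username a way to lock its owner out. The following is an added example, not anyone's comment, that simulates both policies against the same constructed timeline: one address sends ten wrong guesses for an account, then the account's real owner logs in correctly from a different address. The credential store, addresses and timeline are constructed; the lockout variant is keyed by account and the backoff variant by source address, which is the design difference the thread turns on.

```python
# Constructed credential store for the simulation (not a real account).
CORRECT = {"alice": "correct horse battery staple"}


class AccountLockout:
    """Lock an account for `lockout_seconds` after `max_failures` wrong guesses,
    no matter where the guesses came from (the policy proposed above)."""

    def __init__(self, max_failures=10, lockout_seconds=12 * 3600):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failures
        self.locked_until = {}  # account -> simulated time the lock expires

    def attempt(self, now, src, user, password):
        """Return (outcome, delay_seconds); delay is always 0 for this policy."""
        if self.locked_until.get(user, 0) > now:
            return ("locked", 0)          # even the correct password is refused
        if CORRECT.get(user) == password:
            self.failures[user] = 0
            return ("ok", 0)
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return ("denied", 0)


class PerSourceBackoff:
    """Delay each attempt from a source by `step` seconds for every earlier
    failure from that same source (the 1 s, 2 s, 3 s ... scheme above), so the
    cost lands on the guesser and never on the account's owner elsewhere."""

    def __init__(self, step=1.0):
        self.step = step
        self.failures = {}  # src -> failures so far

    def attempt(self, now, src, user, password):
        """Return (outcome, delay_seconds) the caller must sleep before answering."""
        delay = self.step * self.failures.get(src, 0)
        if CORRECT.get(user) == password:
            return ("ok", delay)
        self.failures[src] = self.failures.get(src, 0) + 1
        return ("denied", delay)


def simulate(policy):
    """Ten wrong guesses for alice from 203.0.113.5 at t=0..9, then alice's own
    correct login from 198.51.100.7 at t=60.  Returns what each party saw."""
    attacker = [policy.attempt(now=float(t), src="203.0.113.5", user="alice",
                               password=f"guess{t}") for t in range(10)]
    victim = policy.attempt(now=60.0, src="198.51.100.7", user="alice",
                            password=CORRECT["alice"])
    return {
        "attacker_results": attacker,
        "attacker_total_wait": sum(delay for _, delay in attacker),
        "victim_result": victim,
    }


if __name__ == "__main__":
    for policy in (AccountLockout(), PerSourceBackoff()):
        print(type(policy).__name__, simulate(policy))
```

Under AccountLockout the tenth wrong guess locks alice out, and her own correct login at t=60 is refused for the next 12 hours: the guesser needed nothing but her username to do that. Under PerSourceBackoff the guesser accumulates 45 seconds of delay over the same ten attempts and the owner's login is accepted immediately. Per-source throttling still slows a guesser who rotates addresses only per address, which is why the earlier comments' point about disabling password authentication in favour of keys removes the problem rather than rate-limiting it.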