Security researchers have uncovered a network of infected Linux computers that's flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.
The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.
"In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," a separate writeup on the botnet explained. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers)."
XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware.
"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware."
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 30 2015, @06:50AM
The best operating system doesn't help against insecure passwords.
(Score: 3, Funny) by pkrasimirov on Wednesday September 30 2015, @07:01AM
"I'm sorry, Dave. I'm afraid I can't do that."
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @07:10AM
OpenSSH comes with password authentication turned off by default, so unless an OS goes out of the way to be INsecure, it will help against insecure passwords.
(Score: 1) by canopic jug on Wednesday September 30 2015, @07:53AM
Only for root. See rev. 1.96 [openbsd.org] of the sshd configuration file. You'd have to make that change yourself to cover the regular accounts, too.
But a lame root password is apparently the main way in [blogspot.com].
Money is not free speech. Elections should not be auctions.
(Score: 3, Informative) by TheLink on Wednesday September 30 2015, @09:28AM
I would think that normal user privileges are enough to do most botnet stuff.
User level "crontab" and "at" to hook itself in more securely. For bonus points[1] change the path and some command shell aliases (like ls, sudo).
User level network access is enough to DDoS and get new commands.
user level process is enough to do bitcoin etc mining.
So a mere drive by browser exploit could install such a malware. Unless of course the browser is sandboxed properly. But are the default sandboxes for browsers on linux distros good enough to prevent this? When I checked Ubuntu years ago the default apparmor sandbox for Firefox wasn't that secure - the browser could still access quite a lot.
[1] For even more bonus points fix set, top, ps, sha1sum etc to make it hard to detect the malware.
(Score: 2) by cykros on Wednesday September 30 2015, @01:00PM
I think that while you can do a lot with a normal user, root is a user that can usually safely be assumed to exist on just about all systems, without needing to use another method to enumerate users on a machine. With enough machines with weak root passwords (and remote access), there's not sufficient reason to expend the energy going after the rest if all you're trying to do is make a moderate sized botnet for DDoS attacks.
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:15PM
As soon as you're running on a machine, regardless of user, you know that your account exists... Which account is this you ask? How about $USER (or %USERNAME% on Window).
Environment variables are a great thing...
(Score: 2, Funny) by Anonymous Coward on Wednesday September 30 2015, @09:55AM
That's why I upgraded to Windows 10.
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:57AM
How about if users had two passwords?
For the user it is an additional inconvienience of having to remember two passwords.
For an attacker it increases the length of time required to guess a password exponentially.
Also, systems should add a 1 second delay per password failure increasing by 1 second per failure.
Pity these systems did not silently disable the account for 12 hours after 10 failures.
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @01:17PM
What's your IP? Let me see whether I can block you from using your computer for 12 hours...
And *that* is why systems don't do that...
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @03:24PM
What's your IP? Let me see whether I can block you from using your computer for 12 hours...
127.0.0.1