Akamai Diversity

The Akamai Blog

XOR DDoS Threat Advisory

By Bill Brenner, Akamai SIRT Senior Tech Writer


Akamai's Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware attackers are using to hijack Linux machines to include within a botnet for distributed denial of service (DDoS) campaigns. To date, the bandwidth of DDoS attacks coming from the XOR DDoS botnet has ranged from a few gigabits per second (Gbps) to 150+ Gbps. The gaming sector is the primary target, followed by educational institutions. Akamai SIRT released a threat advisory this morning authored by Security Response Engineer Tsvetelin "Vincent" Choranov.

The botnet is attacking up to 20 targets per day, 90% of which are in Asia. Akamai mitigated two DDoS attacks orchestrated by the XOR DDoS botnet on the weekend of Aug. 22. One of the attacks measured nearly 50 Gbps, and the other was almost 100 Gbps.

XOR DDoS is an example of attackers building botnets from Linux systems instead of Windows-based machines.


Other recent examples of Linux-based malware include the Spike DDoS toolkit (which also targeted Windows machines) and IptabLes and IptabLex malware. There are an increasing number of Linux vulnerabilities for malicious actors to target, such as the heap-based buffer overflow vulnerability found earlier this year in the GNU C library. However, XOR DDoS itself does not exploit a specific vulnerability.

XOR DDoS has captured the attention of technology news outlets, including SC Magazine, which describes attacks that alter installations based on the victim's Linux environment. A rootkit is also deployed to cloak the main attack. The Avast blog has also focused on XOR DDoS attacks.

SIRT's research indicates the malware is of Asian origin, based on the command-and- control (C2) IP addresses and source IP addresses of the attack payloads.


The malware does not spread via a host vulnerability. Rather, it populates via Secure Shell (SSH) services that are susceptible to brute-force attacks due to weak passwords.


Once login credentials have been acquired, the attackers uses root privileges to run a Bash shell script that downloads and executes the malicious binary.


The full advisory is available at http://www.stateoftheinternet.com/xorddos.


Leave a comment