May 24, 2022

How Can You Protect Your Linux Infrastructure From XorDdos Malware


Microsoft has recently published a report on the XorDdos malware that warns of a sharp rise in its activity: a 254% increase over the past six months. That trend is reason enough to learn how XorDdos works, how it gains access, how to detect it and, most importantly, how to defend against it. Since the malware targets Linux-based operating systems on cloud infrastructure and Internet of Things (IoT) devices, it is important to protect your Linux infrastructure from XorDdos malware.

Let's see how to protect your Linux infrastructure from XorDdos malware in this post.

About the XorDdos Malware:

XorDdos is a Linux trojan built to launch distributed denial-of-service (DDoS) attacks from a botnet of infected hosts. It was first documented in 2014 by the research group MalwareMustDie and has remained active since. The name comes from its denial-of-service activity on Linux systems and from its use of XOR-based encryption for its configuration and for communication with its command-and-control (C2) servers.

XorDdos Malware’s Initial Infection Method:

XorDdos predominantly targets Secure Shell (SSH) logins. SSH is the protocol administrators most commonly use for remote access because it provides encrypted communication over untrusted networks, so a working SSH login is a direct route onto the host. XorDdos first brute-forces the target to obtain valid login credentials. Once it has a working username and password, it uses root privileges to run a script that downloads and installs the XorDdos payload on the device.

Microsoft's report describes two methods XorDdos uses for initial access. In the first, a malicious ELF file is copied to the temporary file storage /dev/shm and executed from there. Because /dev/shm is a tmpfs, anything written to it disappears on reboot, which hides the source of the infection from a later forensic look.

In the second method, the malware executes a bash script that performs the following actions.

  1. Finds the first writable directory in this list:

  • /bin

  • /home

  • /root

  • /tmp

  • /usr

2. Once it finds a writable directory, it changes into it and downloads the ELF payload from an external host, hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt (the IP address is redacted in the report), using curl, saving the download as ygljglkjgfg0.

3. It then makes the file executable with chmod and runs it. The full technical details are in Microsoft's original report.

How Can You Protect Your Linux Infrastructure From XorDdos Malware?

There are a number of steps you can take to protect your Linux infrastructure from XorDdos malware:

  1. Block the IoCs across the network: push the indicators of compromise listed below into every control that can enforce them: firewalls, web proxies, endpoint protection, DNS filtering and network devices.

  2. Identify infected endpoints: query your SIEM or centralized log management for the IoCs across the estate. Isolate any device that matches and reimage it; a host that ran the payload as root cannot be trusted after a cleanup.

  3. Analyze failed logins: XorDdos gets in by brute-forcing SSH, so collect every failed sshd login and look for spikes, for many failures from a single source address, and for a password logon that succeeds right after a run of failures from the same source.

  4. Keep your operating system and software up to date: run a supported release with all security updates applied so the host is not exposed to known exploits.

  5. Harden your server: disable services you do not need, restrict access with a firewall, and close the door XorDdos actually uses: turn off SSH password authentication in favour of keys (PasswordAuthentication no and PermitRootLogin no in sshd_config) and throttle repeated SSH failures at the firewall.

  6. Use a DDoS protection service: a DDoS protection service can identify and filter malicious traffic before it reaches your server.

  7. Monitor your network traffic: an infected host becomes a DDoS source itself, so watch for unexpected outbound connections, including to the download and C2 hosts listed below, and for outbound traffic spikes that show the host is taking part in an attack.

Microsoft published the following advanced hunting query for Microsoft 365 Defender. It charts failed SSH logons per day so that a brute-force campaign stands out as a spike; run it in the Microsoft 365 Defender portal:

// Failed SSH logons per day from onboarded Linux devices
DeviceLogonEvents
| where InitiatingProcessFileName == "sshd"
    and ActionType == "LogonFailed"
| summarize count() by dayOfYear = datetime_part("dayOfYear", Timestamp)
| sort by dayOfYear
| render linechart
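Most Linux hosts outside Defender's coverage keep the same sshd events in their own auth log. As an added example (not part of the original post or of Microsoft's report), the Python below applies the failed-logon analysis from step 3 and from the query above to such a log. The log lines are constructed samples using documentation-range addresses, and the threshold of five failures is an assumed tuning value. It goes beyond the query in two ways: it splits failures per source address, and it flags a password logon that is accepted from a source that had already been failing, which is what a successful brute force looks like.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample auth.log lines (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). Lines are in chronological order.
SAMPLE_AUTH_LOG = """\
May 24 03:14:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
May 24 03:14:02 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
May 24 03:14:03 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 51242 ssh2
May 24 03:14:04 web01 sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
May 24 03:14:05 web01 sshd[1209]: Failed password for root from 203.0.113.5 port 51246 ssh2
May 24 03:14:09 web01 sshd[1211]: Accepted password for root from 203.0.113.5 port 51250 ssh2
May 24 09:02:11 web01 sshd[1402]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 24 09:02:20 web01 sshd[1404]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
May 24 09:10:00 web01 sshd[1410]: Accepted publickey for bob from 198.51.100.9 port 40100 ssh2
"""

_PREFIX = r"^(?P<date>\w{3}\s+\d{1,2}) \S+ \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


@dataclass
class SshEvent:
    date: str     # syslog day, e.g. "May 24"
    kind: str     # "failed" or "accepted"
    user: str
    ip: str
    method: str   # "password" or "publickey"


def parse_events(log_text):
    """Turn sshd auth-log lines into SshEvent records; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append(SshEvent(m["date"], "failed", m["user"], m["ip"], "password"))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(SshEvent(m["date"], "accepted", m["user"], m["ip"], m["method"]))
    return events


def failures_per_day(events):
    """Failed SSH logons per day: the same aggregate the Defender query charts."""
    return Counter(e.date for e in events if e.kind == "failed")


def brute_force_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed logons (assumed tuning value)."""
    per_ip = Counter(e.ip for e in events if e.kind == "failed")
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def suspicious_successes(events, threshold=5):
    """Password logons accepted from a source that had already failed `threshold`
    times earlier in the log: the signature of a brute force that worked, and the
    point at which XorDdos would run its dropper as the newly owned account."""
    failed_so_far = Counter()
    hits = []
    for e in events:
        if e.kind == "failed":
            failed_so_far[e.ip] += 1
        elif e.method == "password" and failed_so_far[e.ip] >= threshold:
            hits.append((e.ip, e.user, e.date))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print("failures per day:", dict(failures_per_day(evs)))
    print("brute-force sources:", brute_force_sources(evs))
    print("password logons after brute force:", suspicious_successes(evs))
```

Point `parse_events` at the contents of /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family), or at a journalctl -u ssh export, and treat any entry from `suspicious_successes` as a host to isolate and triage rather than merely a source to block.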

IoCs of XorDdos Malware:

Please see the captured IoCs of XorDdos malware:

File information

File name: HFLgGwYfSC.elf
File size: 611.22 KB (625889 bytes)
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
First submission in VT: 2022-01-25 05:32:10 UTC

Dropped files

Dropped file path: /etc/init.d/HFLgGwYfSC.elf
File type: Shell Script
SHA-256: 6E506F32C6FB7B5D342D1382989AB191C6F21C2D311251D8F623814F468952CF

Dropped file path: /etc/cron.hourly/gcc.sh
File type: Shell Script
SHA-256: CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459

Download URLs

  • www[.]enoan2107[.]com:3306

  • www[.]gzcfr5axf6[.]com:3306

  • hxxp://aa[.]hostasa[.]org/config.rar
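To act on these indicators and on the two initial-access methods described earlier, here is an added Python triage script (not from the original post or from Microsoft). It checks a live host, or a disk image mounted under `root`, for the dropped-file paths and SHA-256 hashes listed above, for executables or ELF images staged in /dev/shm, and for the payload name ygljglkjgfg0 in the directories the dropper script probes for write access. The paths, hashes and file names come from this post; `build_sample_tree`, which constructs a harmless stand-in for an infected host so the script runs self-contained, and the finding labels are the example's own.

```python
import hashlib
import os
import stat
import tempfile

# Indicators from the IoC section of this post (hashes lower-cased for comparison).
XORDDOS_SHA256 = {
    "6e506f32c6fb7b5d342d1382989ab191c6f21c2d311251d8f623814f468952cf",  # /etc/init.d/HFLgGwYfSC.elf
    "cbb72e542e8f19240130fc9381c2351730d437d42926c6e68e056907c8456459",  # /etc/cron.hourly/gcc.sh
}
DROPPED_PATHS = ["/etc/init.d/HFLgGwYfSC.elf", "/etc/cron.hourly/gcc.sh"]
PERSISTENCE_DIRS = ["/etc/init.d", "/etc/cron.hourly"]
DROPPER_FILENAME = "ygljglkjgfg0"                           # name the bash dropper saves the payload as
DROPPER_DIRS = ["/bin", "/home", "/root", "/tmp", "/usr"]   # directories it probes for write access


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return False


def scan_host(root="/"):
    """Return (reason, path) findings for a live host or a tree mounted under `root`."""
    def under(p):
        return os.path.join(root, p.lstrip("/"))

    def as_abs(fp):
        return "/" + os.path.relpath(fp, root).replace(os.sep, "/")

    findings = []

    # 1. Persistence: the known dropped-file paths, plus any file in the init.d /
    #    cron.hourly directories whose hash matches an IoC, whatever it was renamed to.
    for p in DROPPED_PATHS:
        if os.path.isfile(under(p)):
            findings.append(("known XorDdos dropped-file path", p))
    for d in PERSISTENCE_DIRS:
        if os.path.isdir(under(d)):
            for name in sorted(os.listdir(under(d))):
                fp = os.path.join(under(d), name)
                if os.path.isfile(fp) and sha256_of(fp) in XORDDOS_SHA256:
                    findings.append(("SHA-256 matches XorDdos IoC", as_abs(fp)))

    # 2. First initial-access method: an ELF staged and run from /dev/shm. It is a
    #    tmpfs and empties on reboot, so this only works while the host is up.
    for dirpath, _, names in os.walk(under("/dev/shm")):
        for name in names:
            fp = os.path.join(dirpath, name)
            if os.path.isfile(fp) and (is_elf(fp) or os.stat(fp).st_mode & stat.S_IXUSR):
                findings.append(("executable staged in /dev/shm", as_abs(fp)))

    # 3. Second method: the dropper changes into the first writable directory of its
    #    list and saves the curl'd payload there under a fixed name.
    for d in DROPPER_DIRS:
        if os.path.isfile(os.path.join(under(d), DROPPER_FILENAME)):
            findings.append(("dropper payload name", d + "/" + DROPPER_FILENAME))

    return findings


def build_sample_tree():
    """Constructed, harmless stand-in for an infected host: an ELF header in /dev/shm,
    the gcc.sh cron path, the dropper's payload name in /tmp, and a benign text file."""
    root = tempfile.mkdtemp(prefix="xorddos-triage-")
    for d in ("dev/shm", "etc/cron.hourly", "etc/init.d", "tmp"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "dev/shm/.x"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12)          # only the magic, not a runnable binary
    with open(os.path.join(root, "dev/shm/notes.txt"), "w") as f:
        f.write("benign\n")
    with open(os.path.join(root, "etc/cron.hourly/gcc.sh"), "w") as f:
        f.write("#!/bin/sh\n")                      # IoC path, different content: path hit, no hash hit
    open(os.path.join(root, "tmp", DROPPER_FILENAME), "wb").close()   # empty placeholder
    return root


if __name__ == "__main__":
    for reason, path in scan_host(build_sample_tree()):
        print(f"{reason}: {path}")
```

On a real host run `scan_host()` with the default root as a privileged user; a path hit with no hash hit, as in the sample tree, still deserves a look, because the dropped scripts are trivially modified between campaigns while the paths have stayed constant.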


XorDdos is malware that lets attackers launch distributed denial-of-service (DDoS) attacks from compromised Linux hosts. To protect your Linux infrastructure from it, block and hunt for the IoCs above, watch your SSH failed-login events, keep your operating system and software up to date, harden your server (SSH first of all), use a DDoS protection service, and monitor your network traffic.

We hope this post helps you protect your Linux infrastructure from XorDdos malware.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
