Table of Contents
Microsoft has recently published a study on XorDdos malware. The report alarms a drastic rise in the activities of XorDdos malware. According to the report shared by Microsoft, there has been a surge of 254% in the past six months. This shows there is a worst waiting to happen. So, it’s time to learn about the XorDdos malware, its capabilities, infection method, detection, and the most important protection tips. Since the malware targets Linux-based operating systems deployed on cloud infrastructures and Internet of Things (IoT) devices, it is important to protect your Linux infrastructure from XorDdos malware.
Let’s see how to protect your Linux infrastructure from XorDdos malware in this post.
About the XorDdos Malware:
The XorDdos malware is a type of malicious software that is designed to launch distributed denial-of-service (DDoS) attacks. The malware was first discovered in 2014 by the research group MalwareMustDie, and has since been used in a number of high-profile DDoS attacks, including against KrebsOnSecurity, OVH, and Dyn. The malware was named XorDdos as it was active in denial of service activities on Linux infrastructure with the use of XOR function for encrypted communication with its command and control servers.
XorDdos Malware’s Initial Infection Method:
XorDdos malware predominantly targets Secure Shell (SSH) logins. Since SSH is the most commonly used protocol used by administrators for remote access because it allows encrypted communications over insecure networks. XorDdos initially tries to brute force the targets to gather valid login credentials. Once it has valid SSH keys, then it runs a script with root privileges to download and install XorDdos malware on the target device.
The study report describes two of XorDdos’ methods for initial access. The first method involves copying a malicious ELF file to temporary file storage /dev/shm and then running it. Later the files written to the /dev/shm will be deleted during system restart for covert operation.
In the second access method, the malware executes a bash script that performs the below actions.
Identifies the writable directory out of this list:
/bin
/home
/root
/tmp
/usr
2. Once it identifies the writable directory, it changes to that directory and then downloads the ELF file payload from an external domain ‘hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt‘ using curl command and saves the downloaded file as ygljglkjgfg0.
3. Then the malware makes it executable using the ‘chmod’ command and then executes it. The full technical details are published at this URL, and please visit the post for the original report.
How Can You Protect Your Linux Infrastructure From XorDdos Malware?
There are a number of steps you can take to protect your Linux infrastructure from XorDdos malware:
Block the IoCs across the network: Block all the indicators of compromise on your security defense systems like firewalls, web proxies, Endpoint solutions, network devices, and wherever it is possible to block.
Identify the infected endpoints: Query for the IoCs on your SIEM or any centralized security/log management systems across the network. Isolate or go for reimage process if you see a device associated with the identified IoCs.
Analyze Failed Logins: Since XorDdos malware primarily performs SSH brute force on Linux machines, it is good to capture all the login failed events and analyze them to locate malicious activity related to XorDdos malware.
Keep your operating system and software up to date: Make sure you are running the latest version of your operating system, as well as all security updates. This will help to ensure that your server is not vulnerable to known exploits.
Harden your server: There are a number of ways to harden your server, such as disabling unneeded services and using a firewall.
Use a DDoS protection service: A DDoS protection service can help to identify and filter out malicious traffic before it reaches your server.
Monitor your network traffic: Monitoring your network traffic can help you to identify unusual or suspicious activity.
Microsoft created a Microsoft 365 Defender query for advanced detections. Run this query in Microsoft Defender Security Center to hunt the malware:
DeviceLogonEvents
| where InitiatingProcessFileName == "sshd"
and ActionType == "LogonFailed"
| summarize count() by dayOfYear = datetime_part("dayOfYear", Timestamp)
| sort by dayOfYear
| render linechartIoCs of XorDdos Malware:
Please see the captured IoCs of XorDdos malware:
File information
| File name: | HFLgGwYfSC.elf |
| File size: | 611.22 KB (625889 bytes) |
| Classification: | DoS:Linux/Xorddos.A |
| MD5: | 2DC6225A9D104A950FB33A74DA262B93 |
| Sha1: | F05194FB2B3978611B99CFBF5E5F1DD44CD5E04B |
| Sha256: | F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432 |
| File type: | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped |
| First submission in VT: | 2022-01-25 05:32:10 UTC |
Dropped files
| Dropped file path | File type | SHA-256 |
| /etc/init.d/HFLgGwYfSC.elf | Shell Script | 6E506F32C6FB7B5D342D1382989AB191C6F21C2D311251D8F623814F468952CF |
| /etc/cron.hourly/gcc.sh | Shell Script | CBB72E542E8F19240130FC9381C2351730D437D42926C6E68E056907C8456459 |
| /lib/libudev.so | ELF | F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432 |
| /run/gcc.pid | Text | 932FEEF3AB6FCCB3502F900619B1F87E1CB44A7ADAB48F2C927ECDD67FF6830A |
| /usr/bin/djtctpzfdq | ELF | 53F062A93CF19AEAA2F8481B32118A31B658A126624ABB8A7D82237884F0A394 |
| /usr/bin/dmpyuitfoq | ELF | 798577202477C0C233D4AF51C4D8FB2F574DDB3C9D1D90325D359A84CB1BD51C |
| /usr/bin/fdinprytpq | ELF | 2B4500987D50A24BA5C118F506F2507362D6B5C63C80B1984B4AE86641779FF3 |
| /usr/bin/jwvwvxoupv | ELF | 359C41DA1CBAE573D2C99F7DA9EEB03DF135F018F6C660B4E44FBD2B4DDECD39 |
| /usr/bin/kagbjahdic | ELF | E6C7EEE304DFC29B19012EF6D31848C0B5BB07362691E4E9633C8581F1C2D65B |
| /usr/bin/kkldnszwvq | ELF | EF0A4C12D98DC0AD4DB86AADD641389C7219F57F15642ED35B4443DAF3FF8C1E |
| /usr/bin/kndmhuqmah | ELF | B5FBA27A8E457C1AB6573C378171F057D151DC615D6A8D339195716FA9AC277A |
| /usr/bin/qkxqoelrfa | ELF | D71EA3B98286D39A711B626F687F0D3FC852C3E3A05DE3F51450FB8F7BD2B0D7 |
| /usr/bin/sykhrxsazz | ELF | 9D6F115F31EE71089CC85B18852974E349C68FAD3276145DAFD0076951F32489 |
| /usr/bin/tcnszvmpqn | ELF | 360A6258DD66A3BA595A93896D9B55D22406D02E5C02100E5A18382C54E7D5CD |
| /usr/bin/zalkpggsgh | ELF | DC2B1CEE161EBE90BE68561755D99E66F454AD80B27CEBE3D4773518AC45CBB7 |
| /usr/bin/zvcarxfquk | ELF | 175667933088FBEBCB62C8450993422CCC876495299173C646779A9E67501FF4 |
| /tmp/bin/3200 | ELF(rootkit) | C8F761D3EF7CD16EBE41042A0DAF901C2FDFFCE96C8E9E1FA0D422C6E31332EA |
Download URLs
www[.]enoan2107[.]com:3306
www[.]gzcfr5axf6[.]com:3306
hxxp://aa[.]hostasa[.]org/config.rar
Conclusion
XorDdos is a malware that allows attackers to launch distributed denial of service (DDoS) attacks. In order to protect your Linux infrastructure from XorDdos malware, you should keep your operating system and software up to date, harden your server, use a DDoS protection service, and monitor your network traffic.
We hope this post would help you know how to protect your Linux infrastructure from XorDdos malware. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
