How Can You Protect Your Linux Infrastructure from XorDdos Malware

Microsoft has recently published a study on XorDdos malware. The report warns of a drastic rise in XorDdos activity: according to Microsoft, there has been a surge of 254% in the past six months. This suggests that worse is still to come, so it is time to learn about XorDdos malware: its capabilities, infection method, detection, and, most importantly, protection tips. Because the malware targets Linux-based operating systems deployed on cloud infrastructures and Internet of Things (IoT) devices, it is important to protect your Linux infrastructure from it.

Let’s see how to protect your Linux infrastructure from XorDdos malware in this post.

About The XorDdos Malware:

The XorDdos malware is a type of malicious software that is designed to launch distributed denial-of-service (DDoS) attacks. The malware was first discovered in 2014 by the research group MalwareMustDie, and has since been used in a number of high-profile DDoS attacks, including against KrebsOnSecurity, OVH, and Dyn. The name XorDdos comes from its denial-of-service activity on Linux infrastructure and its use of the XOR function to encrypt communication with its command-and-control servers.

XorDdos Malware’s Initial Infection Method:

XorDdos malware predominantly targets Secure Shell (SSH) logins, since SSH is the protocol most commonly used by administrators for remote access because it allows encrypted communications over insecure networks. XorDdos first tries to brute-force its targets to gather valid login credentials. Once it has valid SSH keys, it runs a script with root privileges to download and install the XorDdos malware on the target device.

The study describes two of XorDdos’ methods for initial access. The first method involves copying a malicious ELF file to the temporary file storage /dev/shm and then running it. Files written to /dev/shm are deleted during system restart, which helps keep the operation covert.

In the second access method, the malware executes a bash script that performs the following actions:

  1. Identifies a writable directory from this list:
       • /bin
       • /home
       • /root
       • /tmp
       • /usr
  2. Once it identifies a writable directory, it changes to that directory, downloads the ELF file payload from an external domain ‘hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt’ using the curl command, and saves the downloaded file as ygljglkjgfg0.
  3. Makes the downloaded file executable using the ‘chmod’ command and then executes it.

The full technical details are published at this URL; please visit the post for the original report.
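Both access methods leave a native executable in a place where one is unusual, so a host check can look for it. The following is an added example, not code from the original post or from Microsoft's report: it lists ELF files under /dev/shm and /tmp and reports running processes whose binary lives there or has been deleted from disk. The function names and the choice of watched directories are assumptions made for illustration.

```python
import os

ELF_MAGIC = b"\x7fELF"
# Assumption: directories where a native executable is unusual. The page names
# /dev/shm; /tmp is one of the writable directories the bash script probes.
WATCHED = ("/dev/shm", "/tmp")

def find_elf_files(root):
    """Return sorted paths of regular files under root that start with the ELF magic."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # skip symlinks, sockets, FIFOs
                with open(path, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        found.append(path)
            except OSError:
                continue  # unreadable or vanished file
    return sorted(found)

def processes_running_from(proc_root="/proc", watched=WATCHED):
    """Return {pid: exe} for processes whose binary is in a watched dir or deleted."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        # "(deleted)" also appears after package upgrades, so treat it as a lead.
        if exe.endswith(" (deleted)") or any(exe.startswith(w + "/") for w in watched):
            hits[int(entry)] = exe
    return hits

if __name__ == "__main__":
    for directory in WATCHED:
        for path in find_elf_files(directory):
            print("ELF file:", path)
    for pid, exe in processes_running_from().items():
        print("process", pid, "runs from", exe)
```

Run it as root so that every /proc/<pid>/exe link is readable.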

How Can You Protect Your Linux Infrastructure From XorDdos Malware?

There are a number of steps you can take to protect your Linux infrastructure from XorDdos malware:

  1. Block the IoCs across the network: Block all the indicators of compromise on your security defense systems, such as firewalls, web proxies, endpoint solutions, and network devices, wherever blocking is possible.
  2. Identify the infected endpoints: Query for the IoCs on your SIEM or any centralized security/log management system across the network. Isolate or reimage any device you find associated with the identified IoCs.
  3. Analyze Failed Logins: Since XorDdos malware primarily performs SSH brute force on Linux machines, it is good practice to capture all failed-login events and analyze them to locate malicious activity related to XorDdos malware.
  4. Keep your operating system and software up to date: Make sure you are running the latest version of your operating system, as well as all security updates. This will help to ensure that your server is not vulnerable to known exploits.
  5. Harden your server: There are a number of ways to harden your server, such as disabling unneeded services and using a firewall.
  6. Use a DDoS protection service: A DDoS protection service can help to identify and filter out malicious traffic before it reaches your server.
  7. Monitor your network traffic: Monitoring your network traffic can help you to identify unusual or suspicious activity.

Microsoft created a Microsoft 365 Defender query for advanced detections. Run this query in Microsoft Defender Security Center to hunt the malware:

DeviceLogonEvents
| where InitiatingProcessFileName == "sshd"
    and ActionType == "LogonFailed"
| summarize count() by dayOfYear = datetime_part("dayOfYear", Timestamp)
| sort by dayOfYear
| render linechart
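For hosts that do not report to Microsoft 365 Defender, the same failed-login analysis can be run directly on the sshd log. The following is an added example, not part of the original post or of Microsoft's query: it counts failed sshd logins per day, as the query above does, and also flags source addresses that logged in successfully after repeated failures. It assumes classic syslog-format OpenSSH lines (as in /var/log/auth.log or /var/log/secure); the sample lines, function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches lines like: "May 20 10:15:01 host sshd[1001]: Failed password for root from <ip> port <n> ssh2"
SSHD_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation-range addresses, made-up host).
SAMPLE = [
    "May 20 10:15:01 web01 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "May 20 10:15:03 web01 sshd[1001]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "May 20 10:15:05 web01 sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "May 20 10:15:09 web01 sshd[1003]: Accepted password for root from 203.0.113.5 port 51244 ssh2",
    "May 21 08:00:12 web01 sshd[1100]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "May 21 08:00:30 web01 sshd[1101]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2",
]

def parse(lines):
    """Yield (day, result, user, ip) for each sshd authentication line."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield " ".join(m["day"].split()), m["result"], m["user"], m["ip"]

def failed_per_day(lines):
    """Per-day failure counts: the series the Defender query charts."""
    return Counter(day for day, result, _, _ in parse(lines) if result == "Failed")

def success_after_failures(lines, threshold=3):
    """Map source IP -> (user, prior failures) for logins that followed >= threshold failures."""
    failures, hits = defaultdict(int), {}
    for _, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits[ip] = (user, failures[ip])
    return hits

if __name__ == "__main__":
    print(dict(failed_per_day(SAMPLE)))
    print(success_after_failures(SAMPLE))
```

A successful login that follows a burst of failures from the same address is the case to investigate first, since it may mean the brute force worked.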

IoCs Of XorDdos Malware:

Please see the captured IoCs of XorDdos malware:

File information

File name: HFLgGwYfSC.elf
File size: 611.22 KB (625889 bytes)
Classification: DoS:Linux/Xorddos.A
MD5: 2DC6225A9D104A950FB33A74DA262B93
Sha1: F05194FB2B3978611B99CFBF5E5F1DD44CD5E04B
Sha256: F2DF54EB827F3C733D481EBB167A5BC77C5AE39A6BDA7F340BB23B24DC9A4432
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
First submission in VT: 2022-01-25 05:32:10 UTC


Download URLs

  • www[.]enoan2107[.]com:3306
  • www[.]gzcfr5axf6[.]com:3306
  • hxxp://aa[.]hostasa[.]org/config.rar

Conclusion

XorDdos is a malware that allows attackers to launch distributed denial of service (DDoS) attacks. In order to protect your Linux infrastructure from XorDdos malware, you should keep your operating system and software up to date, harden your server, use a DDoS protection service, and monitor your network traffic.

We hope this post will help you know how to protect your Linux infrastructure from XorDdos malware.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster.
