Akamai: XOR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines
Akamai Technologies, Inc. (NASDAQ: AKAM), the global leader in content delivery network (CDN) services, published a new cybersecurity threat advisory from the company’s Security Intelligence Response Team (SIRT).
Attackers have developed a botnet capable of 150+ gigabit-per-second (Gbps) distributed denial of service (DDoS) attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems. The advisory detailing this threat in full, including DDoS mitigation payload analysis and malware removal information, is available for download here at http://www.stateoftheinternet.com/xorddos.
What is XOR DDoS?
XOR DDoS is a Trojan malware that infects Linux systems, instructing them to launch DDoS attacks on demand by a remote attacker. Initially, attackers gain access by brute force attacks to discover the password to Secure Shell services on a Linux machine. Once login has been acquired, the attackers use root privileges to run a Bash shell script that downloads and executes the malicious binary.
“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”
XOR DDoS Denial of Service Attacks
Akamai SIRT’s research showed that the bandwidth of DDoS attacks coming from the XOR DDoS botnet ranged from low, single-digit Gbps to 150+ Gbps – an extremely large attack size. The most frequent target was the gaming sector, followed by educational institutions. The botnet attacks up to 20 targets per day, 90% of which were in Asia. Of the DDoS attacks from the XOR DDoS botnet Akamai has mitigated, several examples documented on August 22-23 are profiled in the threat advisory. One of the attacks was nearly 179 Gbps, and the other was almost 109 Gbps. Two attack vectors were observed: SYN and DNS floods.
The IP address of the bot is sometimes spoofed, but not always. The attacks observed in the DDoS campaigns against Akamai customers were a mix of spoofed and non-spoofed attack traffic. Spoofed IP addresses are generated such that they appear to come from the same /24 or /16 address space as the infected host. A spoofing technique where only the third or fourth octet of the IP address is altered is used to prevent Internet Service Providers (ISPs) from blocking the spoofed traffic on Unicast Reverse Path Forwarding (uRPF)-protected networks.
DDoS mitigation of XOR DDoS attacks
Identifiable static characteristics were observed, including initial TTL value, TCP window size, and TCP header options. Payload signatures such as these can aid in DDoS mitigation. These are available in the threat advisory. In addition, tcpdump filters are provided to match SYN flood attack traffic generated by this botnet.
How to detect and remove XOR DDoS malware
The presence of XOR DDoS can be detected in two ways. To detect this botnet in a network, look for communications between a bot and its C2 using a Snort rule provided in the advisory. To detect infection of this malware on a Linux host, the advisory includes a YARA rule that pattern matches strings observed in the binary.
XOR DDoS is persistent – it runs processes that will reinstall the malicious files if they are deleted. Therefore removing the XOR DDoS malware is a four-step process for which several scripts are provided in the advisory:
- Identify the malicious files in two directories.
- Identify the processes that promote persistence of the main process.
- Kill the malicious processes.
- Delete the malicious files.
Akamai continues to monitor ongoing campaigns using XOR DDoS to launch DDoS attacks. To learn more about the threat, malware removal and DDoS mitigation techniques, please download a complimentary copy of the threat advisory at www.stateoftheinternet.com/xorddos.
About Akamai Security Intelligence Response Team (SIRT)
Focused on mitigating malicious global cyber threats and vulnerabilities, the Akamai Security Intelligence Response Team (SIRT) conducts and shares digital forensics and post-event analysis with the security community to proactively protect against threats and attacks. As part of its mission, the Akamai SIRT maintains close contact with peer organizations around the world and trains Akamai’s Professional Services and Customer Care teams to both recognize and counter attacks from a wide range of adversaries. The research performed by the Akamai SIRT helps to ensure Akamai’s cloud security products are best of breed and can protect against any of the latest application layer threats impacting the industry.
As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.