Xor DDoS
{{Short description|Linux trojan malware with rootkit capabilities}}
{{use mdy dates|date=February 2024}}
XOR DDoS is a Linux Trojan malware with rootkit capabilities that was used to launch large-scale DDoS attacks. Its name stems from the heavy usage of XOR encryption both in the malware itself and in its network communication with the C&Cs. It is built for multiple Linux architectures such as ARM, x86 and x64. A noteworthy feature of XOR DDoS is its ability to hide itself with an embedded rootkit component, which is obtained through multiple installation steps.{{cite web|url=https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit|title=Linux DDoS Trojan hiding itself with an embedded rootkit|publisher=Avast|date=2015-01-06 |access-date=2019-09-07}} It was discovered in September 2014 by MalwareMustDie, a white hat malware research group.{{cite web|url=http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html|title=MMD-0028-2014 - Linux/XOR.DDoS : Fuzzy reversing a new China ELF|publisher=Malware Must Die!|access-date=2019-09-07}}{{cite web | url=https://www.pcworld.com/article/2881152/ddos-malware-for-linux-systems-comes-with-sophisticated-custombuilt-rootkit.html | title=Sneaky Linux malware comes with sophisticated custom-built rootkit | publisher=PCWorld (From IDG) | date=February 6, 2015 | access-date=February 6, 2015 | first=Lucian |last=Constantin }}{{cite web | url=https://news.softpedia.com/news/xor-ddos-botnet-uses-compromised-linux-machines-to-launch-150-plus-gbps-attacks-493139.shtml | title=XOR DDoS Botnet Uses Compromised Linux Machines to Launch 150+ Gbps Attacks | publisher=Softpedia News | date=September 29, 2015 | access-date=September 29, 2015 | first=Catalin |last=Cimpanu }} From November 2014 it was involved in a massive brute force campaign that lasted for at least three months.{{cite web|url=https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html|archive-url=https://web.archive.org/web/20150318164748/https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html |archive-date=2015-03-18 |url-status=dead|title=Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited |website=Threat Research Blog |publisher=FireEye |access-date=2016-03-18}}
To gain access, it launches a brute force attack to discover the password of Secure Shell services on Linux.{{cite web|url=http://thehackernews.com/2015/09/xor-ddos-attack.html|title=New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps|publisher=thehackernews.com|access-date=2016-03-18}}
Once Secure Shell credentials are acquired and login is successful, it uses root privileges to run a script that downloads and installs XOR DDoS.{{cite press release|url=https://www.reuters.com/article/akamai-ddos-advisory-idUSnPn5TLPMJ+9f+PRN20150929|archive-url=https://web.archive.org/web/20160318142501/http://www.reuters.com/article/akamai-ddos-advisory-idUSnPn5TLPMJ+9f+PRN20150929|url-status=dead|archive-date=2016-03-18|title=XOR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines, Says Akamai|publisher=Reuters|access-date=2016-03-18|location=Cambridge, MA}}
It is believed to be of Asian origin based on its targets, which tend to be located in Asia.{{cite web|url=https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html|title=Threat Advisory: XOR DDoS {{pipe}} DDoS mitigation, YARA, Snort|publisher=stateoftheinternet.com|access-date=2016-03-18|archive-date=2021-03-23|archive-url=https://web.archive.org/web/20210323185249/https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/fast-dns-xor-botnet-case-study.pdf}}
== See also ==
{{columns-list|colwidth=30em|
* Application layer DDoS attack
* BASHLITE
* Botnet
* Dendroid (Malware)
* Denial-of-service attack
* Rootkit
* Zombie (computer science)
* ZeroAccess botnet
}}