XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.
According to the experts, both threats are linked to China, the variants recently spotted by Trend Micro has recently also targeted Docker servers.
“We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A).” reads the analysis published by Trend Micro.
Botnet operators are looking for Docker servers that expose port 2375, which is one of the two ports of the Docker API and it’s used for unauthenticated and unencrypted communications.
Experts pointed out that there is a notable difference between the attack methods implemented by the two malware variants. While the XORDDoS bot infects all the containers hosted on the Docker server, the Kaiji bot deploys the DDoS malware in its own container.
Upon compromising a Docker server, XORDDoS will run a sequence of commands to identify containers and infect them with the DDoS malware. The malware can also gather information about the compromised system, and it can download and execute other payloads.
While investigating the URL linked to the attacker, experts discovered other malware such as Backdoor.Linux.DOFLOO.AB targeting Docker containers.
Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executed its binary. Researchers discovered that operators leverage on a script to download and execute the main payload, and to remove Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.
Kaiji is also able to collect information about the compromised system, and of course to launch various types of DDoS attacks, including ACK, IPS spoof, SSH, SYN, SYNACK, TCP and UDP attacks.
Trend Micro provides the following recommendations for security Docker servers:
(SecurityAffairs – hacking, Docker)