XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.
According to the experts, both threats are linked to China, the variants recently spotted by Trend Micro has recently also targeted Docker servers.
“We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A).” reads the analysis published by Trend Micro.
Botnet operators are looking for Docker servers that expose port 2375, which is one of the two ports of the Docker API and it’s used for unauthenticated and unencrypted communications.
Experts pointed out that there is a notable difference between the attack methods implemented by the two malware variants. While the XORDDoS bot infects all the containers hosted on the Docker server, the Kaiji bot deploys the DDoS malware in its own container.
Upon compromising a Docker server, XORDDoS will run a sequence of commands to identify containers and infect them with the DDoS malware. The malware can also gather information about the compromised system, and it can download and execute other payloads.
While investigating the URL linked to the attacker, experts discovered other malware such as Backdoor.Linux.DOFLOO.AB targeting Docker containers.
Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executed its binary. Researchers discovered that operators leverage on a script to download and execute the main payload, and to remove Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.
Kaiji is also able to collect information about the compromised system, and of course to launch various types of DDoS attacks, including ACK, IPS spoof, SSH, SYN, SYNACK, TCP and UDP attacks.
Trend Micro provides the following recommendations for security Docker servers:
(SecurityAffairs – hacking, Docker)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.