Pierluigi Paganini January 09, 2015

Security experts at Avast have analyzed a new strain of DDoS trojan targeting Linux operating system dubbed XOR.DDoS which embeds a RootKit component.

Security experts at Avast have identified a new strain of Linux DDoS Trojan with a built-in rootkit. Researchers suspect that a threat actor is recruiting a large number bots that could be leveraged for DDoS attacks.

The XOR.DDoS malware was first reported by the MalwareMustDie! in September 2014, it is considered by experts unique because it has the ability to modify its structures depending on the targeted Linux operating system.

“The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script.” wrote the Avast researcher Peter Kálnai. “The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.”

The attackers tried to exploit the wrong habit of Linux users to use default logins for services exposed on the web, in the specific case the SSH. Once the XOR.DDoS has infected a Linux machine, the rootkit hides its components (files and processes) to avoid the detection.

“Also we have to note that there is a variant of this Trojan compiled for the ARM architecture,” Kálnai added. “This suggests that the list of potentially infected systems (besides 32-bit and 64-bit Linux web servers and desktops) is extended for routers, Internet of Things devices, NAS storages or 32-bit ARM servers (however, it has not been observed in the wild yet).”

Malware authors are developing a growing number of malware that target Linux-based systems, new strains of malware are specifically designed to compromise Internet of Things devices.

Experts detected also for the XOR.DDoS malware a variant compiled for the ARM architecture.

“Also we have to note that there is a variant of this Trojan compiled for the ARM architecture. This suggests that the list of potentially infected systems (besides 32-bit and 64-bit Linux web servers and desktops) is extended for routers, Internet of Things devices, NAS storages or 32-bit ARM servers (however, it has not been observed in the wild yet). It contains an additional implementation of the download-and-execute feature in an infinite loop called daemondown”

Another interesting aspect of the XOR.DDoS is the implementation of the control infrastructure and the process to manage the botnet. The expert noticed that the communication between bots and C&C is encrypted in both directions with the same hard-coded XOR key (BB2FA36AAA9541F0) as the configuration file.

“The list of C&Cs is stored in the shell script in the __remote__ variable. The Trojan first sends information about the running system to the C&C server (very likely to be displayed on a panel of a botnet operator). The replies usually arrived in a form of a command.” states the post.

Pierluigi Paganini

(Security Affairs –  Linux Rootkit,XOR.DDoS )