Microsoft sees rise in Linux trojan XorDdos's activity: Details Inside


Devdiscourse News Desk | California | Updated: 21-05-2022 22:44 IST | Created: 21-05-2022 18:46 IST

XorDdos, a stealthy distributed denial-of-service (DDoS) malware targeting Linux devices, has been growing significantly in the last six months, with Microsoft reporting a 254% increase in its activity.

The XorDdos trojan was first discovered in 2014 by the research group MalwareMustDie. According to the Microsoft 365 Defender Research Team, it exemplifies the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructure and Internet of Things (IoT) devices.

By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks. The malware uses Secure Shell (SSH) brute-force attacks to gain remote control of target devices. Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs the malware on the target device.
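The infection path described above (a burst of failed SSH logins from one host, then a successful password login for root) leaves a recognisable trail in sshd's log. The following detector is an added example and is not code from the Devdiscourse article or from Microsoft's report; the log lines it runs over are constructed sample data, and the threshold of five failures is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not real data): one host fails five times and
# then succeeds with a root password; a second host is ordinary key-based use.
SAMPLE_AUTH_LOG = """\
May 21 18:40:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 21 18:40:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
May 21 18:40:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
May 21 18:40:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
May 21 18:40:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
May 21 18:40:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
May 21 18:41:10 host sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May 21 18:41:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# OpenSSH log formats: "Failed password for [invalid user ]USER from IP port N ssh2"
# and "Accepted METHOD for USER from IP port N ssh2".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyze_auth_log(text, threshold=5):
    """Count failed password logins per source IP and flag two things:
    sources that reach `threshold` failures (brute-force candidates) and any
    successful *password* login that follows such a burst from the same IP
    (the XorDdos-style "guessed the credentials" event)."""
    failures = defaultdict(int)        # source IP -> failed password attempts so far
    success_after_bruteforce = []      # (ip, user, failures_before_success)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Key-based logins are not what a password brute force yields, so
            # only a password success after a failure burst is suspicious here.
            if method == "password" and failures[ip] >= threshold:
                success_after_bruteforce.append(
                    {"ip": ip, "user": user, "failures": failures[ip]}
                )
    brute_force_sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": brute_force_sources,
        "success_after_bruteforce": success_after_bruteforce,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_auth_log(SAMPLE_AUTH_LOG), indent=2))
```

On a real host the same logic applies to `/var/log/auth.log` or `journalctl -u ssh`; the alert that matters is the success after the burst, because by then the attacker has root. The configuration that removes this attack surface entirely is `PermitRootLogin no` and `PasswordAuthentication no` in `sshd_config`, which is worth checking on any Linux device that sits on the internet.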

The stealthy DDoS malware enables adversaries to create potentially significant disruptions on target systems. It may be used to bring in other dangerous threats or to provide a vector for follow-on activities.

Microsoft found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner.

"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it’s possible that the trojan is leveraged as a vector for follow-on activities," Microsoft wrote in a blog post detailing its in-depth analysis of XorDdos.

The XorDdos payload the research team analyzed is a 32-bit ELF file that was not stripped: it contained debug symbols that detailed the malware's dedicated code for each of its activities. Microsoft notes that such symbols make non-stripped binaries easier to debug and reverse engineer than stripped binaries, which discard them.
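Whether a sample is stripped can be read straight from its ELF section header table: a non-stripped binary carries a full symbol table section of type SHT_SYMTAB (`.symtab`), which `strip` removes. The checker below is an added example, not code from the article or from Microsoft's analysis; the two ELF images it inspects are constructed in-line (header and section headers only, no code) so the example runs offline, and they are not the XorDdos sample.

```python
import struct
import sys

SHT_SYMTAB = 2   # full symbol table (.symtab); removed by `strip`
SHT_DYNSYM = 11  # dynamic symbol table (.dynsym); survives stripping


def elf_has_symtab(data):
    """Return True if the ELF image contains a SHT_SYMTAB section (not stripped).

    Handles 32- and 64-bit, little- and big-endian images by reading e_shoff,
    e_shentsize and e_shnum from the ELF header and walking the section headers.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                               # ELFCLASS32, Elf32_Ehdr = 52 bytes
        (e_shoff,) = struct.unpack_from(endian + "I", data, 32)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 46)
    elif ei_class == 2:                             # ELFCLASS64, Elf64_Ehdr = 64 bytes
        (e_shoff,) = struct.unpack_from(endian + "Q", data, 40)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 58)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    if e_shoff == 0 or e_shnum == 0:
        return False   # no section header table at all (e.g. sstrip), so no .symtab
    for i in range(e_shnum):
        # sh_type is the 4-byte field right after the 4-byte sh_name in both classes.
        (sh_type,) = struct.unpack_from(endian + "I", data, e_shoff + i * e_shentsize + 4)
        if sh_type == SHT_SYMTAB:
            return True
    return False


def build_elf32(section_types):
    """Constructed minimal little-endian ELF32 image for testing: an ELF header
    followed immediately by one 40-byte section header per entry in
    section_types (index 0 is the mandatory null section). Sample data only."""
    types = [0] + list(section_types)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class 32, LE, version 1
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,          # e_type=ET_EXEC, e_machine=EM_386, e_version
        0, 0, 52,         # e_entry, e_phoff, e_shoff (section headers follow the header)
        0, 52, 0, 0,      # e_flags, e_ehsize, e_phentsize, e_phnum
        40, len(types), 0 # e_shentsize, e_shnum, e_shstrndx
    )
    shdrs = b"".join(struct.pack("<IIIIIIIIII", 0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in types)
    return ehdr + shdrs


# Constructed samples: one with .symtab present, one "stripped" (only .dynsym left).
NOT_STRIPPED_SAMPLE = build_elf32([1, SHT_SYMTAB, 3])      # PROGBITS, SYMTAB, STRTAB
STRIPPED_SAMPLE = build_elf32([1, SHT_DYNSYM, 3])           # PROGBITS, DYNSYM, STRTAB


if __name__ == "__main__":
    # Usage: python elf_symtab.py <path to ELF>; defaults to the built-in samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print("stripped" if not elf_has_symtab(f.read()) else "not stripped")
    else:
        for name, blob in (("constructed-not-stripped", NOT_STRIPPED_SAMPLE),
                           ("constructed-stripped", STRIPPED_SAMPLE)):
            print(name, "->", "not stripped" if elf_has_symtab(blob) else "stripped")
```

The check deliberately looks for SHT_SYMTAB and not SHT_DYNSYM: a stripped, dynamically linked executable still has `.dynsym` for the loader, so keying on "any symbol table" would misclassify it. The same answer comes from `file sample` (which prints "stripped" or "not stripped") or `readelf -S sample | grep symtab`; the point of doing it by hand is to see exactly which structure the tools are reporting on.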

"XorDdos and other threats targeting Linux devices emphasize how crucial it is to have security solutions with comprehensive capabilities and complete visibility spanning numerous distributions of Linux operating systems," Microsoft said.

More details can be found in Microsoft's blog post on the analysis.
