Linux Botnet Discovered Launching 150Gbps DDoS Attacks

A security firm has discovered a Linux botnet that can launch distributed denial-of-service (DDoS) attacks at over 150 Gbps against at least 20 targets every day.

Advanced threat actors have the means to leverage a botnet of compromised Linux machines to launch powerful DDoS attacks at a staggering 150 Gbps, many times the mitigation capacity of most companies. The findings were revealed by the Security Intelligence Response Team at Akamai.

The full security advisory can be downloaded here (.pdf).

“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts,” the Akamai team said.

Dubbed XOR DDoS, the Trojan infecting this army of Linux machines was originally identified in 2014. The Trojan can modify its installation depending on the Linux environment it targets, and can also employ a toolkit to avoid detection.

Malicious operators routinely use XOR DDoS to infect:

  • Linux systems
  • Wi-Fi routers and other embedded devices
  • Network-attached storage devices, using brute-force attacks

Akamai’s Security Intelligence Response Team has observed several DDoS attacks, both SYN floods and DNS floods, that varied from a few Gbps up to nearly 180 Gbps.

While most of the targets are based in Asia, Tsvetelin Choranov, a member of the response team at Akamai told SCMagazine that several U.S. entities have also been targeted.

“The target industries confirmed from our standpoint are online gaming and education,” Choranov pointed out.

“We don’t have a defined number of systems infected by this malware. Some of the source IPs that we are seeing actively producing malicious traffic have spoofing capabilities.”

Linux systems are frequently targeted by malware such as XOR DDoS, with older routers frequently vulnerable to such attacks.

Unlike most malware, however, XOR DDoS uses Secure Shell (SSH) services rather than actively exploiting vulnerabilities. Using brute-force techniques against weak passwords, attackers routinely gain root privileges using login credentials “to run a Bash shell script that downloads and executes the malicious binary,” the advisory read.
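The infection sequence described above (a burst of failed root logins over SSH ending in an accepted password login) leaves a recognisable trail in sshd's auth log. The following detector is an added example, not code from the Akamai advisory; the auth.log lines and IP addresses are constructed for illustration, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the advisory). They model the
# pattern the article describes: repeated failed root logins from one source,
# then a successful password login for root from that same source. The
# second source shows ordinary user activity that should not be flagged.
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 10:01:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Sep 29 10:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 29 10:01:05 host sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Sep 29 10:01:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 29 10:01:07 host sshd[2101]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Sep 29 10:02:00 host sshd[2150]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Sep 29 10:02:30 host sshd[2151]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches both "Failed password for root ..." and "Accepted password for root ...";
# the optional "invalid user " covers sshd's wording for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce_root_logins(log_text, threshold=5):
    """Return source IPs that accumulated `threshold` failed root logins and
    then had a password login for root accepted: the brute-force-then-root
    sequence the article attributes to XOR DDoS operators."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] != "root":
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif m["method"] == "password" and failures[ip] >= threshold and ip not in hits:
            hits.append(ip)
    return hits

if __name__ == "__main__":
    for ip in find_bruteforce_root_logins(SAMPLE_AUTH_LOG):
        print(f"root password login after brute-force burst from {ip}")
```

A hit is the point to pull the session's child processes and any freshly downloaded files, since the advisory says the accepted login is immediately followed by a script fetching the binary.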

“As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”