A Linux botnet has grown so powerful that it can generate crippling distributed denial-of-service attacks at over 150 Gbps, many times greater than a typical company's infrastructure can withstand.
The malware behind the botnet is known as XOR DDoS and was first identified in September 2014. Attackers install it on Linux systems, including embedded devices such as Wi-Fi routers and network-attached storage devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.
The credentials are used to log into the vulnerable systems and execute shell commands that download and install the malicious program. To hide its presence, the malware also uses common rootkit techniques.
The security response team from Akamai Technologies has observed multiple recent attacks originating from the XOR DDoS botnet, ranging from a few gigabits per second to over 150.
The botnet is being used to attack over 20 targets a day, 90% of which are located in Asia. The most frequent targets have been companies from the online gaming sector, followed by educational institutions, the Akamai team said in an advisory that contains an analysis of the malware, indicators of compromise and detection rules.
XOR DDoS is one of several malware programs that target Linux systems, and reflects a wider trend of hijacking poorly configured Linux-based systems for use in DDoS attacks. Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.
"A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts," the Akamai team said. "As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly."