The Microsoft 365 Defender Research Team has observed a 254% increase in activity from a Distributed Denial of Service (DDoS) oriented Linux malware known as XorDdos. The name comes from its DDoS-related abilities and its use of XOR-based encryption for Command and Control (C2) communications.
XorDdos is known for using SSH brute-force attacks to gain control of remote devices, and for its evasion and persistence mechanisms. It can also be used to deliver other malicious scripts and executables.
The malware employs a number of evasion tactics, such as daemonizing processes to break process-tree-based analysis, XOR-based encryption, process masquerading, kernel rootkits, and process and port obfuscation. In combination, these techniques make the threat considerably harder to detect and to scope fully once it is found.
As for persistence, XorDdos has several mechanisms in its arsenal, including:
- Init scripts
- Cron scripts
- System V runlevel
- Auto-start services via update-rc.d
These give the threat actor multiple ways to maintain persistence and make the malware compatible with many Linux distributions, including those running on IoT devices.
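The persistence locations listed above are also where a responder should look first. The following is an added example, not code from the original article or from Microsoft, of a POSIX shell inventory of those locations: `persistence_inventory` lists every init script, runlevel start link (the links update-rc.d creates) and cron entry beneath a root directory, and `recent_persistence` narrows that to entries modified within the last N days. It assumes the standard Debian and Red Hat path layouts; the ROOT argument lets it run against a mounted disk image or, as in the self-test, a constructed directory tree.

```shell
#!/bin/sh
# Added example (not part of the original article): inventory the Linux
# persistence locations named above so a responder can diff them against
# a known-good host. ROOT defaults to / but may be a mounted disk image
# or, as in the self-test, a constructed directory tree.

# Print every entry under the classic persistence paths beneath ROOT ($1),
# one per line as "<kind> <path>". Directories that do not exist on this
# distribution are skipped silently.
persistence_inventory() {
    root="${1:-/}"
    # SysV init scripts (Debian and Red Hat layouts)
    for d in "$root/etc/init.d" "$root/etc/rc.d/init.d"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do [ -e "$f" ] && echo "init $f"; done
    done
    # Runlevel start links, which update-rc.d (or chkconfig) creates
    for d in "$root"/etc/rc[0-6S].d "$root"/etc/rc.d/rc[0-6S].d; do
        [ -d "$d" ] || continue
        for f in "$d"/S*; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then
                echo "runlevel $f -> $(readlink "$f")"
            else
                echo "runlevel $f"
            fi
        done
    done
    # Cron: system crontab, drop-in directories and per-user spools
    [ -f "$root/etc/crontab" ] && echo "cron $root/etc/crontab"
    for d in "$root"/etc/cron.d "$root"/etc/cron.hourly "$root"/etc/cron.daily \
             "$root"/etc/cron.weekly "$root"/etc/cron.monthly \
             "$root"/var/spool/cron "$root"/var/spool/cron/crontabs; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do [ -e "$f" ] && echo "cron $f"; done
    done
    return 0
}

# Narrow the same locations to entries modified within the last DAYS days
# (default 7). A freshly written init script or cron job on an otherwise
# untouched box is a strong triage lead for a persistence install.
recent_persistence() {
    root="${1:-/}"
    days="${2:-7}"
    for p in "$root"/etc/init.d "$root"/etc/rc.d/init.d \
             "$root"/etc/rc[0-6S].d "$root"/etc/rc.d/rc[0-6S].d \
             "$root"/etc/crontab "$root"/etc/cron.d "$root"/etc/cron.hourly \
             "$root"/etc/cron.daily "$root"/etc/cron.weekly "$root"/etc/cron.monthly \
             "$root"/var/spool/cron "$root"/var/spool/cron/crontabs; do
        [ -e "$p" ] || continue
        # -H follows a symlinked starting point only; links found inside
        # (the S* runlevel links) are reported by their own creation time
        find -H "$p" -mtime -"$days" ! -type d
    done
    return 0
}

# Stand-alone usage: sh inventory.sh --run /mnt/image 7
if [ "${1:-}" = "--run" ]; then
    persistence_inventory "${2:-/}"
    echo "--- modified in the last ${3:-7} day(s) ---"
    recent_persistence "${2:-/}" "${3:-7}"
fi
```

Run the inventory once on a freshly built host and keep the output as a baseline; any new line on a later run is something to explain. Note that this covers only the SysV-style mechanisms named in the list above, so on systemd hosts the unit directories (`/etc/systemd/system` and per-user equivalents) need a separate check.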
While XorDdos's capabilities are concerning, its main mechanism of initial access is SSH brute forcing, which is straightforward to defend against. Password brute forcing can be eliminated entirely by moving to SSH key-based authentication and disabling password logins in sshd_config (PasswordAuthentication no); note that PAM-backed keyboard-interactive authentication must be disabled as well, or passwords can still be tried through it. Where key-based authentication is not possible, enforce strong, unique passwords for every account that can log in over SSH. Disabling direct root login over SSH (PermitRootLogin no) is also strongly recommended; modern OpenSSH releases default to prohibit-password, which already blocks password-based root logins. Another layer is fail2ban, which watches the authentication log and temporarily bans, via firewall rules, source addresses that accumulate repeated failed SSH login attempts. It is highly configurable, but that is its core function.
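To check that an sshd_config actually applies the mitigations described above, here is an added example, not code from the original article or from the OpenSSH project, of a small POSIX shell audit. It reads the global section of a config the way sshd does (first value wins, Match blocks excluded), falls back to the OpenSSH defaults when a directive is absent, and flags password logins, PAM keyboard-interactive logins, root login and a high MaxAuthTries. The weak and hardened configs it audits are constructed for the self-test and are not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for
# the brute-force mitigations discussed above. Absent directives are judged
# by the OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin
# prohibit-password since 7.0, MaxAuthTries 6), i.e. by what sshd would do.

# Print the effective global value of a directive. sshd uses the FIRST
# value it reads, so the first match wins; scanning stops at the first
# Match block because values there apply only to matching connections.
# $1 file, $2 directive name(s), '|'-separated for renamed directives,
# $3 the OpenSSH default to report when the directive is absent.
sshd_directive() {
    awk -v keys="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                     # drop comments
        NF == 0 { next }                       # and blank lines
        tolower($1) == "match" { exit }        # end of global section
        !found && tolower($1) ~ ("^(" keys ")$") { print tolower($2); found = 1 }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# One check: $1 file, $2 directive, $3 default, $4 accepted-value regex, $5 why.
sshd_check() {
    name=${2%%|*}
    val=$(sshd_directive "$1" "$2" "$3")
    if printf '%s\n' "$val" | grep -Eq "$4"; then
        echo "ok   $name $val"
    else
        echo "FAIL $name $val ($5)"
        return 1
    fi
}

# Run every check; prints one line each and returns 1 if any failed.
audit_sshd_config() {
    rc=0
    sshd_check "$1" PasswordAuthentication yes '^no$' \
        'password logins allow brute forcing; use keys' || rc=1
    sshd_check "$1" PubkeyAuthentication yes '^yes$' \
        'keys must stay enabled once passwords are off' || rc=1
    # PAM-backed keyboard-interactive auth still accepts passwords when
    # PasswordAuthentication is off (older name: ChallengeResponseAuthentication)
    sshd_check "$1" 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes '^no$' \
        'keyboard-interactive auth can still take passwords via PAM' || rc=1
    sshd_check "$1" PermitRootLogin prohibit-password '^(no|prohibit-password|without-password)$' \
        'root must not be reachable with a password' || rc=1
    sshd_check "$1" MaxAuthTries 6 '^[1-3]$' \
        'cap guesses per connection' || rc=1
    return $rc
}

# Constructed sample configs for the self-test (not taken from any host).
write_samples() {
    cat > "$1" <<'EOF'
# weak: passwords and direct root login accepted (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
    cat > "$2" <<'EOF'
# hardened: keys only, no root, few tries, keyboard-interactive off (constructed)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone demo: sh sshd_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp/weak" "$tmp/hardened"
    echo "== weak =="; audit_sshd_config "$tmp/weak" || true
    echo "== hardened =="; audit_sshd_config "$tmp/hardened"
    rm -rf "$tmp"
fi
```

On a live host, audit the configuration sshd has actually loaded rather than the file on disk, since Include directives and distribution drop-ins can change it: run `sshd -T > /tmp/effective.conf` as root and pass that file to `audit_sshd_config` (the checks are case-insensitive because `sshd -T` prints lowercase keywords). The Match block in the hardened sample shows why the audit stops at the global section: its `PasswordAuthentication yes` applies only to the `backup` user and must not be mistaken for the host-wide setting.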