CAMBRIDGE, Mass., Sept. 29, 2015 /PRNewswire/ --
- New threat advisory profiles several recent attack campaigns
from the XOR DDoS botnet
- The XOR DDoS botnet has grown and is now capable of mega
DDoS attacks of 150+ Gbps
- 90% of the DDoS attacks from the XOR DDoS botnet targeted
organizations in Asia
Akamai Technologies, Inc. (NASDAQ: AKAM), the global leader in
content delivery network (CDN) services, today published a new
cybersecurity threat advisory from the company's Security
Intelligence Response Team (SIRT). Attackers have built a botnet
capable of 150+ gigabit-per-second (Gbps) distributed denial of
service (DDoS) attack campaigns using XOR DDoS, a Trojan that
hijacks Linux systems. The full advisory, including DDoS mitigation
payload analysis and malware removal information, is available for
download at http://www.stateoftheinternet.com/xorddos.
What is XOR DDoS?
XOR DDoS is a Trojan that infects Linux systems and lets a remote
attacker direct them to launch DDoS attacks on demand. Attackers
gain initial access by brute-forcing the password of the Secure
Shell (SSH) service on a Linux machine. Once logged in, they use
root privileges to run a Bash shell script that downloads and
executes the malicious binary.
"Over the past year, the XOR DDoS botnet has grown and is now
capable of being used to launch huge DDoS attacks," said
Stuart Scholly, senior vice
president and general manager, Security Business Unit, Akamai. "XOR
DDoS is an example of attackers switching focus and building
botnets using compromised Linux systems to launch DDoS attacks.
This happens much more frequently now than in the past, when
Windows machines were the primary targets for DDoS malware."
XOR DDoS Denial of Service Attacks
Akamai SIRT's research showed that the bandwidth of DDoS attacks
from the XOR DDoS botnet ranged from low, single-digit Gbps to 150+
Gbps, an extremely large attack size. The most frequent target was
the gaming sector, followed by educational institutions. The botnet
attacks up to 20 targets per day, 90% of which were in Asia. Of the
XOR DDoS attacks Akamai has mitigated, several observed on August
22-23 are profiled in the threat advisory. One was nearly 179 Gbps
and another almost 109 Gbps. Two attack vectors were observed: SYN
floods and DNS floods.
The source IP address of the bot's traffic is sometimes spoofed, but
not always; the campaigns observed against Akamai customers were a
mix of spoofed and non-spoofed attack traffic. When spoofing is
used, the forged source addresses are generated so that they appear
to come from the same /24 or /16 address space as the infected host,
that is, only the third or fourth octet of the address is altered.
Because Unicast Reverse Path Forwarding (uRPF) checks a packet's
source prefix against the routing table rather than validating
individual hosts, a forged source that stays inside the prefix
legitimately routed to the bot still passes the check, so Internet
Service Providers (ISPs) running uRPF cannot drop the spoofed
traffic on that basis.
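The following is an added example, not code or data from the Akamai advisory, that shows why this spoofing style survives a prefix-based uRPF check. It models uRPF as "accept the packet if its source falls inside a prefix routed back out the ingress interface", forges sources the way the advisory describes (keeping the bot's first two or three octets), and compares them with sources from an unrelated range. All addresses are RFC 5737 documentation ranges constructed for the example; the bot address 203.0.113.77 and the /24 and /16 customer routes are assumptions.

```python
"""
Added example, not the advisory's own code: why a source address spoofed only
in its third or fourth octet passes a prefix-based uRPF check at the ISP edge.

uRPF works on routes, not hosts: a packet is accepted when its *source prefix*
is reachable via the interface it arrived on.  A customer whose block is routed
as 203.0.113.0/24 (or 203.0.0.0/16) therefore gets every forged source inside
that block forwarded.  Addresses are RFC 5737 documentation ranges and were
constructed for this example.
"""
import ipaddress
import random


def passes_urpf(src: str, routed_via_ingress) -> bool:
    """Strict-mode uRPF approximation: pass if `src` falls inside a prefix whose
    best route points back out the interface the packet came in on."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in routed_via_ingress)


def spoof_low_octets(bot_ip: str, keep: int, rng: random.Random) -> str:
    """Forge a source as the advisory describes: keep the first `keep` octets
    of the bot's own address (3 -> same /24, 2 -> same /16), randomise the rest."""
    octets = bot_ip.split(".")
    tail = [str(rng.randrange(256)) for _ in range(4 - keep)]
    return ".".join(octets[:keep] + tail)


def survival_rate(sources, routed_via_ingress) -> float:
    """Fraction of packets with the given sources that uRPF would forward."""
    return sum(passes_urpf(s, routed_via_ingress) for s in sources) / len(sources)


def compare(bot_ip="203.0.113.77", n=500, seed=7):
    """Run three spoofing styles against a /24 and a /16 customer route.
    bot_ip and the routes are hypothetical values for this example."""
    rng = random.Random(seed)
    same_24 = [spoof_low_octets(bot_ip, 3, rng) for _ in range(n)]
    same_16 = [spoof_low_octets(bot_ip, 2, rng) for _ in range(n)]
    # Naive spoofing: sources drawn from an unrelated documentation range.
    unrelated = [f"198.51.100.{rng.randrange(256)}" for _ in range(n)]
    results = {}
    for label, route in (("/24 route", ["203.0.113.0/24"]),
                         ("/16 route", ["203.0.0.0/16"])):
        results[label] = {
            "same /24 spoof": survival_rate(same_24, route),
            "same /16 spoof": survival_rate(same_16, route),
            "unrelated spoof": survival_rate(unrelated, route),
        }
    return results


if __name__ == "__main__":
    for route, rates in compare().items():
        print(route)
        for style, rate in rates.items():
            print(f"  {style:16s} forwarded by uRPF: {rate:.0%}")
```

The result is the point the advisory makes: against a /16 route every forged source in the bot's /16 is forwarded, against a /24 route every forged source in its /24 is forwarded, and only the naive spoof from an unrelated range is dropped. Since the ISP cannot filter on prefix, the defender is left with per-packet characteristics such as TTL, window size and TCP options, which is where the advisory's header signatures come in.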
DDoS mitigation of XOR DDoS attacks
Identifiable static characteristics were observed in the attack
traffic, including the initial TTL value, TCP window size, and TCP
header options. Signatures built from such characteristics can aid
in DDoS mitigation; the advisory lists them and also provides
tcpdump filters that match the SYN flood traffic generated by this
botnet.
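As an added example of the kind of static-characteristic matching described above (this is not the advisory's own filter, and the fingerprint values in it are hypothetical placeholders rather than the real XOR DDoS values), the block below matches constructed SYN packets against a fingerprint of initial TTL, window size and TCP option layout, and emits an equivalent tcpdump/BPF expression. The TTL is matched as a band below the assumed initial value, since the observed TTL is the initial TTL minus the hop count.

```python
"""
Added example, not the advisory's filters or values: match SYN-flood packets
against a static header fingerprint (initial TTL, TCP window, TCP options) and
express the same test as a tcpdump/BPF filter.

The fingerprint used here (initial TTL 64, window 65535, no options) is a
HYPOTHETICAL placeholder; the real values are in the Akamai advisory.  The
packet records are constructed inline so the example runs offline.
"""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

# Fixed on-the-wire lengths of common TCP option kinds:
# EOL, NOP, MSS, Window scale, SACK permitted, Timestamps.
OPTION_LEN = {0: 1, 1: 1, 2: 4, 3: 3, 4: 2, 8: 10}


@dataclass
class Fingerprint:
    initial_ttl: int
    window: int
    options: tuple = ()      # TCP option kinds in order, e.g. (2, 4, 8, 1, 3)
    max_hops: int = 30       # how far below initial_ttl an observed TTL may fall


@dataclass
class Packet:
    src: str
    ttl: int
    window: int
    flags: int
    options: tuple = ()


def option_words(kinds) -> int:
    """TCP option bytes rounded up to 32-bit words (the data offset field)."""
    nbytes = sum(OPTION_LEN[k] for k in kinds)
    return (nbytes + 3) // 4


def matches(pkt: Packet, fp: Fingerprint) -> bool:
    """SYN-only packet whose TTL is consistent with fp.initial_ttl after at most
    max_hops decrements, with the fingerprinted window and option layout."""
    syn_only = (pkt.flags & (SYN | ACK)) == SYN
    ttl_ok = fp.initial_ttl - fp.max_hops < pkt.ttl <= fp.initial_ttl
    return (syn_only and ttl_ok and pkt.window == fp.window
            and tuple(pkt.options) == tuple(fp.options))


def tcpdump_filter(fp: Fingerprint) -> str:
    """The same test in BPF: ip[8] is the TTL byte, tcp[14:2] the window, and
    tcp[12] & 0xf0 the data offset (header length in 32-bit words in the high
    nibble), which pins the total length of the option layout."""
    hdr_words = 5 + option_words(fp.options)
    return (
        "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
        f" and ip[8] > {fp.initial_ttl - fp.max_hops} and ip[8] <= {fp.initial_ttl}"
        f" and tcp[14:2] = {fp.window}"
        f" and tcp[12] & 0xf0 = {hdr_words << 4:#x}"
    )


def matching_sources(packets, fp: Fingerprint):
    """Source addresses of packets that fit the fingerprint."""
    return [p.src for p in packets if matches(p, fp)]


# Hypothetical flood fingerprint (placeholder values, not from the advisory).
FLOOD_FP = Fingerprint(initial_ttl=64, window=65535)

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    Packet("203.0.113.10", ttl=58, window=65535, flags=SYN),      # flood, 6 hops away
    Packet("203.0.113.201", ttl=49, window=65535, flags=SYN),     # flood, 15 hops away
    Packet("203.0.113.77", ttl=64, window=65535, flags=SYN),      # flood, directly attached
    Packet("198.51.100.23", ttl=52, window=29200, flags=SYN,
           options=(2, 4, 8, 1, 3)),                              # ordinary Linux client SYN
    Packet("198.51.100.9", ttl=117, window=65535, flags=SYN),     # same window, TTL band of a 128 stack
    Packet("192.0.2.5", ttl=60, window=65535, flags=SYN | ACK),   # SYN-ACK, not a SYN
]

if __name__ == "__main__":
    print("tcpdump filter:", tcpdump_filter(FLOOD_FP))
    print("matching sources:", matching_sources(SAMPLE_PACKETS, FLOOD_FP))
```

Static fingerprints are brittle by design: the bot author can change the window or option layout in the next build, and a legitimate stack that happens to share the values will be caught too, so a filter like this belongs in a counting or rate-limiting stage and should be validated against baseline traffic before it is used to drop packets.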
How to detect and remove XOR DDoS malware
The presence of XOR DDoS can be detected in two ways. To detect the
botnet on a network, look for communications between a bot and its
command-and-control (C2) server using the Snort rule provided in
the advisory. To detect infection on a Linux host, the advisory
includes a YARA rule that matches strings observed in the binary.
XOR DDoS is persistent: it runs processes that reinstall the
malicious files if they are deleted. Removing the malware is
therefore a four-step process, for which several scripts are
provided in the advisory:
- Identify the malicious files in two directories.
- Identify the processes that promote persistence of the main
process.
- Kill the malicious processes.
- Delete the malicious files.
Akamai continues to monitor ongoing campaigns using XOR DDoS to
launch DDoS attacks. To learn more about the threat, malware
removal and DDoS mitigation techniques, please download a
complimentary copy of the threat advisory at
www.stateoftheinternet.com/xorddos.
About Akamai Security Intelligence Response Team
(SIRT)
Focused on mitigating malicious global cyber threats and
vulnerabilities, the Akamai Security Intelligence Response Team
(SIRT) conducts and shares digital forensics and post-event
analysis with the security community to proactively protect against
threats and attacks. As part of its mission, the Akamai SIRT
maintains close contact with peer organizations around the world
and trains Akamai's Professional Services and Customer Care teams
to both recognize and counter attacks from a wide range of
adversaries. The research performed by the Akamai SIRT helps to
ensure Akamai's cloud security products are best of breed and can
protect against any of the latest application layer threats
impacting the industry.
About Akamai
As the global leader in Content Delivery Network (CDN) services,
Akamai makes the Internet fast, reliable and secure for its
customers. The company's advanced web performance, mobile
performance, cloud security and media delivery solutions are
revolutionizing how businesses optimize consumer, enterprise and
entertainment experiences for any device, anywhere. To learn how
Akamai solutions and its team of Internet experts are helping
businesses move faster forward, please visit www.akamai.com
or blogs.akamai.com, and follow @Akamai on Twitter.
Contacts:
Rob Morton, Media Relations, 617-444-3641, rmorton@akamai.com
Tom Barth, Investor Relations, 617-274-7130, tbarth@akamai.com
To view the original version on PR Newswire, visit:
http://www.prnewswire.com/news-releases/xor-ddos-botnet-launching-20-attacks-a-day-from-compromised-linux-machines-says-akamai-300150442.html
SOURCE Akamai Technologies, Inc.