
Linux botnet organizes DDoS attacks with 150 Gbps traffic and higher


A botnet of Linux devices has grown so much that it can generate attacks with a stream of more than 150 Gbit/s, which is many times higher than the safety margin of an average company's infrastructure. Researchers at Akamai Technologies reported the start of such DDoS attacks.

The network worm, better known as XOR DDoS, from which the botnet was assembled was detected in September 2014. In January of this year, Habr user Patr1ot07 published an article describing how the malware works.
Infection starts with an SSH brute-force attempt against the root login. If it succeeds, the attackers gain access to the compromised machine and then install a trojan, usually via a shell script. The script contains procedures such as main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc., and variables __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects a C&C server based on the system architecture.

Researchers from Akamai Technologies claim that the latest DDoS attacks from the botnet had a "power" ranging from a few Gbit/s up to 150 Gbit/s, and that up to twenty targets are attacked per day. The Asian region takes the brunt of it: more than 90% of the XOR DDoS botnet's targets are located there. The victims are mainly companies operating in the online gaming sector, as well as educational institutions.

XOR DDoS is one of several network worms that specifically target Linux systems. The activity of the group operating the malware reflects the general trend of infecting equipment and using it first of all to conduct DDoS attacks. The most vulnerable are poorly or improperly configured systems, as well as "abandoned" equipment that is still connected to the network. Based on statistics from the last two years, the latter is especially true of routers.

On online forums they write that the malware lives in /lib/libgcc4.so and persists through /etc/crontab with a three-minute check interval (*/3 * * * * root /etc/cron.hourly/udev.sh). Even if the crontab is cleared while XOR DDoS keeps running, the entry will be restored at midnight on Friday. The full post about it can be found here.
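A defender-side check for the two persistence artifacts named above (the /lib/libgcc4.so file and the */3 crontab entry calling /etc/cron.hourly/udev.sh), added here as an example and not part of the original post. The crontab path and filesystem root are assumed parameters so the check can run against a constructed sample rather than the live system.

```shell
#!/bin/sh
# Added example (not from the original post): check a host for the XOR DDoS
# persistence artifacts described above: /lib/libgcc4.so and the /etc/crontab
# entry "*/3 * * * * root /etc/cron.hourly/udev.sh". The crontab path and the
# filesystem root are parameters so it can run against a constructed sample.

XORDDOS_LIB="/lib/libgcc4.so"
XORDDOS_CRON_CMD="/etc/cron.hourly/udev.sh"

# Print non-comment crontab lines that invoke the dropper's cron script.
# Exit status 0 if at least one was found, 1 otherwise.
find_xorddos_cron_entries() {
    crontab_file="$1"
    [ -r "$crontab_file" ] || return 1
    grep -v '^[[:space:]]*#' "$crontab_file" | grep -F "$XORDDOS_CRON_CMD"
}

# Exit status 0 if the dropped library exists under the given root ("" = /).
xorddos_lib_present() {
    [ -e "${1:-}${XORDDOS_LIB}" ]
}

# Report both indicators; exit status 0 if anything suspicious was found.
check_xorddos_persistence() {
    crontab_file="${1:-/etc/crontab}"
    root="${2:-}"
    found=1
    if xorddos_lib_present "$root"; then
        echo "FOUND: ${root}${XORDDOS_LIB} exists"
        found=0
    fi
    if entries=$(find_xorddos_cron_entries "$crontab_file"); then
        echo "FOUND: suspicious entries in $crontab_file:"
        echo "$entries"
        found=0
    fi
    return $found
}

# Constructed sample: a fake root with the library and a crontab carrying the entry.
run_constructed_demo() {
    root=$(mktemp -d) && mkdir -p "$root/lib" && : > "$root/lib/libgcc4.so"
    printf '%s\n' 'SHELL=/bin/sh' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
        '*/3 * * * * root /etc/cron.hourly/udev.sh' > "$root/crontab"
    check_xorddos_persistence "$root/crontab" "$root"
}

run_constructed_demo
```

Run it without arguments on a real host (check_xorddos_persistence with no parameters reads /etc/crontab and /) after the demo; a clean system yields exit status 1 and no output.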

"Ten years ago, Linux was positioned as a safe alternative to Windows, which at that time was seriously affected by attacks, the lion's share of which targeted precisely that OS family. Because of this, Linux has been used more and more often to raise the level of information security, but as the scope of application of this system has expanded, so have the opportunities for cybercriminals. Now attackers are actively developing tactics and tools for attacking Linux systems, so system administrators and security specialists should tighten their policies on the ground," commented Akamai Technologies.

In the comments, the exchange of experience and remarks from system administrators and information security specialists are highly welcome. Perhaps it will save someone from infection.

Source: https://habr.com/ru/post/268007/

