Microsoft Sounds Alarm On Linux Botnet, Windows Maker Says The Numbers Are Scary But Won’t Release Them

Microsoft has sounded the alarm about a DDoS malware called XorDdos that targets Linux endpoints and servers. "In the past six months, we've seen a 254% increase in the activity of a Linux trojan called XorDdos," Microsoft says. Another sign that there is nothing about Linux that makes it intrinsically more reliable than Windows?

Last month, Microsoft said it discovered vulnerabilities that would allow users with access to many Linux desktop systems to quickly gain root privileges. This was the latest privilege escalation flaw discovered by Microsoft in the Linux operating system.

According to one user, Microsoft employs some of the best security researchers in the world and regularly discovers and fixes important vulnerabilities, often before using them in ecosystems. What this discovery actually demonstrates is what anyone with half a clue already knew: There’s nothing about Linux that makes it inherently more reliable than Windows.

XorDdos illustrates the trend of malware increasingly targeting Linux-based operating systems, which are often deployed on cloud infrastructure and Internet of Things (IoT) devices, warns Microsoft.

DDoS attacks themselves can be very problematic for many reasons, but these attacks can also be used as a cover to hide other malicious activities, such as the use of malware and infiltration of target systems. Using a botnet to conduct DDoS attacks could potentially cause significant disruptions, such as the 2.4 Tbps DDoS attack that Microsoft mitigated in August 2021.

Botnets can also be used to compromise other devices, and XorDdos is known to use Secure Shell (SSH) brute-force attacks to gain remote control of target devices. SSH is one of the most common protocols in IT infrastructures and enables encrypted communication over unsecured networks for remote system management, making it an attractive vector for attackers. Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device.

A typical XorDdos malware attack vector

XorDdos uses evasion and persistence mechanisms that ensure its operations remain robust and unobtrusive. The evasion capabilities include obfuscation of malware activity, evasion of rule-based detection mechanisms and hash-based malicious file searches, as well as using anti-forensic techniques to break the process tree analysis.

Microsoft says it has noticed in recent campaigns that XorDdos hides malicious activity from scanning by overwriting sensitive files with a null byte. It also includes several persistence mechanisms to support different Linux distributions. XorDdos also illustrates another trend seen across platforms, where malware is used to deliver other dangerous threats.

Microsoft also says it has found that devices first infected with XorDdos are later infected with other malware, such as the Tsunami backdoor, which then deploys the XMRig coin miner. "While we haven't seen XorDdos directly install and distribute secondary payloads like Tsunami, it's possible that the Trojan is being used as a vector for follow-on activity," Microsoft says.

Microsoft Defender for Endpoint protects against XorDdos by detecting and remediating the Trojan's modular, multi-step attacks across the attack chain and its follow-on activities. XorDdos mainly spreads via SSH brute force. It uses a malicious shell script to try different combinations of root credentials on thousands of servers until it finds a match on a Linux target device. As a result, many failed login attempts can be seen on devices infected with the malware:

failed login attempts on a device affected by XorDdos
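The burst of failed root logins described above is the most visible host-side trace of the SSH brute force. The following is an added example (not code from the article or from Microsoft) that scans syslog-style sshd lines, counts failures per source address, and flags any source that later logged in successfully, which is the case a defender wants at the top of the queue. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of syslog-style sshd lines (not taken from the article or from Microsoft).
# 203.0.113.7 hammers root with bad passwords and finally gets in; 198.51.100.9 is a
# legitimate user with one typo followed by a key-based login.
SAMPLE_AUTH_LOG = """\
May 20 10:01:02 web1 sshd[2310]: Failed password for root from 203.0.113.7 port 41022 ssh2
May 20 10:01:04 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 41030 ssh2
May 20 10:01:05 web1 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 41031 ssh2
May 20 10:01:07 web1 sshd[2316]: Failed password for root from 203.0.113.7 port 41040 ssh2
May 20 10:01:09 web1 sshd[2318]: Failed password for root from 203.0.113.7 port 41044 ssh2
May 20 10:01:12 web1 sshd[2320]: Accepted password for root from 203.0.113.7 port 41050 ssh2
May 20 10:05:00 web1 sshd[2400]: Failed password for alice from 198.51.100.9 port 50000 ssh2
May 20 10:06:00 web1 sshd[2402]: Accepted publickey for alice from 198.51.100.9 port 50002 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def analyze_ssh_log(lines, threshold=3):
    """Return one alert dict per source IP with at least `threshold` failed logins.

    Each alert records the failure count, how many failures targeted root
    (XorDdos guesses root credentials) and which users, if any, later logged
    in successfully from the same address, i.e. the guessing worked.
    """
    failures = Counter()
    root_failures = Counter()
    accepted = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["user"] == "root":
                root_failures[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append(m["user"])

    alerts = []
    for ip, count in sorted(failures.items()):
        if count < threshold:
            continue
        alerts.append({
            "ip": ip,
            "failed": count,
            "failed_root": root_failures[ip],
            "logged_in_as": accepted.get(ip, []),
            # a success after a burst of failures is the high-priority case
            "success_after_failures": bool(accepted.get(ip)),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze_ssh_log(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On a real host the same function can be fed `open("/var/log/auth.log")` or the output of `journalctl -u ssh`; the threshold is deliberately low here so the constructed sample trips it, and in production it would be tuned per environment and combined with a time window.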

Microsoft has established two of XorDdos’ initial access methods. The first method is to copy a malicious ELF file to the temporary file store /dev/shm and then run it. Files written to /dev/shm are deleted on system reboot, which can hide the source of infection during forensic analysis.

The second method is to run a bash script that performs the following activities from the command line:

  1. To find a writable folder, try the following directories in turn:
    • /bin
    • /home
    • /root
    • /tmp
    • /usr
    • /etc
  2. If a writable directory is found, change the working directory to it;
  3. Use the curl command to download the ELF payload from the remote location hxxp://Ipv4PII_777789ffaa5b68638cdaea8ecfa10b24b326ed7d/1[.]txt and save it as ygljglkjgfg0;
  4. Change the file's mode to executable;
  5. Execute the ELF payload;
  6. Move and rename the Wget binary to evade rule-based detections triggered by malicious use of Wget. In this case, the script renames the Wget binary to good and moves it to the following locations:
    • mv /usr/bin/wget /usr/bin/good
    • mv /bin/wget /bin/good
  7. Attempt to download the ELF payload a second time, now using only the renamed good binary and not the Wget binary;
  8. After executing the ELF file, use an anti-forensic technique that hides the previous activity by overwriting the contents of certain sensitive files.
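Each step of the script above leaves an artifact a defender can look for: an executable ELF in /dev/shm (first access method), a file named ygljglkjgfg0 in one of the listed directories, and a Wget binary that has been renamed to good. The following added example (not code from the article or from Microsoft) is a small hunting routine that checks a filesystem root for those three indicators. It assumes the paths given in the article are used unchanged; the `build_fixture` helper creates a constructed, harmless imitation of the artifacts in a temporary directory so the check can be exercised without a real infection.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Directories the dropper tries when looking for somewhere writable (from the article).
DROP_DIRS = ["bin", "home", "root", "tmp", "usr", "etc"]
# Name the article gives for the downloaded payload.
DROPPED_NAME = "ygljglkjgfg0"
# Destinations of the renamed Wget binary (from the article).
RENAMED_WGET = ["usr/bin/good", "bin/good"]


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def hunt(root):
    """Return a list of (indicator, path) findings under a filesystem root.

    `root` would be "/" on a live host; the fixture below uses a temp dir so the
    example runs anywhere without touching the real system.
    """
    findings = []
    # 1. Executable ELF files sitting in /dev/shm (first initial-access method).
    shm = os.path.join(root, "dev", "shm")
    if os.path.isdir(shm):
        for name in os.listdir(shm):
            p = os.path.join(shm, name)
            if os.path.isfile(p) and is_elf(p) and os.stat(p).st_mode & stat.S_IXUSR:
                findings.append(("elf_in_dev_shm", p))
    # 2. The dropped payload name in any of the candidate directories.
    for d in DROP_DIRS:
        p = os.path.join(root, d, DROPPED_NAME)
        if os.path.isfile(p):
            findings.append(("dropped_payload", p))
    # 3. A binary named "good" where the script moves the renamed Wget.
    for rel in RENAMED_WGET:
        p = os.path.join(root, rel)
        if os.path.isfile(p) and is_elf(p):
            findings.append(("renamed_wget", p))
    return findings


def build_fixture(root):
    """Populate `root` with a constructed, benign imitation of the artifacts.

    The files carry only the four ELF magic bytes plus padding; they are not
    executable programs and never run.
    """
    fake_elf = ELF_MAGIC + b"\x00" * 12
    for rel in ["dev/shm/x", "tmp/" + DROPPED_NAME, "usr/bin/good"]:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(fake_elf)
        os.chmod(p, 0o755)
    # A plain text file in /dev/shm must not be flagged.
    with open(os.path.join(root, "dev", "shm", "notes.txt"), "w") as f:
        f.write("not a binary\n")
    return root


def demo():
    """Build the fixture in a fresh temp dir and run the hunt over it."""
    return hunt(build_fixture(tempfile.mkdtemp()))


if __name__ == "__main__":
    for indicator, path in demo():
        print(indicator, path)
```

Because /dev/shm is cleared on reboot, the first check only helps on a running system; the other two survive a reboot and are the ones worth adding to a scheduled integrity check. A renamed Wget also shows up as a missing /usr/bin/wget on hosts whose package manager expects it, which `rpm -V` or `dpkg -V` will report independently of this script.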

Microsoft Recommendations for Defense Against Linux Platform Threats

The modular nature of XorDdos provides attackers with a versatile Trojan that can infect various Linux system architectures. SSH brute-force attacks are a relatively simple yet effective technique for gaining root access to a number of potential targets.

Capable of stealing sensitive data, installing a rootkit, using various evasion and persistence mechanisms, and launching DDoS attacks, XorDdos allows cybercriminals to cause potentially significant disruptions to target systems. In addition, XorDdos can be used to introduce other dangerous threats or provide a vector for follow-on activity.

XorDdos and other threats to Linux devices underline the critical importance of security solutions with rich capabilities and full visibility across many Linux operating system distributions, Microsoft said. Microsoft Defender for Endpoint provides such visibility and protection against these emerging threats through next-generation anti-malware and endpoint detection and response (EDR) capabilities.

According to Microsoft, Microsoft Defender for Endpoint can detect and remediate XorDdos and its multi-step modular attacks by leveraging insights gained from integrated threat data, including client and cloud heuristics, machine learning models, memory analytics, and behavioral monitoring.

Source: Microsoft

And you?

What is your opinion on the subject?

What do you think about this vulnerability discovered by Microsoft in Linux?

XorDdos illustrates the trend of malware increasingly targeting Linux-based operating systems, Microsoft says. Do you agree?

There’s nothing in Linux that makes it inherently more reliable than Windows, would you agree?

Also see:

Linux and Raspberry Pi machines become prime targets for credential hacking, hackers gain access to servers using the same default passwords

12-year-old bug in polkit allows getting root rights on major GNU/Linux distributions, Ubuntu and Red Hat have already released fixes

The number of malware infections targeting Linux devices increased by 35% in 2021, with XorDDoS, Mirai and Mozi being the most common, accounting for 22% of attacks

Microsoft blocks downloaded macros from the web in five Office apps by default to fight ransomware and other malware

