Akamai's Security Intelligence Response Team issued a high-risk threat advisory on Tuesday about the spread of the XOR DDoS botnet. The malware, dubbed XOR DDoS, is being used mainly against gaming and education websites. According to the advisory, victims are hit with distributed denial-of-service attacks peaking at more than 150 gigabits per second (Gbps) of malicious traffic. Akamai observed the botnet targeting roughly 20 victims per day, and the vast majority of them, about 90%, were located in Asia.
Although Linux was long considered far more secure than Windows, attackers clearly have no such limits. The relative scarcity of attacks on Linux machines probably owed more to their small numbers than to any inherent security, and as Linux has gained ground, especially on servers, attackers have followed. The XOR Trojan does not spread by exploiting a vulnerability in the host; it spreads through Secure Shell (SSH) services. Not every SSH service is a potential victim, only those that still accept password logins and are protected by weak passwords: the bot brute-forces the login (guessing the root password) and, once it has a shell, installs the malware. Stronger passwords therefore make the brute-force step less likely to succeed and reduce the chance that a Linux system is taken over by the XOR Trojan. Better still, disabling SSH password authentication in favour of key-based logins, and disallowing direct root login, removes this infection path outright.
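The infection path described above leaves a recognisable trace in the SSH daemon's log: a burst of failed password logins from one address followed by a successful password login from the same address. The following script, added here as an illustration and not code from the article or from Akamai's advisory, flags that pattern over a constructed sample of sshd log lines (the host name, addresses and timestamps are made up; the message formats are those sshd writes on Linux). The failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in the classic syslog-style auth.log format. The host,
# addresses and times are invented for this example.
SAMPLE_AUTH_LOG = """\
Sep 29 03:12:01 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 40122 ssh2
Sep 29 03:12:03 web1 sshd[2103]: Failed password for root from 198.51.100.23 port 40130 ssh2
Sep 29 03:12:05 web1 sshd[2105]: Failed password for root from 198.51.100.23 port 40141 ssh2
Sep 29 03:12:07 web1 sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 40150 ssh2
Sep 29 03:12:09 web1 sshd[2109]: Failed password for root from 198.51.100.23 port 40162 ssh2
Sep 29 03:12:11 web1 sshd[2111]: Accepted password for root from 198.51.100.23 port 40170 ssh2
Sep 29 03:15:44 web1 sshd[2150]: Accepted publickey for deploy from 203.0.113.9 port 51000 ssh2
Sep 29 03:16:02 web1 sshd[2152]: Failed password for deploy from 203.0.113.9 port 51004 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...", plus the Accepted variants.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def count_failures(log_text):
    """Total failed logins per source IP, regardless of outcome later on."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("result") == "Failed":
            failures[m.group("ip")] += 1
    return dict(failures)


def find_brute_force_logins(log_text, threshold=3):
    """Return successful password logins that were preceded by at least
    `threshold` failed attempts from the same source IP (threshold is an
    assumed tuning value, not a figure from the advisory)."""
    pending_failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            pending_failures[ip] += 1
            continue
        # A success: only a password login can be the product of guessing.
        # A key-based login after failures is not the pattern we are after.
        if m.group("method") == "password" and pending_failures[ip] >= threshold:
            hits.append({
                "ip": ip,
                "user": m.group("user"),
                "failures": pending_failures[ip],
            })
        # Either way, the run of failures from this address is over.
        pending_failures[ip] = 0
    return hits


if __name__ == "__main__":
    for hit in find_brute_force_logins(SAMPLE_AUTH_LOG):
        print("possible brute-forced login:", hit)
```

Run against the sample, the script reports one hit: root logged in from 198.51.100.23 after five failed guesses, while the key-based login from 203.0.113.9 is ignored. On a real host the natural next step is to check what that session did immediately afterwards, since the bot installs itself right after gaining the shell.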
Akamai assesses that the author of the XOR Trojan is likely based in Asia, an assessment based on the command-and-control IP addresses and the source IP addresses of the attack payloads. Akamai representatives also pointed out that the primary risk from an XOR DDoS attack is being taken offline. The success of these attacks was attributed mainly to poor password management on companies' systems: to simplify their work, IT managers often reuse the same password across different systems, so once one is compromised the others become easy targets.
Fortunately, XOR DDoS infections can be prevented, and rather easily. Akamai's Security Intelligence Response Team suggested that regularly conducted network assessments are one of the basic steps that keep companies' IT systems from being compromised. Strong security policies and constant monitoring of network traffic are also of great importance. The advisory also suggested that companies purchase redundant connections or engage a DDoS protection provider; these ensure that mitigation can take place upstream, outside their own networks. These are protection measures every organisation running Internet-facing Linux systems should take. Unfortunately, the botnet generates so much traffic that if a website is singled out as a target, defending against the attack without that upstream help can become quite difficult.
To avoid being affected by the XOR Trojan, Linux administrators should make sure that the passwords on their SSH services are long, unique to each system and not guessable, or, better, that password logins are disabled in favour of keys. In addition, regular scanning for malware on Linux hosts, not only on Windows endpoints, is absolutely necessary. Let's hope that these prevention measures protect as many Linux networks as possible from the XOR Trojan.
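Because the whole infection path runs through SSH password logins, the most useful single check is whether sshd still accepts them. The script below is an added example, not code from the article or from Akamai, that audits the global settings of an sshd_config text: it honours comments, the `keyword value` and `keyword=value` forms, sshd's first-value-wins rule, and stops at the first `Match` block (whose settings only apply conditionally and must not be mistaken for global ones). Both configuration fragments are constructed for the example; the defaults filled in when a keyword is absent are the OpenSSH defaults as assumed here (PasswordAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6), and the MaxAuthTries recommendation is a judgement call rather than a figure from the advisory.

```python
import re

# Constructed sshd_config fragments (not from the article or the advisory).
# The weak one leaves password logins open to guessing; the Match block only
# narrows the rule for one address range and does not fix the global setting.
WEAK_SSHD_CONFIG = """\
# sshd_config on a typical build host before hardening
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication=no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Assumed OpenSSH defaults used when a keyword does not appear at all.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9]+)(?:\s*=\s*|\s+)(?P<value>.+?)\s*$")


def effective_settings(config_text):
    """Global sshd settings, keyed by lower-cased keyword.

    sshd uses the first value it reads for a keyword, so earlier lines win.
    Parsing stops at the first Match block: everything after it is
    conditional and is not part of the global configuration.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break
        if key not in seen:  # first occurrence wins
            seen.add(key)
            settings[key] = m.group("value").strip('"').lower()
    return settings


def audit_sshd_config(config_text):
    """Return (keyword, actual, recommended) for each setting that keeps the
    SSH password brute-force path open."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", s["passwordauthentication"], "no"))
    # 'prohibit-password' and its older spelling 'without-password' both
    # refuse root password logins, which is what matters here.
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append(("PermitRootLogin", s["permitrootlogin"], "no"))
    # MaxAuthTries only limits guesses per connection; the bot simply
    # reconnects, so this is a rate limiter, not a fix. Flag generous values.
    if int(s["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", s["maxauthtries"], "3"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "config:", audit_sshd_config(text) or "no findings")
```

On a live host, feed it the output of `sshd -T` rather than the file itself if the configuration uses `Include` directives, since `sshd -T` prints the fully resolved global settings.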