Solutions Available:

| Detection | OPR |
|---|---|
| Trojan.Linux.XORDDOS.SMSH | 15.569.00 |
| ELF_XORDDOS.SM | 16.163.00 |
| ELF_XORDDOS.AP | 16.165.00 |
Identification:
The malware is usually found on Linux-based servers. Because it hides itself with its rootkit capabilities and XOR-encrypts its C&C communication, unmonitored and unprotected servers may never report the infection unless an administrator notices the unusual processes running or the unusual connections to unfamiliar IP addresses.
The threat investigator should look for the following visible indicators:
- Auto-start mechanisms
- Dropped copies of the malware
- Unusual network connections to unknown IP addresses
- Running processes whose names usually consist of 8-10 random characters
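The following triage script is an added example and not part of the Trend Micro page. It turns the four indicator classes above into stdin filters so they can be run on live command output (`ps`, `find`, `ss`) or on saved evidence. The 8-10 character window comes from the page; the daemon allowlist, the directories suggested in the comments and the "known network" ranges are assumptions that should be adjusted per host, and every output line is a lead for a human to confirm, not a verdict.

```shell
#!/bin/sh
# Added XORDDOS triage helper (not from the original page). Each function
# reads text on stdin and prints only the lines worth a closer look.

# Core filter: does field N look like an 8-10 character random token?
# The allowlist of ordinary daemons with 8-10 character names is an assumption.
# Usage: random_token_field <N>
random_token_field() {
    awk -v f="$1" -v allow="rsyslogd containerd" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { t = $f; sub(/.*\//, "", t) }                 # basename if it is a path
        length(t) >= 8 && length(t) <= 10 && t ~ /^[a-z0-9]+$/ && !(t in ok)'
}

# Indicator: running processes with random names.
# Input: ps -eo pid,comm --no-headers
random_name_procs() { random_token_field 2; }

# Indicators: auto-start entries and dropped copies with random names.
# Input: one path per line, e.g.
#   find /etc/init.d /etc/cron.hourly /etc/cron.d /usr/bin /bin -maxdepth 1 -type f
random_name_files() { random_token_field 1; }

# Indicator: established connections to peers outside the ranges this host is
# expected to talk to (assumed: loopback and RFC1918 are "known"; IPv4 only).
# Input: ss -Htn state established   (peer address:port is the last field)
unknown_peers() {
    awk '{ p = $NF; sub(/:[0-9]+$/, "", p) }
         p !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print p }'
}

# Constructed sample evidence (not captured from a real host) for a dry run.
SAMPLE_PS='  1 systemd
 812 rsyslogd
2231 gfhddsfew
2240 sshd'
SAMPLE_FILES='/etc/init.d/ssh
/etc/cron.hourly/hkpjvqswz
/usr/bin/ls'
SAMPLE_SS='0 0 192.168.1.20:22 192.168.1.7:50122
0 0 192.168.1.20:42107 203.0.113.9:3502'

# Runs all three filters over the constructed samples and prints the leads.
triage_demo() {
    echo '== processes with random names =='
    printf '%s\n' "$SAMPLE_PS" | random_name_procs
    echo '== auto-start entries / dropped files with random names =='
    printf '%s\n' "$SAMPLE_FILES" | random_name_files
    echo '== established connections to unknown peers =='
    printf '%s\n' "$SAMPLE_SS" | unknown_peers
}

triage_demo
```

On a live host, replace the sample variables with the commands named in the comments; a process hit should be cross-checked against its `/proc/<pid>/exe` target and the file hits against package ownership before anything is removed, since a name alone is only a hint.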
Installation:
Actions to Take:
Trend Micro Deep Security for Linux should be able to detect and clean this malware.
At times the Deep Security agent does not have permission to access the locked file, so make sure that no XORDDOS process or service (random characters) is still running before cleaning, in order to fully remove this infection.
Integrity Monitoring Detection
- Unix - Open Port Monitor (this rule monitors and logs ports "Created" and "Deleted" in a Unix environment)
Related Blog: