Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

XORDDOS Malware Information

    • Updated:
    • 16 Oct 2020
    • Product/Version:
    • Deep Security 12.0
    • Deep Security 12.5
    • Deep Security 20.0
    • Platform:

XOR DDoS is a Linux Trojan malware with rootkit capabilities that was used to launch large-scale DDoS attacks. Its name stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs. It is built for multiple Linux architectures like ARM, x86 and x64.

In 2014, a whitehat security research group detected a one-liner shell script being injected via ssh connection. The hack scheme is to spread a new DDoS mechanism using ELF to infect Linux based computers. A third party AV company concluded that the installation is customized to the victim's Linux environment for the sake of running an additional rootkit component.

This malware performs C&C communication in both directions using a hard-coded XOR key, hence its name XOR DDoS.


  • System Changes
    • Drops copies of itself to multiple directories
    • Auto-start mechanisms
  • Payload
    • Information Theft
    • Backdoor Commands
    • Downloads Files
    • Propagation
    • Rootkit Capability


  • Launches DoS/DDoS attacks

Malware routine can be found on the following virus reports:


Solutions Available:



The malware is usually found on Linux based servers. Since the malware has a capability to hide itself using its rootkit capabilities and XOR encrypted C&C communication, un-monitored and un-protected servers may not report the infection unless an administrator is able to see the unusual processes running or unusual connections to un-familiar IP addresses.

The threat investigator should look for the following visible indicators:

  • Auto-start mechanisms
  • Dropped copies of the malware
  • Unusual network connections to unknown IP addresses
  • Running processes usually showing as 8-10 random characters


Actions to Take:

Trend Micro Deep Security for Linux should be able to detect and clean this malware.

There are times that the DS agent doesn’t have permission to the locked file, so make sure that there’s no running process or service of XORDDOS (random characters), to fully clean this infection.

Integrity Monitoring Detection

Unix - Open Port Monitor (This rule monitors and logs for ports "Created" and "Deleted" in a Unix environment.)

For machines that have recurring detection, you can use ATTK for Linux and submit the logs to us for further analysis.

Related Blog:

Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.