XORDDOS Malware Information

- Updated:
- 16 Oct 2020
- Product/Version:
- Deep Security 12.0
- Deep Security 12.5
- Deep Security 20.0
- Platform:

Summary

XOR DDoS is a Linux Trojan malware with rootkit capabilities that was used to launch large-scale DDoS attacks. Its name stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs. It is built for multiple Linux architectures like ARM, x86 and x64.

In 2014, a whitehat security research group detected a one-liner shell script being injected via ssh connection. The hack scheme is to spread a new DDoS mechanism using ELF to infect Linux based computers. A third party AV company concluded that the installation is customized to the victim's Linux environment for the sake of running an additional rootkit component.

This malware performs C&C communication in both directions using a hard-coded XOR key, hence its name XOR DDoS.

Capabilities:

System Changes
- Drops copies of itself to multiple directories
- Auto-start mechanisms
Payload
- Information Theft
- Backdoor Commands
- Downloads Files
- Propagation
- Rootkit Capability

Impact:

Launches DoS/DDoS attacks

Malware routine can be found on the following virus reports:

Details

Solutions Available:

Detection	OPR
Trojan.Linux.XORDDOS.SMSH	15.569.00
ELF_XORDDOS.SM	16.163.00
ELF_XORDDOS.AP	16.165.00

Identification:

The malware is usually found on Linux based servers. Since the malware has a capability to hide itself using its rootkit capabilities and XOR encrypted C&C communication, un-monitored and un-protected servers may not report the infection unless an administrator is able to see the unusual processes running or unusual connections to un-familiar IP addresses.

The threat investigator should look for the following visible indicators:

Auto-start mechanisms
Dropped copies of the malware
Unusual network connections to unknown IP addresses
Running processes usually showing as 8-10 random characters

Installation:

Actions to Take:

Trend Micro Deep Security for Linux should be able to detect and clean this malware.

There are times that the DS agent doesn’t have permission to the locked file, so make sure that there’s no running process or service of XORDDOS (random characters), to fully clean this infection.

Integrity Monitoring Detection

Unix - Open Port Monitor (This rule monitors and logs for ports "Created" and "Deleted" in a Unix environment.)

For machines that have recurring detection, you can use ATTK for Linux and submit the logs to us for further analysis.

Related Blog:

XORDDoS, Kaiji Variants Target Exposed Docker Servers

Rating:

Category:

Remove a Malware / Virus

Solution Id:

000278087

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

Need More Help?

XORDDOS Malware Information