Xor DDoS

Linux trojan malware with rootkit capabilities

XOR DDoS is a Linux Trojan malware with rootkit capabilities that was used to launch large-scale DDoS attacks. Its name stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs. It is built for multiple Linux architectures like ARM, x86 and x64. Noteworthy about XOR DDoS is the ability to hide itself with an embedded rootkit component which is obtained by multiple installation steps.^[1] It was discovered in September 2014 by MalwareMustDie, a white hat malware research group.^[2]^[3]^[4] From November 2014 it was involved in massive brute force campaign that lasted at least for three months.^[5]

In order to gain access it launches a brute force attack in order to discover the password to Secure Shell services on Linux.^[6] Once Secure Shell credentials are acquired and login is successful, it uses root privileges to run a script that downloads and installs XOR DDoS.^[7] It is believed to be of Asian origin based on its targets, which tend to be located in Asia. ^[8]

References

^ "Linux DDoS Trojan hiding itself with an embedded rootkit". Avast. January 6, 2015. Retrieved September 7, 2019.
^ "MMD-0028-2014 - Linux/XOR.DDoS : Fuzzy reversing a new China ELF". Malware Must Die!. Retrieved September 7, 2019.
^ Constantin, Lucian (February 6, 2015). "Sneaky Linux malware comes with sophisticated custom-built rootkit". PCWorld (From IDG). Retrieved February 6, 2015.
^ Cimpanu, Catalin (September 29, 2015). "XOR DDoS Botnet Uses Compromised Linux Machines to Launch 150+ Gbps Attacks". Softpedia News. Retrieved September 29, 2015.
^ "Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited". Threat Research Blog. FireEye. Archived from the original on March 18, 2015. Retrieved March 18, 2016.
^ "New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps". thehackernews.com. Retrieved March 18, 2016.
^ "XOR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines, Says Akamai" (Press release). Cambridge, MA: Reuters. Archived from the original on March 18, 2016. Retrieved March 18, 2016.
^ "Threat Advisory: XOR DDoS | DDoS mitigation, YARA, Snort" (PDF). stateoftheinternet.com. Archived from the original on March 23, 2021. Retrieved March 18, 2016.

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Vault7 data breach Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Advanced
persistent threats

Individuals

Major vulnerabilities
publicly disclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet