XorDdos Botnet: DDoS threats and prevention strategies

Tue May 31 2022
Hackers use XorDdos malware to build a DDoS botnet from web servers with weak passwords. Learn how to effectively secure your web server in this article.

XorDdos is a dangerous malware that hackers currently use to attack servers with weak passwords and enlist them in the XorDdos botnet. Hackers use this botnet to perform DDoS attacks such as SYN, DNS and ACK. Join VNETWORK to learn more about XorDdos and how to fight DDoS botnets in the following article.

What is the XorDdos Botnet?

XorDdos is a Linux Trojan with rootkit capabilities (a rootkit is a set of software tools that allows hackers to get back into the user's computer without being detected). It is used to launch large-scale botnet DDoS attacks. Its name derives from the heavy use of XOR encryption in both the malware and its network communication with C&C servers. XorDdos is usually built for many Linux platforms such as ARM, x86 and x64.

XorDdos can automatically guess passwords on thousands of Linux servers to find administrative credentials on servers running Secure Shell (SSH), a network communication protocol used for remote system administration.

CrowdStrike, an American cybersecurity technology company based in Austin, Texas, has also reported the growth of XorDDoS. It identified XorDDoS as one of the most active Linux-based malware families in 2021.

The XorDdos malware has flourished thanks to the growth of Internet of Things (IoT) devices and forms the giant XorDdos Botnet.

XorDdos primarily runs on Linux variants and targets misconfigured Docker clusters in the cloud. Docker is an open source project that automatically deploys Linux and Windows applications into virtualized containers.

In addition to XorDdos, other leading malware groups such as Mirai and Mozi also target Internet of Things (IoT) devices.

The current state of DDoS attacks using the XorDdos botnet

According to figures analyzed by Microsoft, the XorDDoS botnet has grown by 254% in the past 6 months alone. This botnet has been infecting Linux computers for the past 8 years. Hackers mainly use it to carry out distributed denial of service (DDoS) attacks.

According to Microsoft's warning, businesses need to strengthen the protection of their Linux servers against XorDdos botnet attacks. This botnet scans the internet to find SSH servers with weak passwords to attack. Once the hacker gains login credentials to an SSH server, the XorDdos botnet uses root privileges to install the malware on the Linux device by itself. The botnet then uses XOR-based encryption to control the infrastructure (Linux devices) at the hacker's request.
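The password guessing and root login described above leave a recognisable trail in the SSH authentication log. The following is an added example, not code from Microsoft or VNETWORK: it flags sources with repeated failed password logins and any that then succeed. The log lines are constructed, and the function name `analyze` and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (documentation-range addresses).
SAMPLE_LOG = """\
May 31 02:10:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 31 02:10:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
May 31 02:10:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40138 ssh2
May 31 02:10:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40146 ssh2
May 31 02:10:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40154 ssh2
May 31 02:10:11 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 40162 ssh2
May 31 08:30:00 web1 sshd[3001]: Failed password for alice from 198.51.100.20 port 51000 ssh2
May 31 08:30:09 web1 sshd[3002]: Accepted publickey for alice from 198.51.100.20 port 51004 ssh2
"""

# The greedy user group and the "$" anchor bind "from <ip>" to its LAST
# occurrence, so a client-chosen username that itself contains
# " from 10.0.0.1 port 1 ssh2" cannot shift the address that gets counted.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def analyze(log_text, threshold=5):
    """Return (noisy, compromised).

    noisy: {ip: failed password count} for sources at or above the threshold.
    compromised: [(ip, user)] password logins accepted after such a burst.
    """
    failures = defaultdict(int)
    compromised = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not part of password guessing
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif failures[m["ip"]] >= threshold:
            compromised.append((m["ip"], m["user"]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, compromised

if __name__ == "__main__":
    noisy, compromised = analyze(SAMPLE_LOG)
    print("brute-force sources:", noisy)
    print("password login after brute force:", compromised)
```

A hit in the second list means the host should be treated as compromised, not merely probed.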

XorDdos can easily bypass conventional detection techniques. In a recent report, Microsoft also found that this malicious code has replaced important business data with an empty data set.

The XorDdos payload is a 32-bit Linux-format ELF file with a modular binary written in C/C++. XorDdos uses a daemon process running in the background. Such processes are beyond the user's control and stop running only when the Linux device is turned off.

XorDdos can run automatically when the system is rebooted thanks to some special scripts it installs. Hackers often use the XorDdos botnet to perform many DDoS attack techniques such as SYN flood, DNS and ACK attacks.

How to fight huge botnet DDoS attacks with AI-powered Multi CDN

Combating the world's major botnet DDoS attacks requires the participation of a leading CDN (Content Delivery Network). Enterprises have long used the power of CDNs to reduce the impact of DDoS attacks reaching terabytes per second (Tbps).

VNIS (VNETWORK Internet Security) is the leading website security platform applying Multi CDN technology today. VNIS is confirmed by Gartner as the representative CDN provider in the market.

The VNIS Multi CDN network combines many leading CDN providers globally, including Vietnam's largest CDN system, VNCDN. This CDN system has server infrastructure located in data centers that meet the international Tier III standard. It has more than 280 PoPs located in 32 countries with domestic bandwidth of more than 3Tbps, carrying up to 6 billion requests at the same time.

The Multi CDN in the VNIS platform can protect businesses' websites from DDoS attacks on Layer 3 (network layer) and Layer 4 (transport layer).

In addition to Multi CDN, VNIS also has a system of multiple web application firewalls (Multi WAF) that blocks and filters requests based on criteria such as headers, cookies and user IP addresses. This system protects Layer 7 (web application layer) from attacks in the OWASP Top 10 list of security vulnerabilities, as well as XSS, SQL injection, Generic, Global Agents, HTTP Protocol…

The system automatically identifies whether requests come from bots or real users and makes the right blocking decisions, increasing anti-DDoS effectiveness for the origin server without affecting the normal operation of the web server system.

In addition to securing websites intelligently with artificial intelligence (AI) technology, VNIS offers more comprehensive security when combined with the SOC (Security Operation Center) network security monitoring system in many countries such as Taiwan, Hong Kong, Vietnam, ...

Currently, VNIS is trusted by thousands of domestic and foreign customers in fields such as Education, Health, Entertainment, Journalism, Commerce, Logistics, Finance, Information Technology,...

To experience the botnet anti-DDoS service, businesses can leave their contact information below or call our hotline: (028) 7306 8789.
