Linux malware is booming, so stay secure, Microsoft warns

(Image credit: Elchinator from Pixabay)

One particular strain of Linux malware has seen tremendous growth in the last six months, Microsoft says, urging Linux device owners to secure their endpoints.

The Redmond software giant claims XorDDoS malware’s usage in the last six months rose by 254%. While XorDDoS’ primary use case is, as its name would suggest, to build a Distributed Denial of Service (DDoS) botnet, it can also be used as a gateway for the distribution of additional payloads.

"We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft said in its announcement. "While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities."

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Obfuscation techniques

XorDDoS, which uses XOR-based encryption to communicate with its C2 servers, is a relatively old malware strain, that’s been around since at least 2014. It owes its longevity to the fact that it’s relatively successful in evading detection by antivirus solutions, and has solid persistence tactics. 

"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis," Microsoft further said.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte."

The endpoint’s architecture isn’t an eliminatory factor, though, as the malware has been spotted infecting ARM devices (Internet of Things gear), as well as x64 servers. It compromises vulnerable ones via SSH brute-force attacks.

These findings are aligned with a recent report by Crowdstrike, which said malware for the popular OS increased by more than a third (35%) in 2021, compared just to the year prior. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.