Analytics Story: XorDDos

Description

XorDdos is a sophisticated Linux malware that compromises devices to conduct high-capacity Distributed Denial of Service (DDoS) attacks. It employs XOR-based encryption to conceal its communications and utilizes rootkit capabilities to evade detection. The malware typically infiltrates systems through brute-force attacks on SSH services, enabling unauthorized access. Once installed, it can launch DDoS attacks exceeding 150 Gbps. To detect XorDdos, monitor for unusual network traffic patterns, unexpected processes, and unauthorized access attempts. Implementing strong, unique passwords and regularly updating system security measures are essential to mitigate the risk of infection.

Why it matters

XorDdos is a sophisticated Linux malware strain known for leveraging infected devices to launch high-capacity Distributed Denial of Service (DDoS) attacks. First identified in 2014, XorDdos has evolved with advanced techniques to maintain stealth and effectiveness. The malware primarily targets Linux-based systems, infiltrating them through brute-force attacks on SSH services. Once compromised, it uses XOR-based encryption to mask its malicious activities and rootkit capabilities to evade detection. Detection involves monitoring for unusual system behavior, such as spikes in CPU usage, unexpected network traffic, and unauthorized SSH access attempts. Preventative measures include implementing strong passwords, disabling unused services, and ensuring systems are patched with the latest security updates. As this malware continues to adapt, maintaining robust cybersecurity practices is essential to defend against its growing threat.

Detections

Name | Technique | Type
Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly
Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly
Linux Auditd Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly
Linux Auditd Kernel Module Enumeration | System Information Discovery, Rootkit | Anomaly
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Cron, Scheduled Task/Job | Hunting
Linux File Creation In Init Boot Directory | RC Scripts, Boot or Logon Initialization Scripts | Anomaly
Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting
Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly
Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly
Linux Kernel Module Enumeration | System Information Discovery, Rootkit | Anomaly
Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting
Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting
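Two of the analytics above, kernel module insertion via insmod and file creation in known crontab directories, can be reproduced on raw auditd records. The following Python script is an added example written for this page; it is not Splunk's detection logic and not code from the XorDdos samples. It assumes x86_64 syscall numbers for init_module (175) and finit_module (313), a hand-picked list of crontab directories, and a small constructed audit log whose SYSCALL, PATH and PROCTITLE records are joined by the audit serial number, exactly as the Linux Auditd Syscall, Path and Proctitle data sources listed below would supply them.

```python
import re
from typing import Dict, Iterable, List

# x86_64 syscall numbers that load a kernel module (init_module, finit_module).
MODULE_LOAD_SYSCALLS = {"175", "313"}
# Directories watched for new files; this list is an assumption of the example,
# not the analytic's exact scope.
CRON_DIRS = ("/etc/cron.d/", "/etc/cron.hourly/", "/etc/cron.daily/",
             "/etc/cron.weekly/", "/etc/cron.monthly/", "/var/spool/cron/")

# Constructed sample records (not real telemetry). Serial 456 is an insmod call,
# serial 457 drops a script into /etc/cron.hourly, serial 458 is benign.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=175 success=yes exit=0 a0=7f0 a1=10 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=696E736D6F64002F746D702F6D6F642E6B6F
type=SYSCALL msg=audit(1700000000.200:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1 a2=241 a3=1b6 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="cron"
type=PATH msg=audit(1700000000.200:457): item=1 name="/etc/cron.hourly/example.sh" inode=5555 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1700000000.300:458): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2 a2=0 a3=0 items=1 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="files"
type=PATH msg=audit(1700000000.300:458): item=0 name="/home/user/notes.txt" inode=7777 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one auditd line into a dict of fields; surrounding quotes are dropped."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _SERIAL.search(line)
    if m:
        rec["_ts"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def decode_proctitle(value: str) -> str:
    """PROCTITLE is hex with NUL-separated argv; auditd prints it plainly only
    when the command has no arguments, in which case hex decoding fails."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return " ".join(a.decode("utf-8", "replace") for a in raw.split(b"\0") if a)


def group_events(lines: Iterable[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group records by audit serial so the SYSCALL, PATH and PROCTITLE
    records of one event are examined together."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("_serial", "?"), []).append(rec)
    return events


def detect_xorddos_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per matching event: kernel module insertion, or a new
    file created under a crontab directory."""
    alerts: List[Dict[str, str]] = []
    for serial, recs in group_events(lines).items():
        by_type: Dict[str, List[Dict[str, str]]] = {}
        for r in recs:
            by_type.setdefault(r.get("type", ""), []).append(r)
        cmdline = ""
        for r in by_type.get("PROCTITLE", []):
            cmdline = decode_proctitle(r.get("proctitle", ""))
        for r in by_type.get("SYSCALL", []):
            if r.get("syscall") in MODULE_LOAD_SYSCALLS or r.get("comm") == "insmod":
                alerts.append({"serial": serial, "rule": "kernel_module_insert",
                               "comm": r.get("comm", ""), "exe": r.get("exe", ""),
                               "cmdline": cmdline})
        for r in by_type.get("PATH", []):
            name = r.get("name", "")
            if r.get("nametype") == "CREATE" and name.startswith(CRON_DIRS):
                alerts.append({"serial": serial, "rule": "crontab_file_creation",
                               "path": name, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in detect_xorddos_indicators(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Grouping by serial matters in practice: the SYSCALL record tells you that init_module ran, but only the PROCTITLE record of the same event reveals which .ko path was passed, and a PATH record with nametype=CREATE is the field that separates a dropped cron script from a routine read of an existing one.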

Data Sources

Name | Platform | Sourcetype | Source
Linux Auditd Path | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Proctitle | Linux | linux:audit | /var/log/audit/audit.log
Linux Auditd Syscall | Linux | linux:audit | /var/log/audit/audit.log
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational

Source: GitHub | Version: 1