
Stealthy ‘XOR.DDoS’ trojan infects Linux systems, installs rootkit


A newly discovered trojan is infecting Linux systems and possibly building up an arsenal of devices to be used in distributed denial-of-service (DDoS) attacks, according to a blog post from Avast.

The new threat, XOR.DDoS, alters its installation depending on the victim's Linux environment and then later runs a rootkit to avoid detection. Although a similar trojan has been spotted on Windows systems, Peter Kálnai, malware analyst at Avast, said in a Wednesday interview that this trojan ventures into relatively untapped territory by targeting Linux systems.

“It's very hard to set a rootkit component within a Linux boundary because it needs to agree with the versions of the victims' operating systems,” Kálnai said.

Attackers using XOR.DDoS use brute-force tactics against various network IDs to prey on users who haven't changed the default logins for their devices. If the attack succeeds, the trojan determines whether it is compatible with the kernel headers installed on the victim's system and, if so, installs a rootkit.

“The rootkit hides all the files that are indicators of compromise, so the victims could not see those indicators,” Kálnai explained. “It also hides processes and other indicators of compromise.”

Kálnai said that the rootkit aspect of the attack was first spotted around October 2014. The trojan itself was initially detailed on MalwareMustDie in September 2014.

The trojan and its variants can infect 32-bit and 64-bit Linux web servers and desktops, as well as ARM architecture, which could indicate that routers, Internet of Things (IoT) devices, NAS storage devices and 32-bit ARM servers could also be affected, the blog post said.

Not many infections have been detected yet, although those that have been do not follow a particular pattern. Both enterprises and individuals could be impacted, although Kálnai noted that individuals should be particularly aware of the threat, as enterprises typically have stronger security measures in place.

The Avast analyst also noted a small group is likely behind most infections because the trojan hasn't been spotted on any forums.
