There is a new campaign where bad guys use Secure Shell (SSH) brute force attacks to install a piece of distributed denial of service (DDoS) malware on systems.
The malware, called XOR.DDoS, first saw the light of day in September from the Malware Must Die research group, which linked it to China. XOR.DDoS is different from other DDoS bots because it’s in C/C++ and it uses a rootkit component for persistence, said security researchers at FireEye.
FireEye started analyzing XOR DDoS in mid-November when it spotted SSH brute force attacks against its global threat research network coming from IP addresses belonging to Hee Thai Limited, an organization apparently based in Hong Kong. The security firm saw more than 20,000 SSH login attempts per server in the first 24 hours.
The second phase of the campaign took place between November 19 and November 30. By the end of November, FireEye had observed 150,000 login attempts from almost every IP address belonging to Hee Thai Limited. The third phase, which according to researchers is more “chaotic” than the previous two, started on December 7 and continues today. Nearly 1 million login attempts were on each server by the end of January.
In case an SSH password ends up successfully brute-forced, the attackers log in to the targeted server and execute SSH shell commands. They extract kernel headers and version strings from the targeted device and use them to create customized malware that’s compiled on-demand on sophisticated build systems.
Once it’s on a system, the XOR.DDoS malware connects to its command and control (C&C) server, from which it gets a list of targets. In addition to DDoS attacks, the bot is also capable of downloading and executing arbitrary binaries, and it can replace itself with a newer variant by using a self-update feature.
The problem for victims is the SSH commands used by the attackers don’t show up in logs, FireEye said.
“Linux servers running the standard OpenSSH server will only see a successful login in their logs, followed by an immediate logout and no further activity,” FireEye researchers said in a blog. “This commonly used feature of OpenSSH, interestingly enough, evades standard Linux logging facilities. The OpenSSH server does not log remote commands, even when logging is configured to the most verbose setting.”
The rootkit component, whose main goal is to hide indicators of compromise at kernel level, loads as a loadable kernel module (LKM), the security firm said.
Researchers found two variants of XOR.DDoS in the wild. Both variants can be compiled for x86, ARM and other platforms as well.