A significant evolution in distributed denial-of-service (DDoS) malware has been detected, with the latest version of XorDDoS continuing to spread globally between November 2023 and February 2025.
This Linux-targeting trojan transforms compromised machines into “zombie bots” that can be coordinated to execute powerful DDoS attacks against specified targets.
The malware primarily propagates through SSH brute-force attacks, trying large numbers of root password guesses against thousands of Internet-exposed servers until one accepts a weak credential and the attacker gains a shell on the Linux device.
Once inside a system, XorDDoS installs persistence so that it is started automatically at every boot, while working to stay out of sight of security products.
Cisco Talos researchers identified that over 70 percent of attacks using XorDDoS targeted the United States during the monitoring period.
The analysis of language settings in the malware’s multi-layer controller, builder, and controller binding tools strongly suggests that the operators are Chinese-speaking individuals.
“We discovered the latest version of the XorDDoS controller, called the ‘VIP version,’ and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks,” noted Cisco Talos in their recent analysis.
This central controller enables threat actors to manage multiple XorDDoS sub-controllers simultaneously, significantly enhancing their ability to coordinate large-scale attacks.
The geographic impact extends beyond the United States, with compromised systems attempting to target and attack several countries including Spain, Taiwan, Canada, Japan, Brazil, and numerous European nations.
The infection process begins when XorDDoS successfully breaches a Linux device through SSH brute-forcing.
Once inside, it deploys a malicious shell script that implements robust persistence mechanisms through init scripts and cron jobs.
These scripts are embedded within the malware itself as printf-style templates; the %s fields are filled in at install time with the name the malware chooses for its dropped file:
"# Provides:\t\t%s\n" "# Required-Start:\t\n" "# Required-Stop:\t\n" "# Default-Start:\t1 2 3 4 5\n" "# Default-Stop:\t\t\n" "# Short-Description:\t%s\n" "### END INIT INFO\n"
The malware ensures its continuous operation by installing these init scripts across multiple run levels and adding a cron job that executes every three minutes.
The cron entry is reinstalled idempotently: the embedded command first deletes any existing /etc/crontab line that references /etc/cron.hourly/gcc.sh, then appends a fresh one (the backslash escaping is as it appears in the binary's string):
"sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
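A host-side check for this persistence footprint, as an added example that is not code from the article or from Cisco Talos. The file name gcc.sh comes from the cron command above; the sample crontab and init scripts, the cadence threshold, and the run-level heuristic are this example's own constructions:

```python
"""Hunt for the XorDDoS persistence footprint described above.

Added example written for this page; it is not code from the article or
from Cisco Talos. Two checks are implemented as plain functions over
text so they run offline against the constructed samples below, plus a
scan_host() helper that applies them to a live Linux box:

  1. a system-crontab line that runs something under /etc/cron.* on a
     short "*/N" minute cadence (run-parts normally executes
     /etc/cron.hourly once an hour, so a direct "*/3" entry pointing
     into it is anomalous);
  2. an init script whose LSB header asks to start in every run level
     1-5 (including single-user level 1) while declaring no
     Required-Start/Required-Stop dependencies, the shape of the
     template the article quotes.

The script name gcc.sh and the sample files are constructed for the demo.
"""
import re
from pathlib import Path

# Hypothetical paths for the live scan; the checks themselves take text.
CRONTAB_PATH = "/etc/crontab"
INITD_DIR = "/etc/init.d"

# minute hour dom month dow user command (system crontab has a user field)
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
LSB_FIELD = re.compile(r"^#\s*([A-Za-z-]+):\s*(.*)$")


def suspicious_cron_entries(crontab_text, max_minutes=10):
    """Return (minute_field, command) for entries that run a /etc/cron.*
    path every N minutes with N <= max_minutes."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value
        m = CRON_LINE.match(line)
        if not m:
            continue
        minute, command = m.group(1), m.group(7)
        step = re.fullmatch(r"\*/(\d+)", minute)
        if step and int(step.group(1)) <= max_minutes and "/etc/cron." in command:
            hits.append((minute, command))
    return hits


def lsb_header(script_text):
    """Parse the '# Key: value' lines of an LSB init header into a dict."""
    fields = {}
    for line in script_text.splitlines():
        m = LSB_FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def suspicious_init_header(script_text):
    """True when Default-Start covers run levels 1-5 and both Required-*
    fields are empty (heuristic; legitimate services rarely start in 1)."""
    h = lsb_header(script_text)
    levels = set(h.get("Default-Start", "").split())
    return {"1", "2", "3", "4", "5"} <= levels and not h.get("Required-Start") and not h.get("Required-Stop")


# Constructed samples: a crontab carrying the malicious line, a dropped
# init script shaped like the quoted template, and a benign sshd header.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /etc/cron.hourly/gcc.sh
"""

SAMPLE_INIT = """#!/bin/sh
### BEGIN INIT INFO
# Provides:\t\tgcc.sh
# Required-Start:\t
# Required-Stop:\t
# Default-Start:\t1 2 3 4 5
# Default-Stop:\t\t
# Short-Description:\tgcc.sh
### END INIT INFO
case "$1" in start) /etc/cron.hourly/gcc.sh ;; esac
"""

BENIGN_INIT = """#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh sshd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server
### END INIT INFO
"""


def scan_host(crontab_path=CRONTAB_PATH, initd_dir=INITD_DIR):
    """Apply both checks to the live filesystem and return a findings list."""
    findings = []
    try:
        for minute, cmd in suspicious_cron_entries(Path(crontab_path).read_text()):
            findings.append(("crontab", minute, cmd))
    except OSError:
        pass
    for script in Path(initd_dir).glob("*"):
        try:
            if script.is_file() and suspicious_init_header(script.read_text(errors="replace")):
                findings.append(("init.d", str(script), "starts in run levels 1-5 with no dependencies"))
        except OSError:
            pass
    return findings


if __name__ == "__main__":
    for finding in scan_host():
        print(*finding)
```

Run it as root on a suspect host; against the constructed samples, suspicious_cron_entries flags only the */3 line (the stock run-parts entry has a fixed minute and is ignored), and suspicious_init_header is true for the dropped script and false for the sshd header. Both checks are heuristics, so treat a hit as a lead for manual review of the referenced script rather than proof of infection.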
XorDDoS decrypts its embedded configuration with the same decryption function and XOR key, “BB2FA36AAA9541F0”, as earlier variants.
Decrypted URLs and IP addresses are appended to a list of remote endpoints used to reach the command-and-control servers. The XOR obfuscation is simple, but it keeps the C2 addresses out of the binary's plain-text strings, which is enough to defeat naive string-based signatures while the bot keeps a persistent channel to its controllers.
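A decoder for this configuration, as an added example rather than code from the article or from Cisco Talos. The article supplies only the key; the repeating-key XOR routine, the length-prefixed layout used to build the sample blob, and the endpoint strings are this example's assumptions and constructions:

```python
"""Decode a XorDDoS-style XOR-obfuscated configuration.

Added example written for this page; it is not code from the article or
from Cisco Talos. The article supplies only the key "BB2FA36AAA9541F0".
Everything else here is this example's assumption: that the routine is
a repeating-key XOR (config byte i XORed with key byte i mod 16, each
string starting from key index 0), and the length-prefixed layout used
to build the sample blob. The endpoints in C2_ENTRIES are constructed
(documentation domains and a TEST-NET address), not real infrastructure.
"""
import re

XOR_KEY = b"BB2FA36AAA9541F0"

# Constructed C2 list used to build the sample blob; not real infrastructure.
C2_ENTRIES = [
    "c2.example.net:3502",
    "198.51.100.7:3502",
    "http://files.example.org/x.bin",
]


def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config(entries, key=XOR_KEY):
    """Assumed layout: one length byte, then the entry XORed from key index 0."""
    out = bytearray()
    for entry in entries:
        raw = entry.encode("ascii")
        out.append(len(raw))
        out += xor_with_key(raw, key)
    return bytes(out)


def decrypt_config(blob, key=XOR_KEY):
    """Walk the length-prefixed blob and return the decoded endpoint strings."""
    entries, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        chunk = blob[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated config entry at offset %d" % pos)
        entries.append(xor_with_key(chunk, key).decode("ascii"))
        pos += 1 + n
    return entries


# Looks like host, host:port, or URL once decoded.
ENDPOINT = re.compile(rb"(?:https?://)?[A-Za-z0-9.\-]+\.[A-Za-z0-9]+(?::\d{1,5})?(?:/[\w./\-]*)?")


def carve_xor_strings(binary, key=XOR_KEY, min_len=8):
    """Triage helper for when the layout is unknown: XOR the whole buffer
    under each of the 16 key alignments and keep decoded runs that look
    like endpoints. Strings in a real binary rarely start at a multiple
    of 16, so trying every alignment is what makes this work. Expect a
    few junk hits from bytes that happen to decode to printable text."""
    found = set()
    for shift in range(len(key)):
        rotated = key[shift:] + key[:shift]
        plain = xor_with_key(binary, rotated)
        for m in ENDPOINT.finditer(plain):
            if len(m.group(0)) >= min_len:
                found.add(m.group(0).decode("ascii"))
    return sorted(found)


# Constructed stand-in for a sample: ELF-ish header bytes, padding, the blob.
SAMPLE_BLOB = build_config(C2_ENTRIES)
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + SAMPLE_BLOB + b"\x00" * 8

if __name__ == "__main__":
    print("structured decode:", decrypt_config(SAMPLE_BLOB))
    print("carved from binary:", carve_xor_strings(SAMPLE_BINARY))
```

decrypt_config is what you write once the config layout has been reversed; carve_xor_strings is the quicker triage pass that only needs the key, and it is the reason a static XOR key gives so little protection: once the key is public, every sample's C2 list can be pulled with a few lines of script.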
In the C2 protocol, the CRC header switches to “5343f096000000000200000000000000000000000000000000000000” once a connection has been established; this works as a rudimentary client-server handshake that must complete before the bot will execute commands.
The post New XorDDoS Malware Allows Attackers to Create Sophisticated DDoS Bot Network appeared first on Cyber Security News.
18 April 2025