A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited.
The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan.20.
XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. And these are being carried out using complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand, to infect x86 and mobile ARM systems alike. Once infected, the hosts are enlisted to launch DDoS attacks.
“While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programming in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis.
What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts, per server. By the end of January, each server had seen nearly 1 million login attempts.
During this time period, traffic from 18.104.22.168/24 accounted for 63% of all observed port 22 traffic.
“Someone with a lot of bandwidth and resources really wanted to get into our servers,” FireEye researcher noted.
They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur. Now, a new stage of the Hee Thai campaign is more chaotic than the previous two.
“The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained.
The Hee Thai campaign also features an on-demand malware build system. Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand to deliver XOR.DDoS to the target machine.
This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS.
“Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.”