The latest botnet in the news isn’t running on Windows. Instead, the XOR DDoS malware has created a botnet made up entirely of Linux systems.
This botnet is designed to attack servers with powerful distributed denial-of-service (DDoS) attacks. It’s now powerful enough to direct over 150 Gbps of traffic at servers, according to Akamai.
No, your Linux desktop isn’t vulnerable
The XOR DDoS malware was first identified in September of last year. Some websites are reporting that this takes advantage of a security vulnerability on Linux systems to infect them. It doesn’t. Instead, it finds Linux systems with SSH servers accessible to the Internet and attempts to brute-force their passwords, guessing over and over until it’s allowed in.
Secure shell (SSH) is a server that gives access to a remote shell on a computer, allowing anyone who logs in to run any commands they like. Typical Linux desktop systems just don’t have an SSH server enabled and configured by default, so they’re just not vulnerable to this attack. That’s the end of the story —you only need to worry about the XOR DDoS malware if you’ve enabled an SSH server and made it accessible to the Internet.
Poorly configured Linux servers are vulnerable
You’re under fire if you’ve installed an SSH server on a Linux system and made it available to the Internet. XOR DDoS scans the Internet for these systems and attempts to guess passwords until it’s allowed in. It then installs the XOR DDoS malware on the computer, which uses rootkit-like techniques to disguise itself.
This is just taking advantage of poorly configured SSH servers. A properly configured SSH server should be running on another port so it’s harder to find, require a private key rather than just a password, and should automatically block login attempts after a few failed ones. This would prevent the attack. Restricting access to the SSH server to specific IP addresses that need it would also help.
XOR DDoS is just one malicious actor trying to crack poorly configured SSH servers. Anyone running a public SSH server will see frequent attempts to attack it in their server logs.
Linux-based routers are in trouble, too
Unfortunately, this isn’t just restricted to Linux servers you might have set up on your own. Many routers use Linux, and home routers are often outdated, not supported with security patches, and not set up securely. Linux-based routers could be cracked by this malware if they don’t properly secure their SSH servers and make them available to the Internet. Home router security is a nightmare.
Linux isn’t perfectly secure, but there’s no big Linux exploit story here. The real problem is how many poorly configured Linux systems exist in the real world. Linux isn’t a magic bullet that will make a system secure—it has to be locked down properly, too.