About xor DDOS malware

XOR DDOS – Tsunami SYN Flood ramping up to 140 Gbps attack against public network backbone.

XOR DDOS attack aggressive last year (2015). Xor DDOS attack triggers by Botnet. The attack capability able to reproduce 150Gbps attack vector. Since the coverage of mobile computing especially cellphone users on demand today. The OS kernel of mobile phone is linux. The architecture of XOR DDOS attack relies on botnet. And the attack target is Linux OS.
This type of attack growth rapidly today. The hackers through TCP 3502 port connect to victim device trigger attack.The objective of attacks are based on flood mechanism (Syn flood and DNS flood).

Historical changes of the MD-5 checksum values:

Oct 2015 – 238ee6c5dd9a9ad3914edd062722ee50

Oct 2015 – 2edd464a8a6b49f1082ac3cc92747ba2

Nov 2014 – fd3f2c810f4391be2e6b82429c53c318 (Attack target specify Linux OS)

Hackers custom cocktail attack mechanism:

SYN and DNS floods generated by the Xor.DDoS Malware have very specific characteristics. The payload consists of garbage memory data, this memory capable to store passwords and ssh private keys.

The attacker will send many SYN packs to victim host with multiple sources. The attack will be launched on port 22 (ssh). This attack is very effective if syn_cookies are turned off. Please be remind that syn_cookies turned off by default on Linux.SYN cookies are now a standard part of Linux and FreeBSD.

DNS floods are symmetrical DDoS attacks. These attacks attempt to exhaust server-side assets (e.g., memory or CPU) with a flood of UDP requests. Since DNS servers rely on the UDP protocol for name resolution, and is a Layer 3 attack. With UDP-based queries (unlike TCP queries), a full circuit is never established, and thus spoofing is more easily.

Design objective of XOR malware:

SYN Cookies is a simple DDoS defence today, and probably suitable for all Internet hosting including mail server and corporate web servers. 500 units of compromised mobile computing devices with an average 200 Kbs of bandwidth each launching an attack will fully utilize your 100Mbs network link.

Attack target:

From technical point of view, SYN Flood and DNS flood are effectively suspend the network connectivity and domain name lookup function. It clearly shown that engage this attack to ISP or Cloud services provider might bring a Tragedy to their business. As far as I know, ISP or Cloud services provider have mechanism to detect botnet in their network and monitor the malicious communications between bot and C&C server. But for victim hosts, since it is not run in the internal network. Even though you install malware detector, define Yara rule looks not help! I believed that this is one of the key topic which headache the ISP and cloud services provider.

For mitigation of the attack, a discussion will continuous on the next phase.