
XorDdos malware is targeting Linux and putting millions of devices at risk

Linux systems are becoming prime targets for the XorDdos malware, a new report claims.

By Claudia Glover

Hackers are increasingly deploying the XorDdos malware to infiltrate Linux systems and launch distributed denial of service (DDoS) attacks, with a large surge in attempted breaches in recent months. The open-source nature of Linux makes it a prime target for such malware, particularly when it is running on Internet of Things (IoT) connected devices where security updates are patchy. New legislation announced this month may help tackle the problem.

XorDdos malware is targeting devices built on Linux. (Photo by Inimma-IS/iStock)

XorDdos, so-called for its use of the XOR encryption algorithm, is used to carry out ‘SSH brute force’ attacks, where it tries to work out the log-in credentials of a device. “They’re trying to rely on the fact that people haven’t secured these devices,” says Bharat Mistry, technical director of the UK and Ireland at security company Trend Micro. “In some cases it might be just a default password.”

Though not a new malware, XorDdos is increasingly being used to target Linux systems, says Microsoft’s Defender 365 security team, which has noted a 254% increase in attempted hacks using the malware on Linux systems in the past six months. “By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service attacks,” a new report from Microsoft says.
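The SSH brute-force entry point described above is visible on the target host as a burst of failed logins from one source, sometimes followed by a success when a default or weak password is found. The following detector is an added example written for this page, not code from the article, Microsoft or Trend Micro; it parses constructed sshd log lines in OpenSSH's syslog format, flags any source address with five or more failures inside a sliding 60-second window (both thresholds are assumptions to be tuned per fleet), and separately flags a successful login from a source that was already bursting, which is the event that actually warrants a response.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Detection thresholds: assumptions for this example, tune for your environment.
THRESHOLD = 5        # failed logins from one source address ...
WINDOW_SECONDS = 60  # ... within this many seconds counts as a brute-force burst

# OpenSSH auth line shape: "<ts> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user] <user> from <src> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (not from any real host); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
May 20 10:01:01 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 20 10:01:02 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51235 ssh2
May 20 10:01:03 edge-cam sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May 20 10:01:04 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51237 ssh2
May 20 10:01:05 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51238 ssh2
May 20 10:01:06 edge-cam sshd[812]: Accepted password for root from 203.0.113.7 port 51239 ssh2
May 20 10:15:30 edge-cam sshd[900]: Failed password for alice from 198.51.100.2 port 40000 ssh2
May 20 10:20:00 edge-cam sshd[901]: Accepted publickey for alice from 198.51.100.2 port 40001 ssh2
"""


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for
    # relative comparisons within one log. A real collector should inject the year.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "src": m.group("src")}


def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source; report bursts and any success after a burst."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    bursting = set()                       # sources already reported as brute-forcing
    findings = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            q = recent_failures[src]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                findings.append({"type": "brute_force", "src": src,
                                 "failures": len(q), "at": e["ts"]})
        elif e["result"] == "Accepted" and src in bursting:
            # The guesser got in: this is the alert that needs an incident response, not just a block.
            findings.append({"type": "success_after_burst", "src": src,
                             "user": e["user"], "method": e["method"]})
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_AUTH_LOG):
        print(f)
```

On the constructed sample the detector reports one brute-force burst from 203.0.113.7 and one success-after-burst for `root` over password authentication; alice's single failure followed by a key-based login is correctly ignored. The same logic drops into a log shipper or a cron job reading `/var/log/auth.log`, and the `success_after_burst` finding is the one to route to an on-call queue rather than to an automated blocklist.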

Why is Linux vulnerable to XorDdos?

Linux’s open-source model means it is commonly used to underpin IoT devices and cloud infrastructure. But this is not without its downsides when it comes to security. “Linux is not like Windows where Microsoft controls the build,” Mistry says. “The fact that it’s open source means that different groups of people will be taking the base build and then they’ll be forking off and doing their own variant of that.”

For IoT device makers, getting to market quickly is often prioritised over security, Mistry says, and once a device is up and running there is no onus on the manufacturer to provide security updates. “You’re relying on someone who’s not really making any money on it to make sure that everything is up to date,” he says. “From a vendor’s point of view, once I’ve got it out in the market, that’s it.”

This means that “hundreds of millions of smart devices” are at risk, argues Mistry. “You’ve got light bulbs, you’ve got fans, you’ve got kettles, you’ve got fridges, doorbells,” all running on Linux, often with insufficient security. And, he says, “the problem is going to grow”. He explains: “No matter what we do to circumvent or mitigate these things, as long as software is being developed and not developed securely, this problem is just going to carry on. It’s just going to escalate.”

Why are DDoS attacks becoming more common?

DDoS attacks have enjoyed a surge in popularity in recent months as a simple weapon used by ransomware gangs and other cybercriminals. DDoS attacks were a key weapon deployed against Ukraine at the start of the invasion by Russia, for example. They are so popular with ransomware gangs that their use alongside encryption and data theft has given rise to the term “triple extortion”.

The botnets unleashed as part of DDoS attacks are not only growing, but the techniques underpinning their use are becoming more sophisticated. “They started off in the very early days as very simplistic attacks, but now they’re getting more and more sophisticated,” Mistry says. “If you look at the most recent ones, some of those botnets are targeting the application layer. They’re difficult to get around and from an attacker’s point of view, you don’t need as many resources.”


XorDdos malware: how can businesses protect themselves?

Mistry says there are ways businesses can protect themselves. “If you’re buying a cloud service, then make sure that the person who you’re buying the service from is going to regularly maintain and update that platform,” he says.

For IoT devices, new regulations may help improve security. As reported by Tech Monitor, the Product Security and Telecommunications Infrastructure bill, introduced in the Queen’s Speech earlier this month, will mandate manufacturers to remove default passwords and commit to a certain amount of security updates. “Regulatory pressure could force IoT device manufacturers to put some security in,” Mistry says.

