DDoS Attacks Taking Aim at Linux – But is it a Linux Problem, or a Human One?

There’s a certain amount of cackling that happens when one operating system has a vulnerability exposed, is hit with a major security breach or is targeted by attackers while other operating systems go untouched. It isn’t malicious, it’s more a matter of rivalry. Windows vs. Mac OS X vs. Linux is a tale as old as the digital age.

DDoS attack in progress

However, when it comes to the XOR botnet which is composed of infected Linux computers that’s taking aim at up to 20 targets a day with potent DDoS attacks, non-Linux users may need to hit pause on any feelings of superiority. Here’s what you need to know about the XOR botnet, the human error element, and how to keep from contributing to or getting hit with a DDoS attack.

A XOR botnet primer

The XOR botnet was uncovered when security researchers looked into attacks that were being aimed at gaming and educational websites, upwards of 20 per day. These sites have been on the receiving end of up to 150 Gbps of malicious traffic, enough to take some of these sites offline and rendering them unusable.

In tech speak, XOR is a malware for the Linux operating system that logs in to the command shell of Linux computers and utilizes root privileges to execute a malicious binary file. This enlists a machine as part of the XOR botnet.

Cracking the command shell

The crux of the XOR botnet issue is how the malware manages to log in to the command shell. As previously stated, there will be no feelings of OS-related superiority here: there has been no evidence uncovered that shows the XOR malware exploits any vulnerability in the Linux operating system.

So what is it exploiting? The answer won’t come as a surprise to anyone who regularly follows internet security news. It’s exploiting human error, or carelessness, or laziness. Whatever you prefer to call it. The XOR malware is guessing weak passwords used to secure the command shell (AKA Brute force attack).

Penguin on a slippery slope

Weak passwords are a slippery slope for your Linux system’s security (Shutterstock)

The bigger picture

While XOR isn’t exploiting a vulnerability in the Linux operating system, it doesn’t mean there aren’t any implications for Linux in general when it comes to security.

Roughly ten years ago, due to sheer popularity and widespread adoption it was Windows on the receiving end of the vast majority of attacks and other security-related incidents. The lesser-known and lesser-used Linux was seen as a more secure alternative, and was adopted by many people and organizations in an effort to increase security.

As Linux’s usage has grown, however, so has the size of the bullseye on its back. There’s too much opportunity for attackers to ignore. In the current security landscape, there simply is no secure operating system, and individuals and organizations need to treat their security accordingly.

Linux users’ next steps

First thing’s first: your Linux PC likely is not vulnerable to this particular malware. This is because in order to get into the command shell, XOR needs to find machines with SSH servers accessible to the Internet. This is NOT a default configuration for most Linux desktop systems. Unless you can recall enabling and configuring an internet-facing SSH server, you’re probably safe.

If you are not convinced that you’ve escaped the wrath of XOR, follow the instructions at the bottom of this article for checking your computer for infection, or removing the XOR DDoS malware.

Staying safe from DDoS attacks

Whether you’re running Linux, Windows, Mac OS X or any other operating system, let this be a wake-up call to anyone with default or otherwise weak passwords. For as long as these go unchanged, you are playing with fire, opening up your machine to recruitment into a DDoS botnet or any other number of malicious exploitations.

Furthermore, as bad as being an unwitting part of a DDoS attack-launching botnet is, it’s unfathomably worse to have your website be on the receiving end of a DDoS attack. Leaving aside having your website taken offline and rendered unavailable to users and the negative impact that has on consumer trust, unmitigated DDoS attacks have been shown to cause long-lasting consequences. This includes hardware damage, software damage, and the theft of intellectual property, confidential data, and financial information. Not to mention the cost of dealing with an unmitigated DDoS attack, which can run a large organization upwards of $40,000 per hour.

Over the past few years, DDoS attacks have exploded in size, frequency and popularity as an attack method. This is not the time for websites to be going without professional DDoS protection services.

The bottom line

If your website is targeted with a DDoS attack, you’ll undoubtedly want to be able to tell people you didn’t have to worry about it because you had the foresight to invest in professional DDoS protection. And if your computer is ever taken over as a bot, you’ll want to be able to angrily blame a flaw in your operating system instead of admitting that your password was ‘password.’ Take the necessary precautions. You’ll be glad you did.


Leave a Reply

Your email address will not be published. Required fields are marked *