How to Detect the Rising New XorDdos Linux Trojan


The Microsoft Defender research team reported that they have seen an exponential (256%) rise in XorDdos Linux trojan activity on their detection platform within six months.

XorDdos (also known as DDoS.XOR) was first discovered in September 2014 by the independent white-hat security research group MalwareMustDie. It was named after its denial-of-service activity on Linux endpoints and servers and its use of XOR-based encryption for its communications.

Cloud servers and Internet of Things (IoT) devices running Linux are common targets of this trojan campaign. After compromise they are mostly used for DDoS attacks, the largest of which happened in 2021 and reached 2.1Tbps.

Technical Analysis

First, the trojan launches SSH brute-force attacks against thousands of Linux machines at the same time from an already compromised machine. Once it gains an initial foothold, it downloads the malicious ELF file using curl, taking careful measures before and after saving the file so that no traces are left for forensics.

Figure: XorDdos attack vectors (source: Microsoft Defender)

Now, let's discuss some of the capabilities of the payload:

  1. It adds itself to /etc/init.d and to crontab so that the trojan runs whenever the system starts, or the downloaded payload runs every X minutes. This makes it a persistent threat.
  2. The malicious process does not run under a user account but under the system, and it closes itself when the system shuts down.
  3. Because it uses XOR-based encryption to obfuscate data, we cannot decode the data at rest or in transit without the secret key.
  4. It spoofs process names with fake command names to avoid being detected by static rules.
  5. Some XorDdos variants install a rootkit in the kernel to provide root access and hide all trojan-related traces from users. Beyond that, the rootkit adds 12 more features to the trojan.
  6. It also hides open ports and services from users using the kernel rootkit, so we won't see these connections in netstat or any other normal port-monitoring tool.


Detection Methods

Use case 1: Large numbers of failed sign-ins in login activity traces

  1. Look for failed log-in attempts across the organization or network.
  2. Identify and isolate the source system, continue the investigation and find the root cause.
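A small detector for use case 1, added here as an example and not part of the original article: it parses syslog-style OpenSSH "Failed password" lines, counts failures per source address inside a sliding time window, and flags sources that cross a threshold, together with how many distinct user names they tried (many names from one source is the brute-force signature). The log lines, the year used to complete the syslog timestamp, and the threshold/window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog timestamp (no year) as written by Debian/Ubuntu sshd into /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammering several accounts, one legitimate
# admin with two isolated typos (the .45 address is documentation space, not a real IoC).
SAMPLE_LOG = """\
May 20 10:01:01 srv1 sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
May 20 10:01:03 srv1 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
May 20 10:01:05 srv1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51238 ssh2
May 20 10:01:07 srv1 sshd[2207]: Failed password for root from 203.0.113.45 port 51240 ssh2
May 20 10:01:09 srv1 sshd[2209]: Failed password for invalid user test from 203.0.113.45 port 51242 ssh2
May 20 10:01:11 srv1 sshd[2211]: Failed password for root from 203.0.113.45 port 51244 ssh2
May 20 10:02:00 srv1 sshd[2250]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
May 20 10:05:30 srv1 sshd[2300]: Failed password for alice from 192.0.2.10 port 40002 ssh2
May 20 10:30:00 srv1 sshd[2400]: Failed password for alice from 192.0.2.10 port 40010 ssh2
"""


def parse_ts(ts, year=2022):
    """Syslog lines carry no year; the caller supplies it (assumption: 2022)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (max_failures_in_window, distinct_users_in_that_window)}
    for every source whose failed logins reach `threshold` within any
    `window_seconds` sliding window."""
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best_count, best_users = 0, 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > best_count:
                best_count = count
                best_users = len({u for _, u in evs[start:end + 1]})
        if best_count:
            hits[ip] = (best_count, best_users)
    return hits


if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins against {users} distinct users within 60s")
```

Pointing the function at a real auth log (`find_bruteforce_sources(open("/var/log/auth.log"))`) is the whole integration; tune the threshold to the environment, because a single forgotten password from a jump host will also show up as a few failures, just not as dozens of names in one minute.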

Use case 2: Creation of XorDdos-specific dropped files

  1. Monitor for malicious file drops or creations through File Integrity Monitoring.
  2. Monitor for any changes in "/etc/cron.hourly/", "/lib/" and "/var/run/".
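A minimal file-integrity baseline for use case 2, added here as an example and not the article's own tooling: it records a SHA-256 hash, permission bits and size for every regular file under the watched directories, then diffs a later snapshot against the baseline to report added, removed and modified files. The watched directory list comes from the article; the `demo()` scenario uses a temporary directory and constructed file names standing in for /etc/cron.hourly, and those names are assumptions.

```python
import hashlib
import os
import tempfile

# Directories the article recommends watching.
WATCHED_DIRS = ["/etc/cron.hourly", "/etc/init.d", "/lib", "/var/run"]


def hash_file(path):
    """SHA-256 of a file, streamed so large libraries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(dirs):
    """Map each regular file under `dirs` to (sha256, mode bits, size).
    Symlinks are skipped so a dangling or swapped link cannot make the scan
    hash a file outside the watched tree."""
    baseline = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue  # missing on this distro; nothing to watch
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                st = os.stat(p)
                baseline[p] = (hash_file(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def diff_baseline(old, new):
    """Report what changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: a fresh script appears in the cron directory and an
    existing one is rewritten. Returns the diff with paths relative to the dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cron = os.path.join(tmp, "cron.hourly")
        os.makedirs(cron)
        with open(os.path.join(cron, "logrotate"), "w") as f:
            f.write("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
        before = build_baseline([cron])

        # Simulated tampering (constructed names, not real XorDdos artefacts).
        with open(os.path.join(cron, "dropped.sh"), "w") as f:
            f.write("#!/bin/sh\n/var/run/placeholder_payload\n")
        with open(os.path.join(cron, "logrotate"), "a") as f:
            f.write("/var/run/placeholder_payload\n")
        after = build_baseline([cron])

        changes = diff_baseline(before, after)
        return {k: [os.path.relpath(p, cron) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    print(demo())
```

In production the baseline is written to disk (and ideally shipped off-host, since the article notes the rootkit can hide files from local tools) and the diff is run on a schedule; any entry in `added` or `modified` under cron or init.d is worth a ticket, because those directories change rarely outside package upgrades.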

Use case 3: Command line of the malicious process

  1. Monitor for unusual command executions such as cat resolve.conf or other possible fake commands.
  2. Use anomaly-detection tools and algorithms to detect unusual behavior in command executions.
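A process-name consistency check for use case 3, added here as an example and not part of the original article: a process that claims a familiar utility name in its command line should be backed by a binary in a system bin directory, its kernel `comm` name should match that binary, and the binary should still exist on disk. The trusted directories, scratch directories and utility-name list are assumptions (only "cat", from the article's `cat resolve.conf` example, comes from the page), and the sample process records are constructed.

```python
import os

# Where genuine utilities live on a typical Linux layout (assumption).
TRUSTED_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/")
# Directories a long-running "system utility" has no business executing from (assumption).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/")
# Names a process might claim in argv[0]; "cat" is from the article, the rest are assumptions.
KNOWN_UTILS = {"cat", "ls", "sh", "bash", "ps", "netstat", "ifconfig", "route", "top", "grep", "sleep"}

# Constructed records in the shape (pid, comm, argv, readlink(/proc/<pid>/exe)).
SAMPLE_PROCS = [
    (1200, "cat", ["cat", "/etc/resolv.conf"], "/usr/bin/cat"),
    (1337, "cat", ["cat", "resolve.conf"], "/var/run/placeholder_payload (deleted)"),
    (1400, "sshd", ["sshd: deploy [priv]"], "/usr/sbin/sshd"),
    (1500, "python3", ["python3", "/opt/app/server.py"], "/usr/bin/python3.10"),
]


def inspect_process(pid, comm, cmdline, exe):
    """Return the list of reasons this process looks like it is wearing a fake name."""
    reasons = []
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[: -len(" (deleted)")] if deleted else exe
    base = os.path.basename(exe_path)
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""

    if deleted:
        reasons.append("executable was unlinked from disk while still running")
    if exe_path.startswith(SCRATCH_DIRS):
        reasons.append(f"executable lives in a scratch directory: {exe_path}")
    if argv0 in KNOWN_UTILS and not exe_path.startswith(TRUSTED_DIRS):
        reasons.append(f"claims to be '{argv0}' but runs from {exe_path or '<unreadable>'}")
    # comm is set from the exec'd filename, so "python3" vs "/usr/bin/python3.10"
    # (a symlink) is normal; require only a prefix match to avoid that false positive.
    if comm and base and not base.startswith(comm):
        reasons.append(f"comm '{comm}' does not match executable '{base}'")
    return reasons


def scan_records(records):
    """{pid: reasons} for every record with at least one finding."""
    out = {}
    for pid, comm, cmdline, exe in records:
        reasons = inspect_process(pid, comm, cmdline, exe)
        if reasons:
            out[pid] = reasons
    return out


def collect_procfs():
    """Yield (pid, comm, argv, exe) from /proc for live use (Linux only;
    entries that vanish or are unreadable without privilege are skipped)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue
        yield pid, comm, argv, exe


if __name__ == "__main__":
    for pid, reasons in scan_records(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n  ")
```

Run `scan_records(collect_procfs())` as root to check a live host. The caveat the article itself raises applies: once the kernel rootkit is loaded, /proc can lie, so this check is most trustworthy early in the infection or from an EDR sensor that records exec events as they happen rather than reading process state afterwards.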

Prevention Methods:

  1. Use strong SSH passwords, or use private keys for accessing remote servers.
  2. Deploy a File Integrity Monitoring solution; without FIM capability we won't be able to tell when sensitive configuration files, such as those in the crontab or init.d directories, have changed.
  3. Deploy a network monitoring or visibility solution.

Indicators of Compromise

  • www[.]enoan2107[.]com:3306
  • www[.]gzcfr5axf6[.]com:3306
  • hxxp://aa[.]hostasa[.]org/config.rar

Known Malicious File Metas


#Possible file names related to XorDDoS trojan

File Locations for Monitoring Changes



Note: This article is created solely to educate professionals in the cyber frontline to prepare for the old and new threats.
