
Custom Linux malware used in brute-force attacks


A new strain of Linux malware is being used against servers and network devices to steal data, a security vendor warned this week.
 
FireEye said the malware, dubbed “XOR.DDoS,” uses "multiple persistence mechanisms," including a rarely seen Linux rootkit, to keep its hold on infected machines.
 
Potentially, the attacks can hit desktop machines and mobile or embedded devices, it said.
 
"The campaign also utilizes complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand to infect x86 and ARM systems alike," researchers said.
 
FireEye said its global threat research network was flooded by SSH brute-force detections from machines whose addresses appeared to belong to “Hee Thai Limited.”
 
It said what was curious was the "sheer scale of the operation": more than 20,000 SSH login attempts per server were noted in the first 24 hours.
 
"The Hee Thai SSH brute force campaign always attempts to gain access to the root account," FireEye said.
 
If a login attempt is successful, the brute-forcing machine immediately logs out and stops its attack, it added.
 
A second machine then logs in and runs a remote command over SSH.
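The behaviour described above (high-volume failed root logins from one source, a successful root login that disconnects immediately, then a root login from a different machine) leaves a recognisable trace in sshd logs. The script below is an added example written for this article, not FireEye's detection logic or anything from the campaign itself: it parses constructed syslog-style sshd lines (the IPs, hostnames and timestamps are made up) and flags both patterns. The thresholds are assumptions chosen so the small sample trips them; on a real server you would tune them against the 20,000-attempts-per-day volume the article reports.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd log (syslog format); not data from the article.
SAMPLE_LOG = """\
Feb 20 03:14:01 srv1 sshd[1201]: Failed password for root from 203.0.113.10 port 41022 ssh2
Feb 20 03:14:01 srv1 sshd[1202]: Failed password for root from 203.0.113.10 port 41023 ssh2
Feb 20 03:14:02 srv1 sshd[1203]: Failed password for root from 203.0.113.10 port 41024 ssh2
Feb 20 03:14:02 srv1 sshd[1204]: Failed password for root from 203.0.113.10 port 41025 ssh2
Feb 20 03:14:03 srv1 sshd[1205]: Failed password for root from 203.0.113.10 port 41026 ssh2
Feb 20 03:14:03 srv1 sshd[1206]: Failed password for invalid user admin from 192.0.2.44 port 39000 ssh2
Feb 20 03:14:04 srv1 sshd[1207]: Failed password for root from 203.0.113.10 port 41027 ssh2
Feb 20 03:14:05 srv1 sshd[1208]: Accepted password for root from 203.0.113.10 port 41028 ssh2
Feb 20 03:14:05 srv1 sshd[1208]: Disconnected from user root 203.0.113.10 port 41028
Feb 20 03:14:41 srv1 sshd[1230]: Accepted password for root from 198.51.100.7 port 50100 ssh2
Feb 20 03:20:00 srv1 sshd[1300]: Accepted publickey for ops from 192.0.2.9 port 52110 ssh2
Feb 20 04:05:12 srv1 sshd[1300]: Disconnected from user ops 192.0.2.9 port 52110
"""

# Matches the three sshd message shapes used above; other lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+|Disconnected from user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) (?:from )?(?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd_log(text, year=2015):
    """Turn syslog-style sshd lines into event dicts; non-matching lines are skipped.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "event": m.group("event").split()[0],  # Failed / Accepted / Disconnected
            "user": m.group("user"),
            "ip": m.group("ip"),
            "port": int(m.group("port")),
        })
    return events


def brute_force_sources(events, threshold=5, target_user="root"):
    """Source IPs with at least `threshold` failed logins against `target_user`.

    `threshold` is an assumed value kept low for the sample; in production it is
    set against the observed baseline (the article cites >20,000 attempts/day).
    """
    failures = Counter(e["ip"] for e in events
                       if e["event"] == "Failed" and e["user"] == target_user)
    return {ip: n for ip, n in failures.items() if n >= threshold}


def hit_and_run_logins(events, max_session_seconds=5, follow_up_seconds=300,
                       target_user="root"):
    """Flag a successful login as `target_user` that disconnects within
    `max_session_seconds`, followed within `follow_up_seconds` by a login as the
    same account from a different source (the two-machine hand-off above).
    Returns (first_ip, second_ip) pairs."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(events):
        if e["event"] != "Accepted" or e["user"] != target_user:
            continue
        later = events[i + 1:]
        # the brute-forcer logs out almost immediately: same ip+port disconnect
        quick_logout = any(
            d["event"] == "Disconnected" and d["ip"] == e["ip"] and d["port"] == e["port"]
            and 0 <= (d["ts"] - e["ts"]).total_seconds() <= max_session_seconds
            for d in later
        )
        if not quick_logout:
            continue
        # then a second machine logs in as the same account
        for f in later:
            if (f["ts"] - e["ts"]).total_seconds() > follow_up_seconds:
                break
            if f["event"] == "Accepted" and f["user"] == target_user and f["ip"] != e["ip"]:
                findings.append((e["ip"], f["ip"]))
                break
    return findings


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("hit-and-run root logins:", hit_and_run_logins(evs))
```

The long-lived `ops` publickey session and the single failed `admin` attempt are included so the rules do not fire on ordinary traffic; only the root brute-force source and the hand-off to the second IP are reported.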
 
The attack also delivers customized malware that may be compiled on demand, which blunts signature-based detection. — Joel Locsin/TJD, GMA News