XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014. It is a Linux botnet that was employed in massive DDoS attacks against gaming and education websites, with malicious traffic that peaked above 150 gigabits per second (Gbps).
The Kaiji botnet was discovered in April 2020 by the security researcher MalwareMustDie and the experts at Intezer Labs, while it was targeting Linux-based IoT devices via SSH brute-force attacks.
Variants of these two existing Linux botnet malware families, XORDDoS and Kaiji, have now been observed targeting exposed Docker servers.
Botnet operators are looking for Docker servers that expose TCP port 2375. The Docker daemon's REST API can listen on two TCP ports: 2375, which carries unauthenticated and unencrypted traffic, and 2376, which is used for TLS-protected connections. A daemon reachable on 2375 from the internet therefore gives any remote client the same control over the host's containers as the local docker command. If remote API access is needed at all, it should be served only on 2376 with TLS client-certificate verification (tlsverify) enabled and firewalled to management hosts.
Experts pointed out a notable difference between the attack methods implemented by the two malware variants: the XORDDoS bot infects all the containers hosted on the Docker server, while the Kaiji bot deploys the DDoS malware in its own container.
Upon compromising a Docker server, XORDDoS runs a sequence of commands to enumerate the containers and infect them with the DDoS malware. The malware can also gather information about the compromised system, and it can download and execute additional payloads.
At a URL linked to the attacker, experts also discovered other malware, such as Backdoor.Linux.DOFLOO.AB, targeting Docker containers.
Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executes the bot's binary. They rely on a script to download and execute the main payload, and to remove Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.
Kaiji is also able to collect information about the compromised system and, of course, to launch various types of DDoS attacks, including ACK, IP spoof, SSH, SYN, SYNACK, TCP and UDP attacks.
Recommendations for securing Docker servers:
1. Secure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.
2. Secure the networking environment. Use an intrusion prevention system (IPS) and web filtering to provide visibility and observe internal and external traffic.
3. Secure the management stack. Monitor and secure the container registry and lock down the Kubernetes installation.
4. Secure the build pipeline. Implement a thorough and consistent access control scheme and install strong endpoint controls.
5. Adhere to the recommended best practices.
6. Use security tools to scan and secure containers.
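As an added example (not code from the original article, nor from the XORDDoS or Kaiji authors), the following Python script checks a Docker host for the exact exposure both botnets hunt for: dockerd serving its REST API on tcp/2375 without TLS. It audits the daemon configuration from either /etc/docker/daemon.json or the dockerd command line, shows the weak configuration beside a hardened one (TLS client-certificate verification on 2376, bound to a single management address), and cross-checks the running system by parsing `ss -ltnp` output. The daemon.json contents, the management address 10.0.0.5 and the `ss` output are all constructed for the example.

```python
"""Docker API exposure check (added example, not from the original article).
Looks for dockerd serving its REST API on tcp/2375 without TLS, using the
daemon configuration and the listening-socket table.  Inputs are constructed."""

import json
import re
import shlex
from typing import List, Tuple

DOCKER_PLAIN_PORT = 2375  # REST API, no TLS, no authentication
DOCKER_TLS_PORT = 2376    # REST API behind TLS client-certificate auth

# Constructed weak daemon.json: API on every interface, no TLS.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed hardened counterpart: mandatory client certificates, bound only
# to the management address 10.0.0.5 (an assumed address for this example).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed `ss -ltnp` output from an exposed host.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375       0.0.0.0:*         users:(("dockerd",pid=812,fd=7))
LISTEN 0      128    127.0.0.1:2375     0.0.0.0:*         users:(("dockerd",pid=812,fd=8))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=600,fd=3))
LISTEN 0      4096   [::]:2376          [::]:*            users:(("dockerd",pid=812,fd=9))
"""


def evaluate_hosts(hosts: List[str], tlsverify: bool) -> List[str]:
    """Findings for every tcp:// listener that lacks TLS client verification
    or is bound to all interfaces.  unix:// and fd:// sockets are local-only."""
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        if not tlsverify:
            findings.append(f"{host}: TCP API without tlsverify (unauthenticated, cleartext)")
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_daemon_json(config_text: str) -> List[str]:
    """Audit the contents of /etc/docker/daemon.json."""
    cfg = json.loads(config_text)
    return evaluate_hosts(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def parse_dockerd_cmdline(cmdline: str) -> Tuple[List[str], bool]:
    """Extract -H/--host targets and the --tlsverify flag from a dockerd
    command line (the form usually found in a systemd unit override)."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_dockerd_cmdline(cmdline: str) -> List[str]:
    hosts, tlsverify = parse_dockerd_cmdline(cmdline)
    return evaluate_hosts(hosts, tlsverify)


SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$")
PROC = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def exposed_docker_listeners(ss_output: str) -> List[dict]:
    """Return tcp/2375 listeners not bound to loopback, i.e. reachable from
    the network, as a runtime cross-check of the configuration audit."""
    exposed = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or int(m.group("port")) != DOCKER_PLAIN_PORT:
            continue
        addr = m.group("addr")
        if addr.startswith("127.") or addr == "[::1]":
            continue
        p = PROC.search(m.group("proc"))
        exposed.append({"addr": addr, "port": DOCKER_PLAIN_PORT,
                        "process": p.group("name") if p else "?",
                        "pid": int(p.group("pid")) if p else None})
    return exposed


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON) or "no findings")
    print("ss -ltnp:", exposed_docker_listeners(SAMPLE_SS_OUTPUT))
```

On a real host, feed `audit_daemon_json` the contents of /etc/docker/daemon.json, `audit_dockerd_cmdline` the dockerd line from `ps -o args= -C dockerd`, and `exposed_docker_listeners` the output of `ss -ltnp`. The socket check matters because a 2375 listener can come from a systemd drop-in that daemon.json never mentions; a finding from either source means the host is visible to the scanners described above.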