Linux malware on the rise (the three main threats)

Linux systems are everywhere and are a key part of the Internet infrastructure. However, low-power Internet of Things (IoT) devices are also Linux systems, and they have become the main target for malware targeting Linux.

With billions of Internet-connected devices such as cars, refrigerators, and network devices, IoT devices have become a primary target for some malware, and in particular for distributed denial-of-service (DDoS) attacks.

Security company CrowdStrike says in a new report that the most common families of malware targeting Linux in 2021 were XorDDoS, Mirai and Mozi. These families accounted for 22% of all IoT malware targeting Linux that year.

They were also the main driver of malware targeting all systems running Linux. These attacks increased by 35% in 2021 compared to 2020.

Mozi, which appeared in 2019, is a peer-to-peer botnet that uses a distributed hash table (DHT), a lookup system, and looks for weak Telnet passwords and known vulnerabilities to target networking, IoT and video recording devices. Using DHT allows Mozi to hide command and control communication behind legitimate DHT traffic. There were 10x more Mozi samples in 2021 compared to 2021, CrowdStrike reports.

XorDDoS, a Linux botnet for large-scale DDoS attacks, has existed since at least 2014 and scans the network for Linux servers with SSH that is not protected by a strong password or encryption keys. It tries to guess the password to give the intruders remote control of the device.

More recently, XorDDoS has started targeting Docker clusters in the cloud rather than routers and smart devices connected to the Internet. Docker containers are attractive for cryptocurrency mining software because they provide more bandwidth, CPU and memory. DDoS malware uses IoT devices because they provide more network protocols for abuse. However, as too many IoT devices have become infected, Docker clusters have become an alternative target.

According to CrowdStrike, some variants of XorDDoS are designed to scan for Docker servers with port 2375 open, which gives remote access to the host without a root password. This may give the attacker root access to the machine.

XorDDoS malware samples increased by 123% in 2021 compared to 2020, according to the company.

Mirai also spreads by targeting Linux servers with weak passwords. The most common Mirai variants today include Sora, IZIH9 and Rekai, which increased by 33%, 39% and 83% respectively in 2021, according to CrowdStrike.


Written by giorgos
