Linux systems are everywhere and are a key part of the Internet's infrastructure. Low-power Internet of Things (IoT) devices are also Linux systems, however, and they have become the main target for malicious software written for Linux.
With billions of Internet-connected devices such as cars, refrigerators, and network equipment in service, IoT devices have become a primary target for certain malware, and in particular for malware that builds botnets for distributed denial-of-service (DDoS) attacks.
In a new report, security company CrowdStrike says that the most common malware families targeting Linux in 2021 were XorDDoS, Mirai and Mozi. Together these three families accounted for 22% of all IoT malware targeting Linux that year.
The same three families were also the main driver of malware targeting Linux systems in general, which increased by 35% in 2021 compared to 2020.
Mozi, which appeared in 2019, is a peer-to-peer botnet that uses a distributed hash table (DHT), a decentralized lookup system, for its command-and-control layer. It spreads by looking for weak Telnet passwords and known vulnerabilities in networking, IoT, and video recording devices. Using a DHT lets Mozi hide its command-and-control traffic among legitimate DHT traffic, which has no central server to block. There were ten times more Mozi samples in 2021 than in 2020, CrowdStrike reports.
XorDDoS, a Linux botnet used for large-scale DDoS attacks, has existed since at least 2014. It scans the network for Linux servers whose SSH service accepts password logins and is not protected by a strong password or key-based authentication, then brute-forces the password to give the intruders remote control of the device.
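The SSH brute-forcing described above leaves a characteristic trail in the server's authentication log: a burst of "Failed password" lines from one source address, sometimes followed by an "Accepted password" line from the same address once a guess lands. The following detector is an added example written for this article, not code from CrowdStrike or from the malware; the log lines it runs over are constructed here in the standard syslog auth.log format and use documentation IP addresses, and the threshold, window and year parameters are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not real data): one source address
# guesses several passwords within a few seconds and finally succeeds,
# while a second source has a single typo followed by a normal key login.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 web1 sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 14 03:12:02 web1 sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 14 03:12:04 web1 sshd[4105]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Jan 14 03:12:05 web1 sshd[4107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 14 03:12:06 web1 sshd[4109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 14 03:12:08 web1 sshd[4111]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Jan 14 03:15:30 web1 sshd[4120]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 14 03:15:45 web1 sshd[4122]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def detect_ssh_bruteforce(log_text, threshold=5, window_s=60, year=2021):
    """Sliding-window detector: flag a source after `threshold` failed password
    logins within `window_s` seconds, and escalate if that source later gets an
    accepted *password* login (key logins are not guessable and are ignored).
    `year` is assumed because syslog timestamps carry no year."""
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, result, method, user = m["src"], m["result"], m["method"], m["user"]
        if result == "Failed":
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "bruteforce", "src": src, "count": len(recent)})
        elif result == "Accepted" and method == "password" and src in flagged:
            # a password guess from a brute-forcing source succeeded: treat as compromise
            findings.append({"type": "password_login_after_bruteforce", "src": src, "user": user})
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

On the constructed log the detector raises two findings for 203.0.113.5 (the burst, then the successful root password login) and nothing for 198.51.100.7. In production the same logic is usually fed from journald or a SIEM, and the real mitigation is to disable password authentication in sshd_config (PasswordAuthentication no) so there is nothing to guess.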
More recently, XorDDoS has begun targeting Docker clusters in the cloud rather than routers and Internet-connected smart devices. Docker containers are attractive to cryptomining malware because they offer more bandwidth, CPU and memory. DDoS malware favours IoT devices because they expose more network protocols to abuse, but with so many IoT devices already infected, Docker clusters have become an alternative target.
According to CrowdStrike, some variants of XorDDoS are built to scan for and probe Docker hosts with port 2375 open. That port is the Docker daemon's unencrypted, unauthenticated remote API: anyone who can reach it can start containers on the host without any root password, including a privileged container with the host's filesystem mounted, which is equivalent to root access to the machine.
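The exposure that XorDDoS scans for is a configuration mistake, so it can be audited from the daemon's own settings. The script below is an added example written for this article, not code from CrowdStrike or from Docker: it reads the hosts list from a daemon.json file or from a dockerd command line and flags any TCP listener that is not protected by TLS client verification (tlsverify), which is the only setting that actually authenticates remote callers. The two configurations and the command line it checks are constructed here, with the weak setting beside the corrected one, and the certificate paths are assumptions.

```python
import json
import shlex
from urllib.parse import urlparse

# Constructed examples (not real host configurations).
# Weak: the API listens on all interfaces in plaintext, with no client authentication.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Hardened: TLS on the conventional 2376 port, and tlsverify so only clients
# holding a certificate signed by the assumed CA can talk to the daemon.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed path
    "tlscert": "/etc/docker/server-cert.pem",   # assumed path
    "tlskey": "/etc/docker/server-key.pem",     # assumed path
})
# The same mistake made on the command line (e.g. in a systemd unit's ExecStart).
WEAK_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"


def tcp_listeners(hosts):
    """Return (host, port) for every tcp:// entry; unix:// and fd:// are local only."""
    out = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue
        # "tcp://:2375" and "tcp://0.0.0.0:2375" both bind every interface;
        # 2375 is dockerd's default plaintext port when none is given.
        out.append((u.hostname or "0.0.0.0", u.port or 2375))
    return out


def audit(hosts, tlsverify):
    """One finding per TCP listener that accepts unauthenticated callers.
    Note that "tls": true alone only encrypts; without tlsverify the daemon
    still accepts any client, so only tlsverify counts as protection."""
    findings = []
    for host, port in tcp_listeners(hosts):
        if not tlsverify:
            findings.append({
                "host": host,
                "port": port,
                "issue": "Docker API reachable without client authentication; "
                         "a caller can run a privileged container with / mounted "
                         "and obtain root on the host",
            })
    return findings


def audit_daemon_json(text):
    cfg = json.loads(text)
    return audit(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_cmdline(cmdline):
    """Parse -H/--host and --tlsverify from a dockerd invocation."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return audit(hosts, tlsverify)


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("weak command line:", audit_cmdline(WEAK_CMDLINE))
```

Run against the constructed inputs, the weak daemon.json and the weak command line each produce one finding on 0.0.0.0:2375 and the hardened configuration produces none. On a real host, check /etc/docker/daemon.json and the dockerd line in the systemd unit, and confirm with ss -ltn that nothing is listening on 2375 at all; a TLS-verified listener on 2376 should additionally be limited by a firewall to the hosts that need it.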
XorDDoS malware samples increased by 123% in 2021 compared to 2020, according to the company.
Mirai likewise spreads by targeting Linux devices with weak passwords. The most common Mirai variants today include Sora, IZIH9 and Rekai, whose sample counts increased by 33%, 39% and 83% respectively in 2021, according to CrowdStrike.