back to article Microsoft sounds the alarm on – wait for it – a Linux botnet

Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers. The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that is amasses botnets to carry out distributed denial-of-service attacks. Over …

  1. Pete 2 Silver badge

    knock, knock.

    > the malware uses secure shell (SSH) brute force attacks to gain control on target devices.

    So basically this is a 254% increase in easily guessed root passwords on systems exposed to the internet.

    1. Androgynous Cupboard Silver badge

      Re: knock, knock.

      I'd assumed that, given SSH as root is almost always disabled by default, they were going in as regular users and then trying for sudo. But apparently not: From the report

      > It uses a malicious shell script to try various root credential combinations across thousands of servers

      Well, that's not going to be terribly effective is it? Banging on a locked door.

      1. Dave Null

        Re: knock, knock.

        Depends. Are all those millions of doors locked? Or are they made up of a bunch of insecure Internet of Shit devices that are out there in the consumer space, that maybe have default PWs?

        1. Peter Gathercole Silver badge

          Re: knock, knock.

          Most of the IoT devices running old versions of Linux will be attached to LANs behind a NAT router. This makes it impossible for someone on the Internet to even get to them to try to brute force the root password.

          The only exception to this is if the IoT device uses UPnP to knock holes in the firewall and NAT protection that the router provides. But they would be NUTS to open port 22 via UPnP, even if it were possible.

          I suppose that it may be possible that they run SSH on a non-standard port, and ask that to be opened via uPnP, but I would be surprised if they even did that, and if they did, it would be a case of guess-the-port before you even start the attack.

          Anyway, all sensible people turn UPnP of on their router, don't they?

          I monitor inbound intrusion attempts on my home network (I have a full-port redirect to a Linux firewall - which had password login disabled in the SSH config, in case you ask), I noticed an uptick of login attempts (at it's peak it was about 100 a minute, from about half-a-dozen different source addresses) using a variety of user ID and passwords just after the new year. As a precaution, I switched off the port redirect, and I've not needed to turn it back on, so it has remained off. But there was definitely something going on. Not sure if I was being specifically targeted, but that seems a little unlikely.

          1. heyrick Silver badge

            Re: knock, knock.

            I had a basic tilt and turn IP camera. A VGA quality service with a MIPS processor.

            It was running a cut down version of Linux with some extra blobs to provide the functionality. One of those bits was the Go-ahead server.

            Turns out that it had a CRITICAL flaw. If you sent an HTTP request and omitted the initial /, it would send the information requested completely ignoring and password controls. So it was entirely possible to throw together some BASIC on my Pi to extract the configuration file (which was saved in the same place as the UI web pages, thus accessible). This gives you the login passwords and the passwords for the AP and any email or FTP services used. Plus it means you can log in and push your own firmware upgrade to the device.

            Okay, granted, these hacks are specific to this type of device (it and all the other branded clones). But if this is an idea of the level of security in the domestic IoT arena, well, I would not be surprised if the world wasn't rife with shitty easily hacked bits of cheap Chinese tech.

            I contacted the company asking for the source code. Never heard back, though to be fair I think their entire involvement with the device was sticking their label on the front...

            And, yes, uPNP and WPS are disabled around these parts. Anything else is crazy.

            1. Peter Gathercole Silver badge

              Re: knock, knock.

              I keep getting the capitalization of uPNP wrong. I just seem to have a mental block on it!

          2. heyrick Silver badge
            Meh

            Re: knock, knock.

            "But there was definitely something going on."

            I run a custom server on my machine. It uses port 23 (it's a BBS). It's been clobbered more than normal since the end of February. The same idiotic scripts over and over (really, trying "root" works?), just a lot more frequently.

            I'm going to go out on a limb and think that it might just be related to the current state of global insanity.

            1. Alan Brown Silver badge

              Re: knock, knock.

              More than usual? I used to see thousands of attempts per day in the 1990s/early 2000s

              Throttling and autoblocks are your friend

              1. Missing Semicolon Silver badge

                Re: knock, knock.

                The bad guys know about these.

                My VPS uses fail2ban to cut the attempt rate. I now seem to be the target of a large rotating list of machines, all trying to hack my dovecot/postfix installation, with the round-robin time just longer than my ban duration.

                1. nagyeger

                  Re: knock, knock.

                  Sounds like what you need is a second fail2ban rule that perma-bans them after 2-3 'blocked 123.234.243.123 SSH' entries in your fail2ban log file. (and maybe an extra unblock magic port-knock sequence, just in case some cron-job on your home machine accidentally triggers it.)

                  1. gerdesj Silver badge
                    Windows

                    Re: knock, knock.

                    I am a fan of f2b but it cannot deal with massive botnets. That said, it does deal with a lot of the usual suspects because they don't bother with massively distributed IPs because the majority of their targets don't have f2b or anything like it.

                    f2b is pretty lightweight and keeps the majority of the yobs out. After that you need some funkier stuff.

                    Botnets rely on speed for initial connect so a few seconds delay can cause them to move on or you can be cruel by allowing an initial connect and slowing everything else down. TCP is a three way handshake: SYN, SYN/ACK and LOL. If every mail system popped a three second delay into the SYN/ACK and the final ACK (not LOL really - I'm a fucking comedian) then spam would be abated by roughly the Plank Constant.

                    I basically don't bother with f2b these days but that might change. I do enforce TLS 1.2 or better for my POs. IMAP with TLS and SMTP with STARTTLS and reasonably good passwords.

                    Security is all about evaluating what is happening now. I think I'll be putting f2b back in again quite soon.

              2. heyrick Silver badge

                Re: knock, knock.

                "More than usual?"

                I don't have solid metrics as the log is held in RAM (as in don't bother dropping that crap on the SD card) and I just pull it directly into a text editor and look for keywords, however it seems to be about twice as much as usual.

                I should add: since it's an IPv4 setup, I have set the system to automatically drop any connection from CN, RU, and a few other countries that have spammed the machine, using the free IPdb database (updated when I can be bothered), so these ones don't get logged at all. They might be on the increase too, but life is too short...

          3. Alan Brown Silver badge

            Re: knock, knock.

            "The only exception to this is if the IoT device uses UPnP to knock holes in the firewall and NAT protection that the router provides. But they would be NUTS to open port 22 via UPnP, even if it were possible"

            Consider them NUTS then, because that (and opening via a tunnel ) is more or less what happens to most IOT embedded linux DVR CCTV systems using Xaomai software - aka XM Eye (which is almost every unit shipped out of China using Huawei SoCs regardless of branding or UI)

            Their Sophia binary is spectacularly awful and appears to breach GPL, but it just won't die

            1. Peter Gathercole Silver badge

              Re: knock, knock.

              The reason I said "even if that is possible" is because if the firewall/router uses port 22 itself, it will not be possible for another device to use uPNP to direct that to itself.

              As I understand what happens with most IoT devices is that they open an outbound bidirectional session to a well known server on the internet that becomes the conduit for communication to the IoT device. This is not a route into the IoT device from other servers, although it does rely on the function and security of the system in the Internet. This is not uPNP.

              Similarly, using a VPN tunnel is not uPNP, and relies on additional security like a shared secret of some sort and some cryptography, and it requires an open port from the Internet through the firewall, possibly using uPNP. But this is extremely unlikely to be port 22, unless the tunnel is implemented using SSH, and even then it would not be sensible.

              The reason why it would be nuts is because port 22 is the normal port for SSH connections, so is an obvious port to try to connect for an attack. Most times, uPNP ports that are used are non-privileged ports often numbered over 10,000, so unless the attacker knows the number in advance, the first thing they have to do is a port scan to identify open ports, and then decide on the protocol in use.

          4. vogon00

            Re: knock, knock.

            "But they would be NUTS to open port 22"

            When did that stop people desperate to save a few seconds, or the 'OK, that works, it's fit for Production' crowd?

            I allow SSH/SCP/SFTP 'key authentication only' access to certain partners. however they have to be using a VPN connection I give them and can only connect to what I let them. The VPN service is only accessible from public source addresses approved by me. And yes, the port forward for the VPN service is NOT the 'well known' one for the 'stealthy by design' Wireguard-based* service....

            I totally agree about the current and legacy 'Internet of Shite' devices out there....anyone remember the Mirai botnet that used the well-known 'default password' method as it's initial IV?

            [*] All hail Jason Donenfeld. That said (As he does in the small print, somewhere) you still need a firewall involved. WG has good points and bad points from an ops. POV, but the good ones vastly outweigh the bad ones...for me, anyway.

          5. FlamingDeath Silver badge

            Re: knock, knock.

            People are nuts, you’re giving humans too much credit

            Trying to make things idiot proof is a pointless task because humans are great at creating better forms of stupid

      2. shayneoneill

        Re: The next generation will attempt to port the kernel to Javascript...

        You'd be surprised at how often I come across linux systems where the root password is either the name of the company , the bosses name, or the name of his wife. Sometimes with 1 and an esclamation mark at the end.

        1. General Purpose Silver badge

          Re: The next generation will attempt to port the kernel to Javascript...

          >or the name of his wife. Sometimes with 1 and an esclamation mark at the end.

          That's to indicate she's his first wife. Complete password changes cost alimony.

      3. itzman

        Re: knock, knock.

        I get thousands of root ssh attempts an hour, but root ssh is not enabled. I don't think any other user has been attempted

        1. VoiceOfTruth

          Re: knock, knock.

          This is what I saw in a short time against one machine, users and attempts:

          admin 108

          pi 40

          test 26

          ubuntu 23

          support 21

          ftpuser 21

          hadoop 20

          zimbra 19

          user 18

          postgres 18

          I don't know why I didn't see root. My advice to anyone: do not set up an account called 'admin'. Use anything other than 'admin'.

          1. Alan Brown Silver badge

            Re: knock, knock.

            admin is used by a LOT of embedded devices (especially switches/routers), which is why it's so popular for the skiddies to try

            1. heyrick Silver badge
              Facepalm

              Re: knock, knock.

              Especially the brain-dead combo user "admin" password "admin".

  2. ShadowSystems Silver badge

    Dear Microsoft.

    Before you start crowing about how insecure the competition can be, take a look at your own utterly abysmal track record of fatal security flaws. I'd hazard a guess that everyone else's security screw ups don't measure up to the Olympus Mons of the MS fuck ups in the same time frame.

    I mean, how many times does MS have to release a fix to fix the fix that broke the previous fix? I'm fairly sure that a functioning quality assurance team testing your code before it was allowed past the gates just might, just *might* mind you, go some way into caulking the holes of the security Swiss cheese that is your fortress walls.

    1. werdsmith Silver badge

      Re: Dear Microsoft.

      Before you start crowing about how insecure the competition can be, take a look at your own utterly abysmal track record of fatal security flaws

      Here we go again. Whataboutery of the first order. The massive chip on the shoulders of people who have to make this about OS wars was amusing but seems increasingly emotionally immature.

      Dear Microsoft, Thanks for the help MS, we will address this and be ready for the inevitable next one. Any more help you can give us, will be more than welcome. Because that's how the grown ups operates.

      1. Peter Gathercole Silver badge

        Re: Dear Microsoft.

        I would say that this is nothing to do with OS wars, and more to do with the attitude Microsoft has regarding their position in the market.

        They have shown in the past that they've been prepared to spread FUD to try to dissuade people from using anything other than Windows. I know it came from the Ballmer era, but anybody who doesn't remember the "The Truth About Linux" advertising campaign in the noughties should probably refresh their memories.

        Microsoft have form, and although they've been a little more accepting about Linux recently, the adage is that it is difficult for a leopard to change it's spots.

        So, yes, thank you Microsoft. But please try to give the full context and some comparisons to avoid FUD in future.

        1. VoiceOfTruth

          Re: Dear Microsoft.

          -> who doesn't remember the "The Truth About Linux"

          That works both ways. The Linux mob were claiming that Linux outperformed Windows NT back in 1999. I remember this. I was in the business at the time. Mindcraft did an independent test, and showed that Windows NT outperformed Linux. The penguins booed and hissed and grumbled, and complained about the tests. The tests were unfair, they said. HA HA HA.

          Another test was done. This time there were penguins from Red Hat present. Again Windows NT outperformed Linux. STILL the penguins complained. In a lovely bit sour penguin food, some Linux penguin that although true it was not relevant. HA HA HA.

          You can read more about it here.

          https://www.linuxinsider.com/story/performance-lab-tests-pit-linux-against-windows-nt-709.html

          Eventually Linus Torvalds admitted it and said it should be considered a bug. So great bolshy yarblockos to your own FUD.

    2. Just Enough
      Thumb Down

      Re: Dear Microsoft.

      Pathetic "whataboutism". Defence against things like DDOS attacks requires all agents sharing information. No one is immune or blameless. Finger-pointing like five year olds at school doesn't help anyone.

    3. pavel.petrman Silver badge

      Re: Dear Microsoft.

      Last few years Microsoft is increasingly Linux-based (I would be neither surprised nor annoyed if we were to find out that Wndows 12 ist virtualized over a Linux kernel, or, better, just another Linux shell). From my point of view it is agood thing that they keep an eye on what's going on in the Linux Endpoint world (otherwise Azure would be a much less promissing proposal than it is). Moreover, Microsoft is so big and has so many tentacles hands that it is possible, if not expected, for one hand to have a completely different agency than another. I've seen it it much smaller companies.

      So even though there is much to be excited and annoyed about both Microsoft and Linux-based systems, I wouldn't judge Microsoft this harshly. As long as they publish their numbers and methods, that is.

    4. FlamingDeath Silver badge

      Re: Dear Microsoft.

      Microsoft should just die

      Take Billy ‘no mates’ Gates with you too

  3. Roland6 Silver badge

    Isn't Azure built on Linux?

    Suspect MS are suffering from this since as they say: Microsoft threat researchers say ..."XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices,"

    Using Linux is a great way to deflect criticism: the problems MS are experiencing in the Azure cloud infrastructure is not to do with MS (proprietary) software but with Linux...

    1. wub

      Re: Isn't Azure built on Linux?

      I have no personal knowledge of this, sorry, but I learned yesterday that starting with Windows 10, Microsoft is shipping OpenSSH as part of the standard package. It's right there, ready and waiting to be configured and used. No idea what the default configuration is, but this isn't just the client, the server is in there, too.

      So they have potential exposure where ever there's a Windows machine, not just Azure.

  4. steelpillow Silver badge
    Happy

    XorD

    I'll bet you a dollar a dime that XorDos has moved across to SystemD and dropped support for Init and friends.

    Now I can smirk even more broadly every time I boot Devuan.

  5. monkeylite

    Not the most balanced

    Not saying Microsoft are blameless (by a massive margin) but I got the impression that the journalist wasn't even trying to write from a neutral position here..

    1. veti Silver badge

      Re: Not the most balanced

      If you're looking for "neutral" writing, you're on the wrong site.

      Actually, come to think of it, you're probably on the wrong Internet entirely.

  6. VoiceOfTruth

    Ah, the whaddabout from the Linux crowd

    -> But you know what else is equally dangerous as Linux botnets? Windows botnets.

    Absolutely true. But it would be wrong to dismiss a Linux botnet just because it is reported by Microsoft. We typically see numerous web scans on our AWS hosts every day. If at random we pick a couple of source IPs and connect back to port 22 we see often see Ubuntu in the OpenSSH string. Yeah.

    I have been saying this for years and will say it again now. There is a myth that pervades in the Linux so-called community that Linux is 'more secure' than Windows. My view is it can be more secure if you know what you are doing and put that knowledge into practice. But if you use Linux and just believe that Linux is more secure and you can thumb your penguin nose at Windows users you are completely wrong. Your system may well be one of these bots.

  7. Anonymous Coward
    Anonymous Coward

    Microsoft......and "Evangelism Is War".......

    ....so here we go again....

    Link: http://antitrust.slated.org/www.iowaconsumercase.org/011607/3000/PX03096.pdf

    Yup......James Plamondon in 2000.....and now this cr*p from Microsoft twenty two years later!!!

    ......and the beat goes on......Microsoft simply can't change the aggressive culture built by Bill and Steve..................

    1. Anonymous Coward
      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft......and "Evangelism Is War".......

        @AC

        Thanks for the Computerworld link.......

        ......but it describes Plamondon's comments about something unrelated to his email rant "Evangekism is War". I'd really like to know what he thinks (today) about that rant.

        ......as you can tell, I know what I think about the rant....and what it tells us about Microsoft's culture!

  8. Claptrap314 Silver badge

    Passwords for SSH?

    WAT? Seriously?

    I mean, I guess my logs are telling me that the skiddies are doing it, which strongly implies that there are idiots out there like that, but WHY? Seriously, what benefit is there to typing a password?

    And service accounts (including root) that you can log in as?

    My guess is that it's a 254% increase in honeypots & tarpits...

  9. Boris the Cockroach Silver badge

    Only

    metric to be used is

    Number of attempts against linux systems

    Number of attempts against winblows systems

    Number of successes against Linux

    Number of successes against windblows

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022