A Linux botnet capable of sending more than 150 Gbps of DDoS traffic was discovered on Tuesday by Akamai's Security Intelligence Response Team (SIRT).
The botnet is spread via the Asian XOR DDoS Trojan, which hides itself in an embedded rootkit. The attacker first tries to brute-force the SSH password of the root user; on success, they gain root access and install the Trojan using a simple shell script. The script consists of the following procedures: main, check, compiler, uncompress, setup, generate, upload and checkbuild, along with variables such as __host_32__, __host_64__, __kernel__ and __remote__. The main procedure decrypts and selects the C&C server based on the architecture of the system.
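The infection vector described above starts with repeated failed root logins over SSH followed by a successful one. The following detector, added here as an example and not part of the original article, scans constructed auth.log lines (the IP addresses, hostnames and timestamps are made up for the example) for bursts of failed root logins from one source and flags a root login accepted after such a burst:

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the article): a burst of failed root
# logins from one source followed by an accepted root login, plus unrelated noise.
SAMPLE_AUTH_LOG = """\
Sep 29 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Sep 29 10:01:05 web1 sshd[2103]: Failed password for root from 203.0.113.45 port 51240 ssh2
Sep 29 10:01:09 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51251 ssh2
Sep 29 10:01:20 web1 sshd[2110]: Accepted password for root from 203.0.113.45 port 51260 ssh2
Sep 29 10:02:30 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 40000 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" format.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def find_root_bruteforce(log_text, threshold=3, window=60):
    """Return {src_ip: {"failures": n, "root_login_after_failures": bool}} for every
    source with at least `threshold` failed root logins inside `window` seconds.
    A root login accepted after the burst is the case the article describes."""
    failures = defaultdict(list)       # src -> failed-root-login timestamps (seconds)
    accepted_root = defaultdict(list)  # src -> accepted-root-login timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != "root":
            continue  # only root logins matter for this detector
        ts = to_seconds(m.group("time"))
        target = failures if m.group("result") == "Failed" else accepted_root
        target[m.group("src")].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        # sliding window: any `threshold` consecutive failures within `window` seconds
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            last_fail = times[-1]
            alerts[src] = {
                "failures": len(times),
                "root_login_after_failures": any(t > last_fail for t in accepted_root[src]),
            }
    return alerts
```

A source whose burst ends in an accepted root login is the one to treat as a likely compromise rather than just a scan; setting `PermitRootLogin no` in sshd_config removes this vector entirely.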
XOR DDoS is not a newly discovered malware family; security researchers have known about it since last year. A botnet built on XOR DDoS, however, is a new development.
Akamai analyzed the botnet's activity and found that it launches about 21 attacks per day, aimed at taking down educational and gaming websites in Asia. The most striking part is that the botnet is capable of delivering more than 150 Gbps of traffic, whereas the average global DDoS attack is no more than 10 Gbps.
It is an interesting phenomenon: Linux was long considered the most secure operating system, yet as many companies have switched from Windows to Linux, the number of vulnerabilities reported in Linux has grown drastically.