New XORDDoS, Kaiji DDoS botnet variants target Docker servers

Operators behind XORDDoS and Kaiji DDoS botnets recently started targeting Docker servers exposed online, Trend Micro warns.

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014. It is a Linux botnet that was employed in massive DDoS attacks against gaming and education websites, with malicious traffic peaking at roughly 150 gigabits per second.

The Kaiji botnet was discovered in April by security researcher MalwareMustDie and the experts at Intezer Labs while it was targeting Linux-based IoT devices via SSH brute-force attacks.

According to the experts, both threats are linked to China; the variants recently spotted by Trend Micro have now also turned to Docker servers.

“We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A).” reads the analysis published by Trend Micro.

Botnet operators scan for Docker servers that expose TCP port 2375. The Docker daemon uses two conventional ports for its remote API: 2375 for plain HTTP, with no authentication and no encryption, and 2376 for the TLS-protected variant. A daemon reachable on 2375 hands any client on the network the same control over containers and images that a local root user has.
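As an added example (not code from Trend Micro, Docker or the Security Affairs article), the following Python script audits a host's dockerd configuration for exactly the exposure described above: a tcp:// listener without TLS client authentication. dockerd takes its listen addresses from the "hosts" key of /etc/docker/daemon.json and from the -H/--host flags on its command line (usually the ExecStart= line of docker.service); the script parses both forms and grades each TCP listener. The sample daemon.json documents, the unit line, the 10.0.0.5 address and the certificate paths are constructed for the demonstration and are not taken from the report.

```python
"""Audit a dockerd configuration for an unauthenticated TCP API listener.

Added example, not Trend Micro's or Docker's code. dockerd takes its
listen addresses from the "hosts" key of /etc/docker/daemon.json and/or
from -H/--host flags on its command line (usually the ExecStart= line
of docker.service). A tcp:// listener without tlsverify is the exposure
the article describes: the full Docker API, no authentication.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples; the address, paths and unit line are hypothetical.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,                    # clients must present a cert signed by tlscacert
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"


def parse_daemon_json(text):
    """Return (hosts, tls, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tls")), bool(cfg.get("tlsverify"))


def parse_execstart(line):
    """Return (hosts, tls, tlsverify) from a systemd ExecStart= line."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tls, tlsverify = [], False, False
    it = iter(argv)
    for tok in it:
        if tok in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif tok.startswith("--host=") or tok.startswith("-H="):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tls", "--tls=true"):
            tls = True
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tls, tlsverify


def assess(hosts, tls, tlsverify):
    """One (severity, bind address, reason) finding per tcp:// listener.

    unix:// and fd:// listeners are local-only and are skipped.
    """
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        host = u.hostname or "0.0.0.0"        # "tcp://:2375" also binds every interface
        # dockerd defaults: 2375 without TLS, 2376 with TLS
        port = u.port or (2376 if (tls or tlsverify) else 2375)
        bind = f"{host}:{port}"
        if tlsverify:
            if host in ("0.0.0.0", "::"):
                findings.append(("WARNING", bind, "client certs required, but bound to every interface"))
            else:
                findings.append(("OK", bind, "TLS with client certificate authentication"))
        elif tls:
            findings.append(("CRITICAL", bind, "TLS without client authentication: anyone can drive the daemon"))
        else:
            findings.append(("CRITICAL", bind, "plaintext, unauthenticated Docker API"))
    return findings


def worst(findings):
    """Highest severity across findings, 'OK' when there is no TCP listener."""
    order = {"OK": 0, "WARNING": 1, "CRITICAL": 2}
    return max((f[0] for f in findings), key=order.get, default="OK")


if __name__ == "__main__":
    for label, findings in (
        ("daemon.json (weak)", assess(*parse_daemon_json(WEAK_DAEMON_JSON))),
        ("daemon.json (hardened)", assess(*parse_daemon_json(HARDENED_DAEMON_JSON))),
        ("docker.service (weak)", assess(*parse_execstart(WEAK_EXECSTART))),
    ):
        print(f"{label}: {worst(findings)}")
        for sev, bind, why in findings:
            print(f"  [{sev}] {bind}: {why}")
```

To run it against a real host, feed parse_daemon_json the contents of /etc/docker/daemon.json and parse_execstart the ExecStart= line shown by `systemctl cat docker`. Note that dockerd refuses to start when "hosts" is configured in both places, so choose one. Even the "OK" state hands root-equivalent control to any holder of a CA-signed client certificate; where remote administration is really needed, bind only to a management interface, or drop the TCP listener entirely and reach the daemon over SSH with `DOCKER_HOST=ssh://user@host`.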

Experts pointed out a notable difference between the attack methods of the two variants: XORDDoS infects all the containers already hosted on the Docker server, while Kaiji deploys the DDoS malware in a container of its own.

Upon compromising a Docker server, XORDDoS runs a sequence of commands to enumerate the containers and infect each of them with the DDoS malware. The malware can also gather information about the compromised system and download and execute additional payloads.

While investigating the URL linked to the attacker, experts also found other malware, such as Backdoor.Linux.DOFLOO.AB, targeting Docker containers.

Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executes its binary. Researchers found that the operators use a script to download and execute the main payload and to remove Linux binaries that are basic components of the operating system but are not needed for the DDoS operation.

Kaiji can also collect information about the compromised system and launch various types of DDoS attacks, including ACK, IPS spoof, SSH, SYN, SYNACK, TCP and UDP attacks.

Trend Micro provides the following recommendations for securing Docker servers:

  • Secure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.
  • Secure the networking environment. Use intrusion prevention system (IPS) and web filtering to provide visibility and observe internal and external traffic.
  • Secure the management stack. Monitor and secure the container registry and lock down the Kubernetes installation.
  • Secure the build pipeline. Implement a thorough and consistent access control scheme and install strong endpoint controls.
  • Adhere to the recommended best practices.
  • Use security tools to scan and secure containers.

Pierluigi Paganini

(SecurityAffairs – hacking, Docker)
