The activity of the Linux XorDdos bot increased by 254% over the last six months

Pierluigi Paganini May 20, 2022

Microsoft researchers have observed a spike in the activity of the Linux bot XorDdos over the last six months.

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.

XorDdos leverages persistence mechanisms, efficient evasion, and anti-forensic techniques, including obfuscating the malware’s activities, evading rule-based detection mechanisms, and hash-based malicious file lookup.

Microsoft experts observed in the last six months a 254% increase in the activity associated with XorDdos.


XorDdos spreads primarily via SSH brute force, it uses a shell script to try credential combinations across thousands of servers.

Microsoft experts determined two of XorDdos’ methods for initial access to the target systems, the first method copies a malicious ELF file to temporary file storage /dev/shm and then executing it, while the second one involves the execution of a bash script that performs a sequence of activities via the command line.

XorDdos uses various persistence mechanisms to support different Linux distributions, including init and cron scripts, setting a system’s default runlevel, and using symlinks they point to the scripts that should run at the specified runlevel.

“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.” concludes the report. “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment