A recent report by security firm CrowdStrike shows that malware targeting the Linux operating system (often deployed in IoT devices) surged by 35 percent in 2021. Among it, the three malware "families" XorDDoS, Mirai and Mozi account for 22% of all malware in Linux-based IoT systems.
2021: 35% of new malware targets Linux systems
In 2021, Linux-based malware such as XorDDoS, Mirai and Mozi surged 35% compared to 2020. Among these samples, XorDDoS samples increased by 123% compared to 2020, and the number of Mozi samples grew tenfold over the previous year.
The main purpose of the malware is to compromise vulnerable internet-connected devices, aggregate them into "botnets" and use them to carry out distributed denial of service (DDoS) attacks.
One of these families, XorDDoS, is a Linux Trojan that gets its name from its use of XOR encryption for its C2 infrastructure and network communications. The software is compiled for various Linux architectures, from ARM to x86 and x64. When targeting IoT devices, the Trojan is known to use SSH brute-force attacks to gain remote control of vulnerable devices.
On Linux machines, some XorDDoS variants show their operators scanning for Docker servers with port 2375 open. This port exposes an unencrypted Docker socket with passwordless remote root access to the host, which an attacker can exploit to gain root access to the machine.
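The SSH brute-force behaviour described above leaves a characteristic trace in sshd logs: a burst of failed logins for default accounts from one source, sometimes followed by a successful login. The following is an added detection example, not code from CrowdStrike or from the original article; it runs over a constructed sshd log sample (no year in syslog timestamps, so 2021 is assumed) and flags sources that exceed a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd log sample (syslog format): one default-credential burst that succeeds, one benign typo.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 iot-gw sshd[812]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 iot-gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:03 iot-gw sshd[814]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:04 iot-gw sshd[815]: Failed password for invalid user pi from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:05 iot-gw sshd[816]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:00:09 iot-gw sshd[817]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:03:00 iot-gw sshd[820]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:31:00 iot-gw sshd[822]: Accepted publickey for alice from 198.51.100.5 port 40004 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2021):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside a sliding window_s-second
    window, recording burst size, usernames tried and any later successful login."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue              # unrelated or unparseable line
        ip, q = ev["ip"], recent[ev["ip"]]
        if ev["result"] == "Failed":
            tried[ip].add(ev["user"])
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()       # expire failures older than the window
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"burst": 0, "users": tried[ip], "login_after_burst": False})
                entry["burst"] = max(entry["burst"], len(q))
        elif ip in flagged:       # an Accepted login from an already-flagged source
            flagged[ip]["login_after_burst"] = True
    return flagged
```

A flagged source with `login_after_burst` set is the case that needs incident response rather than just a block rule, since the credential guessing evidently worked.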
Mirai malware spread quickly after its developers released the Mirai source code, and several Mirai variants emerged. Like Mozi, Mirai abuses weak protocols and weak ciphers (such as Telnet) to compromise devices through brute-force attacks.
Some of the most common variants tracked by CrowdStrike researchers include Sora, IZIH9 and Rekai. Compared with 2020, samples of these three variants increased by 33%, 39% and 83% respectively in 2021. The core of the Linux Trojan also shares Mirai's DNA.
Mozi is a peer-to-peer (P2P) botnet that uses a distributed hash table (DHT) system, implementing its own extension of the DHT protocol. The distributed, decentralized lookup mechanism provided by DHT lets Mozi hide its C2 traffic among a large volume of legitimate DHT traffic, and the DHT also allows Mozi to grow its P2P network rapidly. Because it uses an extension of DHT that is independent of normal traffic, its C2 traffic is also harder to detect.
Linux and IoT-based malware 'flood'
As the operating system powering most of today's cloud infrastructure and web servers, Linux also powers mobile and Internet of Things (IoT) devices. With advantages such as scalability, security features and a wide range of distributions, Linux supports a variety of hardware designs and performs well across hardware requirements.
As various Linux builds and distributions lie at the heart of cloud infrastructure, mobile and IoT, they also present a huge opportunity for cyber threat actors. For example, IoT devices running Linux, whether through hard-coded credentials, open ports or unpatched vulnerabilities, are easily accessible to threat actors, and their compromise at scale can threaten the integrity of critical Internet services.
More than 30 billion IoT devices are expected to be connected to the Internet by the end of 2025, creating a potentially huge attack surface for cyber threat actors and cybercriminals to create massive "botnets".
A "botnet" is a network of compromised devices connected to a remote command and control (C2) center; each device acts as a cog in a larger network and can potentially infect other devices. "Botnets" are commonly used for DDoS attacks, spamming targets, gaining remote control, and performing CPU-intensive activities such as crypto mining. A DDoS attack uses many internet-connected devices to flood a specific service or gateway, consuming its entire bandwidth so that legitimate traffic is blocked and the service fails.
The "Mirai botnet" incident in 2016 was a reminder that a DDoS attack carried out by a large number of seemingly benign devices can disrupt critical Internet services, affecting organizations and ordinary users alike. Today, this flood of malware may be the biggest threat facing Linux.