The truth about what this malware infects is different

Oct 1, 2015 07:52 GMT  ·  By

Reports have been coming in about a new Trojan named XOR DDoS that has been responsible for a number of DDoS attacks in Asia. The attacks come from Linux machines, and people are going wild. The truth is somewhat different from what has been published so far.

Malware and viruses are not common on Linux systems, so when someone announces massive 150+ Gbps DDoS attacks coming from Linux machines, you take notice. Users of other platforms are now pointing fingers at Linux, saying that it's just as vulnerable as Windows (take a moment here to stop laughing) and that it can cause just as much harm.

DDoS stands for Distributed Denial of Service, and it's actually pretty easy to understand how it works, despite the jargon. A number of computers infected with a trojan attack a single target by sending it a lot of data. That is a denial of service, and it makes the life of the victim really difficult. In the case of XOR DDoS, the machines doing the attacking are running Linux, which raises the question: how exposed are we? The answer is just as simple. We're not, or at least the majority of us are not even vulnerable.

There are always a few

In any given set of systems, you will find that some are not up to date or are very old, and old usually also means vulnerable. Dustin Kirkland, a member of the Ubuntu Product and Strategy team at Canonical, explained why Ubuntu systems are not exposed to this problem, and what he said applies to a number of other distributions such as Fedora, openSUSE, Red Hat, and so on.

The XOR DDoS malware spreads via Secure Shell (SSH) services that are susceptible to brute-force attacks because of weak passwords, and that is a dead giveaway about what kind of systems are exposed.

"In Ubuntu, we have never in 11 years asked a user to set a root password by default, and as of Ubuntu 14.04 LTS, we now explicitly disable root password logins over SSH. Any Ubuntu machine that might be susceptible to this XOR.DDoS attack is in a very small minority of the millions of Ubuntu systems in the world," said Dustin.

So, in order for your Ubuntu (or any other Linux distro) system to even be exposed to this malware, you would also have to have root password authentication enabled over SSH, a root password set, and that password would need to be simple enough to be revealed by a brute-force attack. That is highly unlikely.
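A defender-side check for exactly the condition described above, written as an added example for this page (it is not code from the article, Canonical or Akamai): it reads an sshd_config and reports whether root can still log in over SSH with a password. The two configuration snippets are constructed samples, and the OpenSSH default values assumed when a keyword is absent are noted in the comments.

```shell
#!/bin/sh
# Added example, not from the article: report whether an sshd_config permits
# the condition XOR DDoS needs to spread, root login over SSH with a password.

# Constructed sample configurations (not taken from any real system).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='Port 22
# Ubuntu 14.04 LTS style: root may use a key, never a password
PermitRootLogin without-password
PasswordAuthentication yes'

# Print the effective value of one sshd_config keyword read from stdin.
# sshd keeps the first occurrence of a keyword, matches keywords
# case-insensitively and treats '#' as a comment; $2 is the default used
# when the keyword is absent. Match blocks are not evaluated here.
sshd_option() {
    key=$1; default=$2
    val=$(sed 's/#.*//' | awk -v k="$key" 'tolower($1)==tolower(k) {print tolower($2); exit}')
    printf '%s\n' "${val:-$default}"
}

# Exit status 0 when root cannot authenticate over SSH with a password,
# 1 when the configuration leaves that door open to brute forcing.
root_password_ssh_disabled() {
    cfg=$1
    # Assumed defaults for absent keywords: the pre-OpenSSH-7.0 values,
    # which is the conservative (exposed) reading.
    prl=$(printf '%s\n' "$cfg" | sshd_option PermitRootLogin yes)
    pa=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication yes)
    case "$prl" in
        no|without-password|prohibit-password) return 0 ;;  # last is the newer name
    esac
    if [ "$pa" = no ]; then return 0; fi
    return 1
}

report() {
    if root_password_ssh_disabled "$2"; then
        echo "$1: root password login over SSH disabled"
    else
        echo "$1: EXPOSED, root can log in over SSH with a password"
    fi
}

report "weak sample" "$WEAK_CONFIG"
report "hardened sample" "$HARDENED_CONFIG"
```

To check a live host, pass the file contents instead of a sample, e.g. `root_password_ssh_disabled "$(cat /etc/ssh/sshd_config)"`; a root account with no password set closes the same door even when the check reports exposed.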

To make things even easier, ClamAV is a free antivirus program that can remove XOR DDoS. So, next time Akamai says something that sounds apocalyptic about Linux systems being infected, make sure you have all the facts before getting worried.