XOR DDoS

Malware

⚠️ Overview

XOR DDoS (also written XOR.DDoS) is a Linux DDoS botnet first identified in September 2014 by MalwareMustDie, primarily targeting cloud gaming operators and educational institutions in Asia. It is classed as botnet malware built for high-volume distributed denial-of-service (DDoS) attacks, operating through a command-and-control (C2) infrastructure. The name comes from the XOR encoding applied to its configuration and C2 traffic; this is obfuscation with a fixed key, not encryption, and it defeats only signature matching.

🔧 Technical Capabilities

The malware spreads by brute-forcing weak root credentials over SSH (MITRE ATT&CK T1110, Brute Force; T1021.004, Remote Services: SSH); once it has a root shell it installs itself persistently. C2 uses a multi-layered architecture with domain generation algorithms (DGA) and XOR-obfuscated payloads, so static signatures have nothing to match on the wire or in the binary's embedded configuration. Attack types include SYN floods, HTTP GET floods and UDP amplification attacks (T1498, Network Denial of Service), sent through raw sockets for maximum packet rate. Persistence relies on cron jobs (T1053.003, Scheduled Task/Job: Cron) and init.d scripts (T1037.004, Boot or Logon Initialization Scripts: RC Scripts). Evasion includes process name spoofing, with bot processes presenting as legitimate services such as 'sshd' or 'httpd' (T1036.005, Masquerading: Match Legitimate Name or Location), and deletion of log files (T1070.002, Indicator Removal: Clear Linux or Mac System Logs). The bot talks to its C2 over TCP port 80 or 443 using obfuscated HTTP-style headers (T1071.001, Application Layer Protocol: Web Protocols). Since 80 and 443 are the standard web ports, T1571 (Non-Standard Port) does not describe this traffic, and T1529 is System Shutdown/Reboot rather than log deletion, so neither ID belongs on this family.
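To make the "XOR-obfuscated payloads" point concrete, here is an added example (not code from the page, MalwareMustDie, or any XOR DDoS sample) of how an analyst recovers a repeating XOR key from an encoded configuration blob with a known-plaintext crib, then decodes the blob and pulls out the C2 endpoints. The 16-byte key, the config contents and the RFC 5737 documentation addresses are all constructed for the demonstration; a real sample's key length and format must be taken from the binary.

```python
import re
import string
from typing import List, Optional

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encodes and decodes, which is why a
    recovered key immediately yields the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery for a repeating key of length key_len.

    The crib (a string the plaintext is expected to contain, e.g. an
    'ip:port' entry) is slid across the blob. At each offset, crib XOR
    ciphertext proposes key bytes; a candidate is accepted only if it is
    self-consistent, covers every key position, and decodes the whole blob
    to printable text. The crib must be at least key_len bytes long or
    some key positions are never learned.
    """
    for off in range(len(blob) - len(crib) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for i, c in enumerate(crib):
            pos = (off + i) % key_len
            k = blob[off + i] ^ c
            if key[pos] is None:
                key[pos] = k
            elif key[pos] != k:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(k for k in key if k is not None)
        if all(b in PRINTABLE for b in xor_bytes(blob, candidate)):
            return candidate
    return None


C2_ENTRY = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def extract_c2(plaintext: bytes) -> List[str]:
    """Pull host:port entries out of a decoded configuration."""
    return [f"{h.decode()}:{p.decode()}" for h, p in C2_ENTRY.findall(plaintext)]


# Constructed sample: a C2 list (RFC 5737 documentation addresses) encoded
# with a hypothetical 16-byte key. Neither comes from a real XOR DDoS sample.
HYPOTHETICAL_KEY = b"EXAMPLEKEY123456"
CONSTRUCTED_CONFIG = b"203.0.113.10:3502\n198.51.100.7:3502\n"
SAMPLE_BLOB = xor_bytes(CONSTRUCTED_CONFIG, HYPOTHETICAL_KEY)


def analyse(blob: bytes = SAMPLE_BLOB, crib: bytes = b"203.0.113.10:3502",
            key_len: int = 16) -> List[str]:
    """Recover the key from the crib, decode the blob, list the C2 endpoints."""
    key = recover_key(blob, crib, key_len)
    if key is None:
        return []
    return extract_c2(xor_bytes(blob, key))


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_BLOB, b"203.0.113.10:3502", 16))
    print("c2 endpoints:", analyse())
```

The crib is the whole trick: because XOR with a fixed key is linear, one known line of plaintext gives the key outright, and every other sample that reuses the key (the page notes the family reuses its XOR scheme) decodes for free. The printable-text filter is what rejects wrong offsets; for binary configs replace it with a structural check on the decoded data.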

📜 History & Notable Incidents

First documented publicly by MalwareMustDie in September 2014, XOR DDoS was notably used in a sustained campaign against Asian cloud gaming operators in 2015-2016, causing service disruptions for tens of thousands of users. Akamai's Security Intelligence Response Team issued a threat advisory in September 2015 after observing attacks from the botnet that exceeded 150 Gbps, aimed mostly at gaming and education targets in Asia. In 2017, Trend Micro reported that the botnet had infected over 3,000 Linux servers globally, with major victims including a Taiwanese online gaming company and a Korean educational network. No CVEs are associated with the malware itself: initial access is brute-forcing of weak credentials, not exploitation of an unpatched vulnerability.

🔍 Detection Indicators

The SHA-256 value circulated for a 2015 sample, c7a8f9e3b1d2a4c5f6e7d8b9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8, is only 62 hex digits long and therefore cannot be a valid SHA-256; treat it as a transcription error and take sample hashes from the original vendor reports rather than from this page. Behavioural signatures include outbound connections to port 80/443 carrying XOR-encoded HTTP POST bodies that use periods as padding. Network IOCs include C2 domains such as 'xor.tech' and IP ranges belonging to Chinese and Eastern European hosting providers. Persistence indicators include the file '/etc/init.d/xor' and cron entries calling '/usr/bin/.xor', as documented in Trend Micro's 2015 threat report. Because the bot renames its processes after legitimate daemons, the reliable host-side check is to compare each process's /proc/<pid>/comm with the target of /proc/<pid>/exe: a process calling itself 'sshd' whose binary is not the packaged sshd, or whose binary has been deleted from disk, is the indicator.
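The following is an added example of a host-side hunt for the indicators above; it is not code from the page, from Trend Micro, or from any vendor. It flags process-name spoofing by comparing a process's name with the binary it actually runs from, and scans crontab or init.d script lines for hidden (dot-prefixed) executables or binaries launched from /tmp, /var/tmp, /dev/shm or /boot. The expected daemon paths are Debian/RHEL defaults and an assumption; the process list and crontab are constructed sample data, and the live /proc collector only works on Linux.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Where the daemons that XOR DDoS imitates normally live. Debian/RHEL
# defaults, an assumption: adjust per distribution.
EXPECTED_EXE: Dict[str, Set[str]] = {
    "sshd": {"/usr/sbin/sshd"},
    "httpd": {"/usr/sbin/httpd", "/usr/sbin/apache2"},
}

# A dot-prefixed path component, or execution from a writable/odd directory.
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")
ODD_EXEC_DIR = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm|boot)/\S+")


@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm: the name the process shows under
    exe: str   # readlink /proc/<pid>/exe: the binary actually executing


def spoofed_processes(procs: Iterable[Proc]) -> List[str]:
    """A process named like a known daemon must run from that daemon's binary;
    anything else is name spoofing. A ' (deleted)' suffix on the exe link
    means the binary was unlinked after launch, which dropped bots do so that
    file scanners find nothing on disk."""
    findings = []
    for p in procs:
        expected = EXPECTED_EXE.get(p.comm)
        if expected is not None and p.exe not in expected:
            findings.append(f"pid {p.pid}: '{p.comm}' runs from {p.exe}")
        elif p.exe.endswith(" (deleted)"):
            findings.append(f"pid {p.pid}: '{p.comm}' binary deleted on disk ({p.exe})")
    return findings


def suspicious_lines(lines: Iterable[str]) -> List[str]:
    """Crontab or init script lines that execute hidden files or binaries
    from /tmp, /var/tmp, /dev/shm or /boot. Comments and blanks are skipped."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if HIDDEN_PATH.search(line) or ODD_EXEC_DIR.search(line):
            hits.append(line)
    return hits


def live_procs() -> List[Proc]:
    """Collect running processes from /proc (Linux only; root is needed to
    read every exe link). Processes that exit mid-scan are skipped."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
        out.append(Proc(int(name), comm, exe))
    return out


# Constructed sample data, not captured from a real host.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "sshd", "/usr/sbin/sshd"),                 # genuine
    Proc(2231, "sshd", "/usr/bin/.xor"),                 # spoofed name
    Proc(2240, "httpd", "/boot/ifxvbktmpa (deleted)"),   # spoofed and unlinked
]
SAMPLE_CRONTAB = [
    "# m h dom mon dow user command",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "*/3 * * * * root /usr/bin/.xor",
]

if __name__ == "__main__":
    procs = live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for finding in spoofed_processes(procs) + suspicious_lines(SAMPLE_CRONTAB):
        print(finding)
```

On a real host, feed `suspicious_lines` the contents of /etc/crontab, the files under /etc/cron.d and /etc/cron.hourly, and each script in /etc/init.d; a bot that rewrites /proc/<pid>/comm cannot rewrite the exe symlink, which is why the comparison holds up even against the name spoofing the page describes.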

☠️ Risk & Impact

XOR DDoS causes significant financial losses through prolonged service outages, particularly in the gaming and education sectors where uptime is critical. Affected organizations in Korea, Taiwan, and China reported bandwidth saturation exceeding 10 Gbps during peak attacks, leading to customer churn and regulatory fines. No data exfiltration capability is documented; the malware is built solely to generate DDoS floods. Note that an infected server is a victim twice over: it is compromised at root and its outbound bandwidth is consumed by the attacks it is made to send.

🛡️ Mitigation

Defenders should disable SSH password authentication in favour of key-based authentication (or at least enforce strong passwords and forbid root password logins), monitor for outbound connections to known C2 IPs using a ruleset such as the Sigma rule 'xor_ddos.yml', and deploy network-level rate limiting. Because initial access is credential abuse rather than a software vulnerability, patching alone does not help; hardening the sshd configuration, restricting which accounts may log in over SSH, and regularly reviewing cron jobs and init.d scripts are the preventive measures that matter.
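As an added example (not from the page or any vendor), the script below audits an sshd_config for the settings XOR DDoS abuses, showing a weak configuration beside a hardened one. It reproduces two sshd parsing rules that trip up hardening efforts: sshd uses the first value it sees for a keyword, so a 'PasswordAuthentication no' appended at the end of a file is ignored if an earlier line already set it, and options under a 'Match' block are conditional rather than global. Both sample configurations are constructed; the defaults assumed (PermitRootLogin prohibit-password, PasswordAuthentication yes, KbdInteractiveAuthentication yes, MaxAuthTries 6) are OpenSSH's current ones.

```python
from typing import Dict, List


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global options of an sshd_config.

    sshd keeps the FIRST value it reads for a keyword; keywords are
    case-insensitive; '#' starts a comment; a keyword and value may be
    separated by whitespace or a single '='. Parsing stops at the first
    'Match' line because everything after it applies only conditionally.
    """
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)  # first occurrence wins
    return opts


def audit_sshd_config(text: str) -> List[str]:
    """Findings relevant to SSH brute-force bots, empty if none."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root exposed to password brute force")
    if opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes (or unset): password logins allowed")
    # Same option under its old and new name; PAM can still prompt for a
    # password through keyboard-interactive even when passwords are 'off'.
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", "yes"))
    if kbd.lower() == "yes":
        findings.append("KbdInteractiveAuthentication yes (or unset): PAM password prompts reachable")
    tries = int(opts.get("maxauthtries", "6"))
    if tries > 6:
        findings.append(f"MaxAuthTries {tries}: more guesses per connection than the default 6")
    return findings


# Constructed samples. The weak one mimics a distribution default with a
# hardening line appended at the bottom, which sshd ignores.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 10
PasswordAuthentication no   # too late: the earlier 'yes' is what sshd uses
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowGroups sshusers
Match User deploy
    ForceCommand /usr/local/bin/deploy-shell
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["no findings"])
```

Run it against the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on distributions that ship an `Include /etc/ssh/sshd_config.d/*.conf` line, concatenate the included files at the position of the Include so first-value-wins is evaluated in the same order sshd uses.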


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.