Linux-based systems are everywhere and are a core part of the internet infrastructure but it’s low-powered Internet of Things (IoT) devices that have become the main target for Linux malware.
With billions of internet-connected devices like cars, fridges and network devices online, IoT devices have become a prime target for certain malware activity — namely distributed denial of service (DDoS) attacks, where junk traffic aim to flood a target and knock them offline.
Security vendor CrowdStrike says in a new report that the most prevalent Linux-based malware families in 2021 were XorDDoS, Mirai and Mozi, which collectively accounted for 22% of all Linux-based IoT malware that year. These were also a main driver of malware targeting all Linux-based systems, which grew 35% in 2021 compared with 2020.
Mozi, which emerged in 2019, is a peer-to-peer botnet that uses the distributed hash table (DHT) — a lookup system — and relies on weak Telnet passwords and known vulnerabilities to target networking devices, IoT, and video recorders, among other internet-connected products. The use of DHT allows Mozi to hide its command and control communication behind legitimate DHT traffic. There were 10 times more Mozi samples in 2021 compared to 2021, Crowdstrike notes.
XorDDoS, a Linux botnet for large scale DDoS attacks, has been around since at least 2014 and scans the net for Linux servers with SSH servers that aren’t protected with a strong password or encryption keys. It attempts to guess the password to give attackers remote control over the device.
More recently, XorDDoS began targeting misconfigured Docker clusters in the cloud rather than its historical targets such as routers and internet-connected smart devices. Docker containers are attractive for cryptocurrency mining malware because they provide more bandwidth, CPU and memory but DDoS malware benefits from IoT devices because they provide more network protocols to abuse. However, since many IoT devices are already infected, Docker clusters became an alternative target.
According to CrowdStrike, some XorDDoS variants are built to scan and search for Docker servers with the 2375 port open, offering an unencrypted Docker socket and remote root passwordless access to the host. This can give the attacker root access to the machine.
XorDDoS malware samples have increased by almost 123% in 2021 compared to 2020, according to the firm.
Mirai also spreads by targeting Linux servers with weak passwords. The most prevalent Mirai variants today include Sora, IZIH9 and Rekai, which increased in new sample counts by 33%, 39% and 83% respectively in 2021, according to CrowdStrike.