"Unlike typical straightforward DDoS bots, XOR.DDoS is one of the more sophisticated malware families to target the Linux OS," the FireEye researchers said. "It's also multi-platform, with C/C++ source code that can be compiled to target x86, ARM and other platforms."
XOR.DDoS can also download and execute arbitrary binary files, which gives it the ability to update itself. FireEye observed two major versions of XOR.DDoS so far, the second one being first spotted at the end of December.
Networking and embedded devices are more likely to be vulnerable to SSH brute force attacks and it might not be possible for end-users to easily protect them, the FireEye researchers said.
There are many embedded devices that are configured for remote administration and are accessible over the Internet. In 2012, an anonymous researcher was able to hijack 420,000 such devices that had default or no telnet login passwords. He used them to scan the entire Internet as part of a research project that became known as the Internet Census 2012.
The number of devices that are accessible via SSH and use weak passwords that would be vulnerable to complex brute-force attacks like the ones used by the XOR.DDoS gang, is likely to be much higher.
If possible, the SSH servers on these devices should be configured to use cryptographic keys instead of passwords for authentication and remote login should be disabled for their root accounts, the FireEye researchers said. "Home and small business users can install the open source fail2ban utility, which works with iptables to detect and block brute force attacks."
Sign up for Computerworld eNewsletters.