Linux powers most of today’s cloud infrastructure and web servers, as well as mobile and IoT devices. In a newly released report, security firm CrowdStrike notes that malware targeting Linux-based operating systems, typically those deployed in Internet of Things (IoT) devices, increased by 35 percent in 2021 compared to 2020, with the top three malware families accounting for 22 percent of all Linux-based IoT malware in 2021.

  • 35% increase in malware targeting Linux systems in 2021 compared to 2020
  • XorDDoS, Mirai and Mozi malware families account for more than 22% of the threats targeting Linux observed by CrowdStrike in 2021
  • 10x increase in the number of Mozi malware samples observed in 2021 compared to 2020

XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed by CrowdStrike in 2021. The primary purpose of these malware families is to compromise vulnerable Internet-connected devices, aggregate them into botnets, and use them to conduct distributed denial-of-service (DDoS) attacks.

One of them, XorDDoS, is a Linux Trojan compiled for a wide range of Linux architectures, from ARM to x86 and x64. It gets its name from its use of XOR encryption, both for the C2 infrastructure details embedded in the malware and for its network communications. When targeting IoT devices, the Trojan is known to use SSH brute-force attacks to gain remote control of vulnerable devices.


On Linux machines, some variants of XorDDoS have been observed scanning for Docker servers with port 2375 open. This port exposes an unencrypted Docker socket that can be reached remotely without authentication, which an attacker could abuse to gain root access to the machine.
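The exposure described above is a daemon configuration issue, so the check a defender wants is a configuration audit. The following Python is an added example, not code from the article or from CrowdStrike: it parses a Docker `daemon.json`, and flags any `tcp://` listener that lacks client-certificate verification, binds to all interfaces, or sits on the plaintext port 2375. Both configuration snippets are constructed for illustration; the hardened one assumes the usual TLS key material paths under `/etc/docker/`.

```python
"""Audit a Docker daemon.json for an unauthenticated TCP API listener.

Added example (not from the CrowdStrike report or the article): the
configuration snippets below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed: a daemon.json that exposes the Docker API on every interface,
# in plaintext and without client-certificate verification.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: the same daemon limited to loopback on the conventional TLS
# port (2376) with mutual TLS, so only holders of a client cert can connect.
# The certificate paths are assumptions, not values from the article.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_hosts(daemon_json: str) -> list:
    """Return a list of findings (strings), one per risky 'hosts' entry.

    A tcp:// listener is flagged when the daemon does not require client
    certificates (tlsverify), when it binds a non-loopback address, and
    when it uses port 2375, because the API grants root-equivalent control
    of the host to anyone who can reach it.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = parts.hostname or "0.0.0.0"
        if not tls_verify:
            findings.append(f"{host}: TCP listener without client-cert verification (tlsverify)")
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{host}: plaintext Docker API port 2375")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_hosts(cfg) or ["no findings"])
```

Run it against a real `/etc/docker/daemon.json` by reading the file into `audit_docker_hosts`; an empty list means no TCP listener is exposed without mutual TLS. Note that a daemon started with `-H tcp://...` on the command line rather than via `daemon.json` would not be seen by this check, so pair it with a look at the process arguments or listening sockets.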

CrowdStrike researchers found that the number of XorDDoS malware samples increased by nearly 123% throughout 2021 compared to 2020.


Mozi is a peer-to-peer (P2P) botnet that uses the Distributed Hash Table (DHT) system to implement its own extended DHT. The distributed, decentralised lookup mechanism provided by the DHT allows Mozi to hide C2 traffic behind a large volume of legitimate DHT traffic, and it also lets Mozi grow its P2P network rapidly. Furthermore, because Mozi uses an extension of the DHT protocol, its traffic does not correlate with normal DHT traffic, making the C2 traffic more difficult to detect.


Mozi infects systems by brute-forcing SSH and Telnet ports. It then blocks these ports so that they are not overwritten by other malicious actors or malware.


The Mirai malware has gained notoriety over the past few years, especially after its developers released the Mirai source code. Similar to Mozi, Mirai abuses weak protocols (e.g. Telnet) and weak passwords to compromise devices through brute-force attacks.
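XorDDoS, Mozi and Mirai all gain their initial foothold the same way, by brute-forcing SSH or Telnet credentials, so the most useful host-side signal is a burst of failed logins from one source. The Python below is an added example, not code from the article or from CrowdStrike: it parses sshd "Failed password" lines in the usual syslog format and flags any source IP that exceeds a threshold of failures inside a sliding time window. The log lines, the threshold of 5 and the 60-second window are constructed assumptions for illustration.

```python
"""Flag SSH brute-force sources from sshd log lines.

Added example (not from the article or the CrowdStrike report). The log
lines are constructed in the common syslog/sshd format; the threshold and
window are illustrative assumptions, not values from the report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source cycling through default IoT usernames,
# and one legitimate user who mistypes a password once, then logs in.
SAMPLE_LOG = """\
Jan 10 03:14:01 edge sshd[2201]: Failed password for root from 198.51.100.7 port 51102 ssh2
Jan 10 03:14:02 edge sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51104 ssh2
Jan 10 03:14:02 edge sshd[2205]: Failed password for root from 198.51.100.7 port 51106 ssh2
Jan 10 03:14:03 edge sshd[2207]: Failed password for invalid user pi from 198.51.100.7 port 51108 ssh2
Jan 10 03:14:04 edge sshd[2209]: Failed password for root from 198.51.100.7 port 51110 ssh2
Jan 10 03:14:05 edge sshd[2211]: Failed password for invalid user user from 198.51.100.7 port 51112 ssh2
Jan 10 03:20:15 edge sshd[2250]: Failed password for alice from 192.0.2.44 port 40010 ssh2
Jan 10 03:20:22 edge sshd[2252]: Accepted publickey for alice from 192.0.2.44 port 40012 ssh2
"""

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2021):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: (max_failures_in_window, sorted usernames tried)} for every
    source IP with at least `threshold` failures inside `window_seconds`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window: advance `start` until the window fits within the limit.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                prev = flagged.get(ip)
                if prev is None or count > prev[0]:
                    flagged[ip] = (count, users)
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in window, usernames tried: {', '.join(users)}")
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh` output) in place of `SAMPLE_LOG`; the usernames list is a useful triage hint, since a source trying `root`, `admin`, `pi` and `user` in sequence is a credential-stuffing pattern rather than a user who forgot a password. Telnet does not log failures in this format, so the cleanest mitigation for that protocol remains disabling it.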

Since the source code was made public, several Mirai variants have emerged, and this Linux Trojan can be considered the common ancestor of much of today’s Linux DDoS malware. While most variants add to existing Mirai functionality or implement different communication protocols, at their core they share the same Mirai DNA.

Some of the most popular variants tracked by CrowdStrike researchers include Sora, IZIH9 and Rekai. The number of identified samples for these three variants increased by 33%, 39% and 83% respectively in 2021 compared to 2020.
