XORDDoS and Kaiji DDoS botnets target internet exposed Docker servers

XORDDoS and Kaiji DDoS botnets target internet exposed Docker servers

Security experts warn malware variants of XORDDoS and Kaiji distributed denial-of-service (DDoS) botnets are targeting exposed Docker servers.

Researchers from Trend Micro recently detected variants of two existing Linux botnet malware types — XORDDoS malware and Kaiji DDoS malware.

Each of these botnets target vulnerable, exposed Docker servers, but use different methods of DDoS attacks.

For instance, XORDDoS targets a Docker server and then infects all of the containers hosted on the server. In contrast, Kaji will deploy its own container that will host DDoS malware.

Both of them, however, have the same nefarious objective.

“These malware variants facilitate distributed denial of service (DDoS), a type of attack designed to disable, disrupt, or shut down a network, website, or service. This is done by using multiple systems to overwhelm the target system with traffic until it becomes inaccessible to other users,” Trend Micro warned in a blog post.

XORDDoS malware

According to Trend Micro, XORDDoS first searches for hosts with an exposed Docker API port 2375. The malware will then send a command to list all of the containers hosted on the Docker system.

The attackers then execute a sequence of commands, infecting all of the containers with XORDDoS malware. Each of the payloads will initiate SYN, ACK and DNS types of DDoS attacks.

Furthermore, attackers behind XORDDoS also has some links to a variant of Dofloo/AESDDoS Linux botnet malware, which also previously targeted exposed Docker APIs.

Kaiji malware

Similar to XORDDoS, Kaiji also targets exposed Docker systems in order to launch DDoS attacks.

After scanning for exposed 2375 ports on Docker hosts, Kaiji then deploys a “rogue ARM container” that executes the Kaiji binary.

Next, a script “123.sh” downloads and executes a malware payload “linux_arm,” which is the Kaiji DDoS malware.

The Kaiji will then launch the following types of DDoS cyber attacks:

  • ACK
  • IPS spoof
  • SSH
  • SYN
  • TCP flood
  • UDP flood attacks.

Docker server safeguards

In conclusion, Trend Micro offers a number of good safeguards to Defend Docker servers.

  • Lock down and secure the Docker container host OS.
  • Leverage monitoring tools for hardening and deviations to OS configurations.
  • Secure the networking environment, such as using intrusion prevention system (IPS) and web filtering.
  • Lock down the management stack, to include container registry and the Kubernetes installation.
  • Secure the build pipeline used to deploy Docker containers and code updates.

Organizations should also leverage Docker security best practices. Readers can also check out previous article What Are Application Containers And How Do I Secure Them? (that include NIST best practice guidance on container security).

Related Articles