At the end of September 2014, MalwareMustDie discovered XorDDoS, which builds a botnet that can be used for launching DDoS attacks. The main characteristic of the XorDDoS family is that it compromises the target host by brute-force guessing against weak SSH passwords and executes corresponding shell scripts to install the XorDDoS malware family and malicious RootKit for host infection.

The XorDDoS variant now in wide circulation no longer carries the RootKit component that shipped with the original version; that component has been removed.

Technical Details

Overview

Upon startup, XorDDoS runs by creating subprocesses and corresponding daemons. During the initial run, XorDDoS copies the original virus file to the directory with the highest privileges before deleting it. At the same time, XorDDoS generates a large number of malicious programs with random names in that directory by reading its own file content. This makes it hard for the system administrator to locate all files, thus improving the survival probability. In addition, XorDDoS has strong anti-defense capabilities: using the RootKit technique, it hides the port number corresponding to each IP address.

Technical Analysis

At the initial phase of running, XorDDoS first sets the value of the environment variable, PATH, as follows:

/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin

The purpose is to ensure that the programs invoked in subsequent steps can be located.

The sample decrypts data using the built-in XOR-key: BB2FA36AAA9541F0.

In this way, XorDDoS obtains the C&C and port information ww.s***32c.com:3309. Note that the parsed address here may not be the actual C&C address used for command interaction.
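As an added example (not the author's code and not code from the sample), the following decoder applies the quoted key the way repeating-key XOR is normally implemented and scans a binary blob for strings hidden under it. It assumes the key is applied bytewise with index mod 16 and that each encoded buffer starts at key index 0; the sample blob is constructed, with a placeholder host in place of the real C&C address.

```python
import string

XOR_KEY = b"BB2FA36AAA9541F0"   # key string quoted in the analysis above

def xor_decode(data, key=XOR_KEY):
    """Repeating-key XOR. Assumption: the key is applied bytewise, index mod 16."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_encoded_strings(blob, key=XOR_KEY, min_len=6):
    """Scan a blob for printable strings hidden under the repeating key.
    Each encoded buffer is assumed to start at key index 0, but it can sit at
    any file offset, so all len(key) key phases are tried."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found = set()
    for phase in range(len(key)):
        decoded = bytes(b ^ key[(i + phase) % len(key)] for i, b in enumerate(blob))
        run = bytearray()
        for b in decoded + b"\0":        # sentinel flushes the final run
            if b in printable:
                run.append(b)
                continue
            if len(run) >= min_len:
                found.add(run.decode("ascii"))
            run = bytearray()
    return sorted(found)

# Constructed sample: non-ASCII filler around one encoded "host:port" string
# (placeholder host, not the masked address from the analysis).
SAMPLE_BLOB = (bytes(range(0x80, 0x80 + 37))
               + xor_decode(b"c2.example.test:3309")
               + bytes(range(0xC0, 0xC0 + 11)))
```

Because the encoded buffer sits at offset 37 in the blob, only one of the 16 key phases recovers it; runs found in other phases are noise to be filtered by an analyst.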

The sample modifies the file content, changes the file name, and generates multiple virus files with different MD5 values. It then copies these virus files to separate directories, executes them repeatedly, and creates multiple daemons at the same time.

It creates startup scripts (auto-start items) so that the virus runs automatically after a reboot.

After initializing the automatic startup item, the virus, through decryption, recovers the actual C&C address used for command controls and its backup address from the virus file.

The virus creates three threads for subsequent attack steps: threads 1 and 3 of which kill all processes generated by XorDDoS; thread 2 (called the “main thread” hereinafter) receives and executes remote control commands.

In the main thread, the virus connects to the actual C&C server and sends it the information about the CPU, memory, disk files, and network quality collected from the infected machine. It encrypts the data with the XOR-key before sending. To ensure data integrity, it places the CRC32 value of the data in the first four bytes of each packet sent.

The following presents technical information about the virus’s interaction with the server.

The virus first obtains a MAGIC string, bpujggltsmihjflqnyvcrzzydtsurpcs, and calculates the CRC32 value of the array [0,0x110,0,0,0,0,0] before obtaining computer information and sending crafted packets.

The first packet contains the CRC32 value of 0x1C bytes.

The format of the second packet is as follows:

Start Address  Size  Meaning
0x0            0x4   Memory information
0x4            0x8   NIC speed
0x8            0xC   Whether LVM_rootkit is installed
0xC            0x41  Release information (system)
0x4D           0x41  machine
0x8E           0x40  cpuid
0xCE           0x21  magic_string
0xEF           0x10  "STATIC"
0xFF           0x10  "2.02"

The first received packet is a packet that contains the CRC32 value of 0x1C bytes.

The third sent packet is a UDP packet filled with invalid characters.

The second received packet is 0x1C bytes long, with the following layout:

Field          Size
CRC            0x4
next_len_recv  0x4
command        0x4
taskgroupnum   0x4
reserve        0xC

The length of the third received packet is specified by the next_len_recv field of the previously received packet.

The following table lists received commands:

Command  Content received next   Meaning
0x2      None                    Stop DDoS; keepalive packets
0x3      Attack target and type  DDoS
0x6      HTTP link               File download
0x7      HTTP link               File download and execution (update)
0x8      HTTP link               Upload the MD5 value of the file to be executed and send POST requests
0x9      HTTP link               Download the configuration file

Command 0x9 is handled in thread 3, whose code is identical to that of the main thread.

The third received packet contains the attack targets. Every 0x114 bytes form one unit, laid out as follows:

Start Address  Length                Meaning
0x0            0x4 (unsigned int)    IP address of the attack target (target_ip)
0x4            0x2 (unsigned short)  Target port (target_port)
0x108          0x4 (int)             Attack type (sub_code)
0x10C          0x4 (int)             Whether the local IP address is used (fake_ip); 1 indicates that a random IP address is used
0x110          0x4                   Packet size

The following table lists the attack types.

Type      No.  Parameter
ACK       0xA  IP
DNS(UDP)  0x4  domain
SYN       0x5  IP

UDP_flood

The packet contains information about the attack target. Its layout is the same as that of the 0x114-byte unit described above, with the following field at offset 0x6:

Start Address  Length                              Meaning
0x6            Variable, at most 0x100 characters  Domain address
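A parser for the 0x1C-byte control header and the 0x114-byte attack-target units described above, written here as an added example for traffic analysis; it is not code from the original analysis or from the malware. It assumes little-endian integer fields, that the leading CRC32 covers the remaining 0x18 header bytes, that the target IP is stored as four raw network-order bytes, and that the "No." column of the attack-type table is the sub_code value; the fixture builders produce constructed test data, not captured traffic.

```python
import socket
import struct
import zlib

HEADER_LEN = 0x1C   # CRC(4) next_len_recv(4) command(4) taskgroupnum(4) reserve(0xC)
UNIT_LEN = 0x114    # one attack-target unit
COMMANDS = {0x2: "stop DDoS / keepalive", 0x3: "DDoS", 0x6: "file download",
            0x7: "download and execute (update)", 0x8: "upload MD5 and POST",
            0x9: "download configuration"}
ATTACK_TYPES = {0xA: "ACK", 0x4: "DNS(UDP)", 0x5: "SYN"}   # assumes No. == sub_code

def parse_header(pkt):
    """Parse the 0x1C-byte control header. Assumptions: little-endian fields,
    and the leading CRC32 covers the 0x18 bytes that follow it."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than 0x1C bytes")
    crc, next_len, command, taskgroup = struct.unpack_from("<IIII", pkt)
    return {"crc_ok": zlib.crc32(pkt[4:HEADER_LEN]) == crc,
            "next_len_recv": next_len, "command": command,
            "command_name": COMMANDS.get(command, "unknown"),
            "taskgroupnum": taskgroup}

def parse_targets(payload):
    """Split a command-0x3 payload into 0x114-byte units. Assumptions: raw
    network-order IP bytes; UDP_flood domain at 0x6 is NUL-terminated, max 0x100."""
    units = []
    for off in range(0, len(payload) - UNIT_LEN + 1, UNIT_LEN):
        u = payload[off:off + UNIT_LEN]
        sub_code, fake_ip, pkt_size = struct.unpack_from("<iiI", u, 0x108)
        units.append({"target_ip": socket.inet_ntoa(u[0:4]),
                      "target_port": struct.unpack_from("<H", u, 4)[0],
                      "domain": u[6:0x106].split(b"\0", 1)[0].decode("ascii", "replace"),
                      "sub_code": sub_code,
                      "attack_type": ATTACK_TYPES.get(sub_code, "unknown"),
                      "fake_ip": fake_ip,          # 1 = random source address
                      "packet_size": pkt_size})
    return units

# Constructed fixtures (not captured traffic) so the parser can be tried offline.
def build_header(next_len, command, taskgroup):
    body = struct.pack("<III", next_len, command, taskgroup) + bytes(0xC)
    return struct.pack("<I", zlib.crc32(body)) + body

def build_unit(ip, port, sub_code, fake_ip, pkt_size, domain=b""):
    u = bytearray(UNIT_LEN)
    u[0:4] = socket.inet_aton(ip)
    struct.pack_into("<H", u, 4, port)
    u[6:6 + len(domain)] = domain
    struct.pack_into("<iiI", u, 0x108, sub_code, fake_ip, pkt_size)
    return bytes(u)
```

A header whose CRC does not match the following bytes is reported with crc_ok False rather than rejected, so a capture-analysis script can still inspect the command field.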

Summary

Most versions of the XorDDoS family spreading in mainland China have had the RootKit removed, so they are less harmful than earlier versions. However, the attackers still use persistence mechanisms and other tricks that make it difficult for system administrators to remove the virus, which to some extent raises its survival rate.

In addition, XorDDoS encrypts the data it exchanges with the C2 server, which makes that traffic hard to detect and adds work for analysts.

Note that XorDDoS can hide its traffic simply by changing the XOR-key. Therefore, to discover this virus, detection should rely on characteristics of the network traffic rather than on specific traffic contents.
