‘Groundhog’ Botnet Infects Hundreds Per Day and Increasing
Discovered in early 2015, the ‘Groundhog’ DDoS botnet began its spread using SSH brute force attacks. Researchers at Lacework believe that the botnet is rapidly expanding, with infection rates above one hundred new infections per day, and that it has infected at least 26,000 servers to date. Many of these infections were found in Brazil, the US, and India, and include clusters of cloud infrastructure from major providers such as GCP, Azure, and Amazon.
The Groundhog botnet is composed of two closely related malware variants known as XOR.DDOS and Groundhog.
XOR.DDOS is a Distributed Denial of Service (DDoS) capable Linux-based malware with the ability to perform related attacks such as SYN/ACK floods and DNS amplification. It also includes additional functionality such as the ability to download other malware, perform system reconnaissance, and terminate running processes in an attempt to remain hidden and escape from sandbox environments.
It’s also interesting to note that the built-in configuration of XOR.DDOS contains a list of processes to kill and of IPs whose connections to terminate, all belonging to other malware. This is an attempt to compete against rival cryptojackers and gain cyber ‘real estate’.
In 2015, researchers at Checkpoint reported that Groundhog/XOR.DDOS infections were preceded by SSH brute force attacks, suggesting that these SSH attacks were the botnet’s main propagation method. However, the XOR.DDOS malware is not bundled with any propagation module, so the link to SSH brute-force attacks remains circumstantial at best, and there are likely other mechanisms in place to spread the malware. It’s true that botnets remain the most effective system for brute force campaigns, since the larger they are, the more resistant they become to blacklisting countermeasures. This is especially true with Groundhog due to the small overlap between botnet IPs and brute force lists.
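The blacklisting point above is worth seeing in detection logic: a per-IP threshold catches a single noisy source but misses a large botnet that spreads its guesses thinly across many addresses. The following is an added example written for this page (not code from Lacework, Checkpoint, or the malware itself); it parses sshd "Failed password" lines and flags both cases, and the log lines, thresholds, and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Matches the sshd syslog line for a failed password attempt (with or
# without the "invalid user" prefix) and captures the user and source IP.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(lines):
    """Yield (user, ip) for every failed SSH password attempt in the lines."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def detect(lines, per_ip_threshold=5, distributed_threshold=20, min_sources=10):
    """Return (noisy_ips, distributed_alert).

    noisy_ips: sources at or above per_ip_threshold failures, the classic
    rule that feeds a blacklist.
    distributed_alert: True when the sources that stay *below* the per-IP
    threshold still add up to distributed_threshold failures from at least
    min_sources distinct IPs, the pattern a large botnet produces while
    evading per-IP blacklisting. Thresholds here are constructed values.
    """
    per_ip = Counter(ip for _, ip in parse_failures(lines))
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    quiet = {ip: n for ip, n in per_ip.items() if n < per_ip_threshold}
    distributed = (sum(quiet.values()) >= distributed_threshold
                   and len(quiet) >= min_sources)
    return noisy, distributed

def _line(pid, user, ip, port):
    # Constructed sshd log line in syslog format (documentation-range IPs).
    return (f"Mar  3 10:01:02 host sshd[{pid}]: Failed password for {user} "
            f"from {ip} port {port} ssh2")

# Constructed sample: one noisy host (6 tries) plus a botnet-style spray of
# 12 IPs making 2 tries each, and one unrelated successful key login.
SAMPLE_LOG = [_line(2200 + i, "root", "203.0.113.5", 51000 + i) for i in range(6)]
SAMPLE_LOG += [_line(3000 + i, "root", f"198.51.100.{1 + i // 2}", 40000 + i)
               for i in range(24)]
SAMPLE_LOG.append("Mar  3 10:03:00 host sshd[3100]: Accepted publickey for ops "
                  "from 192.0.2.9 port 5000 ssh2")

if __name__ == "__main__":
    noisy, spray = detect(SAMPLE_LOG)
    print("per-IP alerts:", noisy)            # ['203.0.113.5']
    print("distributed brute force:", spray)  # True
```

Only the noisy host would land on a blacklist; the twelve low-rate sources are invisible to the per-IP rule and surface only through the aggregate check.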
Further Reading: