CrowdStrike's report shows that Linux-targeted malware increased by 35% in 2021 compared to the previous year. Linux is used in most web servers, cloud infrastructure, mobile devices, and IoT devices, and its growing footprint attracts attackers. CrowdStrike's threat telemetry also shows that the top three malware families accounted for 22% of all Linux-based IoT malware in 2021.
XorDDoS, Mirai, and Mozi
Mozi, a P2P botnet network, became 10 times more prevalent in 2021.
XorDDoS, Mirai, and Mozi were the most prevalent Linux-based malware families observed in 2021. All three share the same purpose: compromise devices, amass them into botnets, and use those botnets to launch DDoS attacks.
XorDDoS is a trojan that targets multiple Linux architectures, from ARM to x86 and x64; its name comes from its use of XOR encryption. It targets IoT devices through SSH brute-force attacks to gain remote control of vulnerable devices.
Mozi, which became 10 times more prevalent in 2021, is a peer-to-peer (P2P) botnet. It builds on the distributed hash table (DHT) system and implements its own extended DHT protocol. This distributed, decentralized lookup mechanism lets Mozi hide its C2 communication within a large volume of DHT traffic.
Mirai became widespread after its developer published its source code. Like Mozi, it abuses weak protocols and weak passwords, compromising devices through brute-force attacks. It is the common ancestor of many Linux DDoS malware families.
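As an added example, not taken from the CrowdStrike report or this page: the SSH credential brute-forcing that XorDDoS and Mirai rely on shows up in sshd logs as a dense run of failed logins from one source, and this Python script flags such sources in constructed sample auth.log lines. The threshold, the time window and the IP addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog/auth.log format (not real telemetry).
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 12 03:14:02 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 12 03:14:03 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 41041 ssh2
Jan 12 03:14:04 web1 sshd[2237]: Failed password for invalid user pi from 203.0.113.7 port 41052 ssh2
Jan 12 03:14:05 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 41060 ssh2
Jan 12 03:14:06 web1 sshd[2241]: Accepted publickey for deploy from 198.51.100.5 port 50012 ssh2
Jan 12 03:20:10 web1 sshd[2250]: Failed password for alice from 198.51.100.9 port 50100 ssh2
Jan 12 03:45:10 web1 sshd[2260]: Failed password for alice from 198.51.100.9 port 50101 ssh2
"""

# Matches OpenSSH's failed-password line; "invalid user" marks usernames that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2021):
    """Return a list of (timestamp, ip, user) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so one is supplied to build a datetime
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out

def find_bruteforce_sources(log_text, threshold=5, window_s=60):
    """Map each IP with >= threshold failures inside any window_s-second span
    to (peak failures in one window, sorted usernames tried)."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # slow, sparse failures (198.51.100.9) stay below it
            hits[ip] = (peak, sorted({u for _, u in events}))
    return hits
```

Calling `find_bruteforce_sources(SAMPLE_LOG)` on the sample reports only 203.0.113.7 (five failures in five seconds across root, admin and pi), while the two failures spread over 25 minutes from 198.51.100.9 are not flagged; feeding real `journalctl -u sshd` output into the same function works the same way.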