Aesddos is a trojan that extends the core functionality provided by MrBlack with C&C communication encrypted with AES. Persistence is realized at the beginning of the execution in the autoboot procedure by stream editing the files /etc/init.d/boot.local (AS1) and /etc/rc.local (AS3). The attack itself is performed via two main threads, backdoorA and backdoorM. The trojan supports the same Linux architectures as MrBlack, but the EM_ x86_64 variant was not observed. A detailed analysis of the MIPS variant is provided by M.J. Bohio .
This is another trojan subfamily that strongly resembles Aesddos, with two main threads called DoubleDoMain1 and DoubleDoMain2. Its name is derived from the thread AttackWorker, which is responsible for calling the DealwithDDoS subroutine with appropriate parameters. Autostart is achieved using the insert_reboot procedure and is based on the same principle as in the case of Aesddos. The already_running procedure checks that the process is the only instance of the trojan, and the test is done by locking the file /var/run/dos32.pid. The configuration file dosset.dtdb is an additional IoC.
This cluster was first discovered in September 2014  and later reported multiple times [16, 17, 18]. Its infection vector starts with SSH brute force attacks for the sake of running an installation script under the root user. The script customizes the installation process and contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. Three requests are issued to hard-coded C&C servers: the initial GET with anMD5-hashed string containing the name of the kernel version; a GET query with the parameters of a customized binary such as rootkit version and a list of the bot's C&Cs; and the final GET request of a compiled binary. The rootkit component with a complicated server-assisted installation is where Xorddos differs from all the other Linux trojans. Due to the nature of the Linux operating system, knowledge of kernel headers is crucial for loading any kernel module in the victim's machine. In case the hash of the kernel version is unknown to the server, the system's kernel headers are uploaded via a custom uploader and a new rootkit-equipped trojan can be delivered. The rootkit component is based on the open-source Suterusu rootkit, which is also available on Github .
Regarding the volume of attacks, the reports  and  state peaks of 30.10 Gbps/6.75 Mpps for Iptablesx respectively, with 70 Gbps/28 Mpps for MrBlack. A DDoS attack performed by one victim of Xorddos reported in  lasted three hours and the amount of data averaged 6.63 Mbps/70 Kbps.
By knowing the communication protocol and the command grammar it is possible to harmlessly monitor the C&C activity and to log the targets of DDoS attacks. This was applied by a series of Python scripts for the Elknot/Setag family . We have tried a similar approach for the Xorddos family. Among the observed victims were especially online gaming sites, e-commerce shops, online casinos, etc., all of which belonged to Chinese, American or Canadian IP ranges. These services had both the nature of small or medium-sized local businesses and services with a huge anti-DDoS infrastructure. The success of a flooding attack on the unprotected ones was directly observed in terms of the unreachability of a service shortly after the attack command had been issued. 041b061a72