Digging for Groundhogs: Holes in Your Linux Server

In July 2015, Check Point’s Incident Response team was contacted by a customer after they noticed strange file system activities occurring in one of their Linux based DNS BIND servers. This strange behavior consisted of a large number of peculiar files being written into sensitive system directories.


A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised. The source of this compromise was traced to an SSH brute force attack that took place earlier the same month. The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers. Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server.


Download the full version of the report:

Groundhog report



Once they obtained access to the server, the attackers infected the system with two malicious payloads. These payloads were the XOR.DDoS and Groundhog malware variants, which are specifically designed to infect Linux-based hosts and force them to participate in large DDoS (Distributed Denial of Service) attack campaigns. The malware’s effectiveness indicates a major step-up in DDoS related cybercrime capabilities. The code proficiency, together with the fact that the malware infects only Linux servers with potential access to high bandwidth communication channels, may lead to DDoS attacks of as yet unseen proportions and persistency.


While the XOR.DDoS malware was known and previously analyzed, the Groundhog payload had yet to be reported. Our investigation revealed a very strong connection between the two, as they use similar configuration, similar protection methods and similar communication techniques. Deeper analysis of the samples concludes that they are, with a high probability, different modules of the same malware family, and that they were designed and created by the same actor. Our research data shows the attackers had recently switched the networks used for the initial brute force attacks, possibly due to detection and prevention measures taken in recent months. This report summarizes our research efforts and provides a detailed description of the entire campaign including observed infection methods, malware techniques and the payload analysis.


Check Point IPS blade customers are able to protect themselves against the initial SSH brute force attack, this botnet conducts by enabling and properly configuring the IPS protection “Multiple SSH Initial Connection Requests.”

Check Point’s Anti-Virus and Anti-Bot blades offer various signatures to protect Checkpoint’s customers from pre and post infection of this botnet. These signatures are known by the following names:




To read more about this research click here.