New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers


A new campaign is deploying several variants of a malware family called ShellBot against poorly managed Linux SSH servers.

According to a report by AhnLab Security Emergency Response Center (ASEC), ShellBot, also known as PerlBot, is a DDoS malware written in Perl that typically uses the IRC protocol to communicate with its C&C server.

The malware is installed on servers with weak or easily guessable login credentials, but only after the attackers have used a scanning tool to locate hosts with SSH port 22 exposed.

To compromise the server, the attackers run a dictionary attack using a list of known SSH login credentials. After a successful login they deliver their payload, which then communicates with a remote host over the IRC (Internet Relay Chat) protocol.
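A defender-side check for the dictionary attack described above, added here as an example and not taken from ASEC's report or the article: it parses sshd authentication log lines (a constructed sample is embedded; the host name, addresses and the assumed year are illustrative), flags a source address that produces many failed passwords for many different accounts inside a short window, and reports any successful login from that source afterwards, which is the point at which a guessed credential has actually been used.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd messages in the traditional syslog format; both "invalid user" failures
# (account does not exist) and failures for existing accounts such as root match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2023):
    # Syslog timestamps carry no year; the caller supplies it (assumed 2023 here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, window_s=600, min_failures=10):
    """Return {source_ip: summary} for sources whose failed logins look like a
    dictionary attack: at least `min_failures` failures inside any `window_s`
    second window. The summary also lists accounts that later logged in
    successfully from that source, the sign that one of the guesses worked."""
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    accepted = defaultdict(list)   # ip -> [(timestamp, username)]
    for line in lines:
        if m := FAILED_RE.match(line):
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
        elif m := ACCEPTED_RE.match(line):
            accepted[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window over the sorted failure times: size of the largest burst.
        burst, start = 0, 0
        for i, (t, _) in enumerate(events):
            while (t - events[start][0]).total_seconds() > window_s:
                start += 1
            burst = max(burst, i - start + 1)
        if burst < min_failures:
            continue
        first_failure = events[0][0]
        findings[ip] = {
            "failures": len(events),
            "max_in_window": burst,
            "usernames": sorted({u for _, u in events}),
            "login_after_failures": [u for t, u in accepted[ip] if t >= first_failure],
        }
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
# 12 rapid failures for different accounts from one source, then a successful
# root login from that same source, plus two harmless typos from an admin host.
USERS = ["root", "admin", "test", "oracle", "ubuntu", "pi",
         "user", "guest", "postgres", "git", "ftp", "root"]


def _line(i, user, ip, accepted=False):
    minute, second = divmod(i * 10, 60)
    ts = f"Mar 15 10:{minute:02d}:{second:02d}"
    if accepted:
        return f"{ts} web01 sshd[{4000 + i}]: Accepted password for {user} from {ip} port {50000 + i} ssh2"
    who = user if user == "root" else f"invalid user {user}"
    return f"{ts} web01 sshd[{4000 + i}]: Failed password for {who} from {ip} port {50000 + i} ssh2"


SAMPLE_LOG = (
    [_line(i, u, "203.0.113.5") for i, u in enumerate(USERS)]
    + [_line(12, "root", "203.0.113.5", accepted=True)]
    + [_line(3, "deploy", "198.51.100.7"), _line(7, "deploy", "198.51.100.7")]
)

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {f['failures']} failures ({f['max_in_window']} within 10 min), "
              f"{len(f['usernames'])} accounts tried, successful logins afterwards: "
              f"{f['login_after_failures'] or 'none'}")
```

On a real host the same function can be fed lines from the system authentication log or the sshd journal; a source that appears in the findings with a non-empty `login_after_failures` entry is the case to treat as a probable compromise rather than mere noise, and the thresholds are deliberately parameters because legitimate automation can also produce bursts of failures.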

This includes ShellBot's ability to receive commands, carry out DDoS attacks and exfiltrate collected data.

According to ASEC, three ShellBot versions have been identified: LiGhT's Modded perlbot v2, DDoS PBot v2.0 and PowerBots (C) GohacK. The first two offer various DDoS attack options over the HTTP, TCP and UDP protocols.

By contrast, PowerBots offers additional backdoor-like features, including reverse shell access and the upload of arbitrary files from the compromised host.

The findings come about 90 days after ShellBot was deployed in attacks that targeted Linux servers and distributed cryptocurrency miners via a shell script compiler.

ASEC noted that once ShellBot is installed, Linux servers can act as DDoS bots that launch attacks against specific targets on command from the threat actor. The threat actor can also use the malware's other backdoor functions to install additional malware or launch other kinds of attacks from the compromised server.
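The IRC command channel is the traffic a defender can look for once a server is suspected of having become a bot. The following is an added example, not code from ASEC or the article: it scores outbound connection records from hosts that should never speak IRC by destination port and by the RFC 1459 client registration verbs at the start of the client stream, so an IRC session on a non-standard port is still caught. The `Flow` record type, the addresses and the sample payloads are constructed for the example.

```python
from dataclasses import dataclass

# Ports IRC servers conventionally listen on (6697 and 7000 are commonly used
# for TLS-wrapped IRC, where payload inspection will not help).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
# Client command verbs from RFC 1459/2812; a bot's first messages to its C&C
# server are normally NICK and USER (registration) followed by JOIN.
IRC_VERBS = {"NICK", "USER", "JOIN", "PASS", "PRIVMSG", "PONG"}


@dataclass
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # remote address
    dport: int      # remote port
    payload: bytes  # first bytes of the client-to-server stream, if captured


def irc_indicators(flow, max_bytes=512):
    """Return the reasons a flow looks like an IRC session (empty list if none)."""
    reasons = []
    if flow.dport in IRC_PORTS:
        reasons.append(f"well-known IRC port {flow.dport}")
    text = flow.payload[:max_bytes].decode("ascii", errors="replace")
    lines = [l for l in text.split("\r\n") if l]
    verbs = [l.split(" ", 1)[0] for l in lines]
    # Every captured line must start with an IRC verb; binary or HTTP will not.
    if verbs and all(v in IRC_VERBS for v in verbs):
        reasons.append("payload is IRC client traffic: " + " ".join(verbs))
    return reasons


def find_irc_c2(flows, server_hosts):
    """Outbound flows from hosts that have no business speaking IRC (a web or
    database server, say) are the candidates; each hit maps to its reasons."""
    hits = {}
    for f in flows:
        if f.src not in server_hosts:
            continue
        reasons = irc_indicators(f)
        if reasons:
            hits[(f.src, f.dst, f.dport)] = reasons
    return hits


# Constructed sample flows (RFC 5737 / RFC 1918 addresses, not real infrastructure).
IRC_HELLO = b"NICK w01\r\nUSER w01 8 * :w01\r\nJOIN #chan\r\n"
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "198.51.100.23", 6667, IRC_HELLO),                  # server -> IRC port
    Flow("10.0.0.10", "198.51.100.23", 8080, IRC_HELLO),                  # IRC on an odd port
    Flow("10.0.0.10", "203.0.113.80", 443, b"\x16\x03\x01\x02\x00\x01"),  # TLS client hello
    Flow("10.0.5.21", "198.51.100.23", 6667, IRC_HELLO),                  # a user workstation
]

if __name__ == "__main__":
    for key, reasons in find_irc_c2(SAMPLE_FLOWS, {"10.0.0.10"}).items():
        print(key, "->", "; ".join(reasons))
```

The port list alone would miss the second flow and would also fire on a workstation user who legitimately uses IRC, which is why the check is scoped to a set of server hosts and why the payload verbs are examined as well; in practice the records would come from a flow collector or IDS rather than the hard-coded list.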

Microsoft recently disclosed a rise in Distributed Denial of Service (DDoS) attacks against healthcare organizations hosted in Azure, with the number climbing gradually from 10-20 attacks per day in November 2022 to nearly double that, 40-60 attacks per day, by February 2023.
