New ShellBot bot targets poorly managed Linux SSH Servers

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn.

AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.

The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC protocol for C2 communications.

The ShellBot performs SSH brute-force attacks on servers that have port 22 open, using a dictionary containing a list of known SSH credentials.


“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC’s report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”

Below is a list of the account credentials used by ShellBot operators to compromise the target servers:

User Password
deploy password
hadoop hadoop
oracle oracle
root 11111
root Passw0rd
ttx ttx2011
ubnt ubnt

The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.

LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 support multiple DDoS attack commands using HTTP, TCP, and UDP protocols. The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.

The researchers recommend using strong passwords for admin accounts and changing them periodically to protect the Linux server from brute force attacks and dictionary attacks. They also recommend keeping the servers up to date and using security programs.
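To check whether a server has already been probed this way, the added example below (not from the ASEC report or this article) scans sshd log lines for sources that fail password logins against several of the account names listed above and records any password login accepted from the same source afterwards. The sample log lines, the host name `web01` and the `min_users` threshold are constructed assumptions; the message patterns are the standard OpenSSH ones.

```python
import re
from collections import defaultdict

# Account names from the credential list in this article.
LISTED_USERS = {"deploy", "hadoop", "oracle", "root", "ttx", "ubnt"}

# Standard OpenSSH password-authentication log messages.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")

# Constructed sample log lines (documentation IP ranges, hypothetical host "web01").
SAMPLE_LOG = """\
Mar 20 03:11:01 web01 sshd[2101]: Failed password for invalid user deploy from 203.0.113.7 port 40112 ssh2
Mar 20 03:11:03 web01 sshd[2103]: Failed password for invalid user hadoop from 203.0.113.7 port 40118 ssh2
Mar 20 03:11:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 20 03:11:08 web01 sshd[2107]: Accepted password for oracle from 203.0.113.7 port 40130 ssh2
Mar 20 09:02:44 web01 sshd[3310]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar 20 09:02:51 web01 sshd[3312]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
"""

def analyze(lines, min_users=3):
    """Report sources that failed logins for at least `min_users` listed accounts.

    Returns {ip: {"users": [...], "failures": n, "accepted_after_failures": [...]}}.
    """
    tried = defaultdict(set)      # ip -> listed account names that failed
    failures = defaultdict(int)   # ip -> total failed password attempts
    accepted = defaultdict(list)  # ip -> accounts accepted after earlier failures
    for line in lines:
        failed = FAILED.search(line)
        if failed:
            user, ip = failed.groups()
            failures[ip] += 1
            if user in LISTED_USERS:
                tried[ip].add(user)
            continue
        ok = ACCEPTED.search(line)
        if ok and failures.get(ok.group(2)):
            accepted[ok.group(2)].append(ok.group(1))
    return {
        ip: {"users": sorted(users), "failures": failures[ip],
             "accepted_after_failures": accepted.get(ip, [])}
        for ip, users in tried.items() if len(users) >= min_users
    }

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An entry with a non-empty `accepted_after_failures` list is the case to investigate first, since it means a password login succeeded from a source that had just been cycling through the listed accounts.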


“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, ShellBot)



