AhnLab Security Emergency Response Center (ASEC) has uncovered a new variant of the ShellBot malware, which is also known as PerlBot. This Perl-based DDoS bot is being used in a campaign that specifically targets poorly managed Linux SSH servers.
In this article, we will discuss the ShellBot malware and its different strains, as well as the recommendations provided by the researchers to protect Linux servers from brute force attacks and dictionary attacks.
What is ShellBot malware?
The ShellBot malware is a DDoS bot that uses the IRC protocol for C2 communications. It performs SSH brute-force attacks on servers that have port 22 open.
It uses a dictionary containing a list of known SSH credentials to target poorly managed Linux SSH servers. This means that the malware strains can be installed after threat actors have used account credentials obtained through the use of scanners and SSH BruteForce malware on target systems.
ShellBot’s Account Credentials
The account credentials used by ShellBot operators to compromise target servers include:
Researchers have categorized ShellBot into three different groups, since threat actors can create their own versions:
LiGhT’s Modded perlbot v2
DDoS PBot v2.0
PowerBots (C) GohacK
LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 support multiple DDoS attack commands using HTTP, TCP, and UDP protocols.
The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.
To protect Linux servers from brute force attacks and dictionary attacks, the researchers recommend using strong passwords for admin accounts and changing them periodically. It is also essential to keep servers up to date and use security programs.
If the ShellBot malware is installed, Linux servers can be used as DDoS bots for DDoS attacks against specific targets after receiving a command from the threat actor.
Additionally, threat actors could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server. Therefore, it is crucial to take the necessary measures to secure your Linux servers from such attacks.
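The brute-force and dictionary attacks described above leave a characteristic trace in sshd logs: many failed password attempts from one source, often cycling through several usernames, sometimes followed by a successful login. The following detection script is an added example, not part of the ASEC report or this article; it parses constructed sample sshd log lines and flags source addresses whose failure count or number of distinct usernames exceeds a threshold (both thresholds are assumed values).

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for illustration (not taken from the article).
SAMPLE_LOG = """\
Mar 10 02:15:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:15:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 10 02:15:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar 10 02:15:04 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2
Mar 10 02:15:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar 10 02:15:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Mar 10 02:20:11 host sshd[1300]: Failed password for alice from 198.51.100.5 port 40210 ssh2
Mar 10 02:20:30 host sshd[1301]: Accepted password for alice from 198.51.100.5 port 40211 ssh2
"""

# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")


def analyze_sshd_log(text, fail_threshold=5, user_threshold=3):
    """Return {source_ip: summary} for sources that look like dictionary attacks.

    A source is flagged when it reaches fail_threshold failed logins or tries
    user_threshold distinct usernames (thresholds are assumed tuning values).
    """
    failures = defaultdict(int)        # failed attempts per source IP
    users = defaultdict(set)           # distinct usernames tried per source IP
    accepted = defaultdict(set)        # usernames that logged in per source IP
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            accepted[ip].add(user)
    findings = {}
    for ip, count in failures.items():
        if count >= fail_threshold or len(users[ip]) >= user_threshold:
            findings[ip] = {
                "failed_attempts": count,
                "usernames_tried": sorted(users[ip]),
                # Any accepted login from a flagged source deserves a look,
                # since it may mean the dictionary attack succeeded.
                "accepted_logins": sorted(accepted.get(ip, set())),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in analyze_sshd_log(SAMPLE_LOG).items():
        print(ip, summary)
```

A flagged source with a non-empty accepted_logins list is the case to prioritise, since it matches the article's scenario of a bot being installed after credentials are guessed.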
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.