Since the beginning of the year, there has been an uptick in attacks targeting poorly managed Linux SSH servers. These servers are being compromised as part of a new campaign that deploys several variants of a malware family called ShellBot.

ShellBot, also known as PerlBot, is a DDoS bot written in Perl that uses the IRC protocol to communicate with its command-and-control (C&C) server. It is installed on servers with weak credentials, but only after the threat actors have used scanner malware to identify hosts with SSH port 22 open. A list of known SSH credentials is then used in a dictionary attack to breach the server and deploy the payload. Once deployed, ShellBot talks to the remote server over Internet Relay Chat (IRC); this channel is used to direct DDoS attacks and to exfiltrate harvested information.

ASEC has identified three different ShellBot versions: LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two offer a range of DDoS attack commands over the HTTP, TCP, and UDP protocols. PowerBots comes with more backdoor-like capabilities, granting reverse shell access and allowing arbitrary files to be uploaded from the compromised host.

If you run a Linux server, make sure that your SSH service is properly managed and secured. Attackers are constantly developing new ways to exploit weak points in our systems; by staying vigilant and keeping up with best practices, we can make it harder for them to succeed.
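The initial-access step described above (credential guessing against SSH followed by a successful login) leaves a characteristic trace in sshd's auth log. As an added defensive example that is not part of the original post or of ASEC's analysis, the following Python detector flags source addresses that produced a burst of failed password logins and then succeeded; the log lines, hostname, addresses and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not from a real incident): one source guesses
# several accounts before root succeeds, one benign user mistypes a password once.
SAMPLE_AUTH_LOG = """\
Mar 14 10:01:02 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51230 ssh2
Mar 14 10:01:03 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51231 ssh2
Mar 14 10:01:04 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51232 ssh2
Mar 14 10:01:05 srv sshd[2107]: Failed password for invalid user ubuntu from 203.0.113.5 port 51233 ssh2
Mar 14 10:01:06 srv sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Mar 14 10:01:09 srv sshd[2113]: Accepted password for root from 203.0.113.5 port 51236 ssh2
Mar 14 10:02:30 srv sshd[2120]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 14 10:02:41 srv sshd[2122]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
"""
# Matches "Failed password for root from ..." and "... for invalid user admin from ...".
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line):
    """Return a dict for password-auth events, None for any other sshd line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime's default year is fine for intervals.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def find_dictionary_attacks(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failed password logins within window_s seconds;
    accepted_as records a later success from that source (probable compromise)."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    total, users, hits = defaultdict(int), defaultdict(set), {}
    for ev in filter(None, map(parse_line, lines)):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            total[ip] += 1
            users[ip].add(ev["user"])
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[ip]) >= threshold and ip not in hits:
                hits[ip] = {"failures": 0, "users": [], "accepted_as": None}
        elif ip in hits:  # "Accepted" after a burst of failures from the same source
            hits[ip]["accepted_as"] = ev["user"]
    for ip, h in hits.items():
        h["failures"], h["users"] = total[ip], sorted(users[ip])
    return hits
```

A hit with `accepted_as` set is the case to triage first, since it means the guessed password worked; the same logic runs unchanged over a real `/var/log/auth.log` read line by line.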