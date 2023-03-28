Linux SSH servers, poorly managed ones in particular, are becoming the target of a new attack campaign that uses several variants of a malware called ShellBot.

ShellBot: what it does and how it behaves

“ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and typically uses the IRC protocol to communicate with the C&C server,” the AhnLab Security Emergency Response Center (ASEC) said in a report.

ShellBot is installed on servers with weak credentials (easily guessed passwords and predictable usernames, for example), but only after the operators have used scanner tools to identify systems with SSH port 22 open.

A list of known SSH credentials is then used in a dictionary attack to break into the server and deploy the payload, after which the malware uses the Internet Relay Chat (IRC) protocol to communicate with a remote server.

This includes receiving commands that direct ShellBot to carry out DDoS attacks and to exfiltrate the information it has collected.
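The access path described above (port-22 scanning, a dictionary attack on password logins, then command and control) leaves a recognisable trace in sshd's authentication log: a burst of failed password logins from one source, often followed by a successful password login from that same source. The Python script below is an added example, not code from the article or from ASEC; it detects that pattern over a few constructed auth.log lines in OpenSSH's standard syslog format. The hostname, the addresses, the detection threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt in OpenSSH's syslog format (hostname and addresses are made up).
# Source 203.0.113.7 cycles common usernames and finally gets in; 198.51.100.4 is a legitimate
# user who mistyped a password once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Mar 28 10:01:02 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 28 10:01:04 srv1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Mar 28 10:01:05 srv1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Mar 28 10:01:07 srv1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51044 ssh2
Mar 28 10:01:09 srv1 sshd[1209]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 28 10:01:11 srv1 sshd[1211]: Accepted password for root from 203.0.113.7 port 51058 ssh2
Mar 28 10:05:30 srv1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 28 10:05:41 srv1 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

# Matches the "Accepted"/"Failed" login lines sshd writes; other sshd lines are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_events(text, year=2023):
    """Parse sshd login lines into dicts sorted by time; unrelated lines are skipped.
    Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "ip": m["ip"], "user": m["user"],
                       "method": m["method"], "success": m["result"] == "Accepted"})
    return sorted(events, key=lambda e: e["time"])


def find_dictionary_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Flag every source IP with at least `threshold` failed password logins inside `window`.

    Returns {ip: {"failures": n, "users": [...], "compromised": bool}}. "compromised" is True
    when a successful *password* login from the same IP follows the burst, i.e. the guessing
    worked, which is the moment a ShellBot-style payload would be dropped.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["method"] == "password" and not e["success"]]
        burst_end = None
        # Sliding window over the time-ordered failures: any `threshold` consecutive
        # failures that fit inside `window` count as a burst.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1]["time"] - failures[i]["time"] <= window:
                burst_end = failures[i + threshold - 1]["time"]
                break
        if burst_end is None:
            continue
        compromised = any(e["success"] and e["method"] == "password" and e["time"] >= burst_end
                          for e in evs)
        findings[ip] = {"failures": len(failures),
                        "users": sorted({e["user"] for e in failures}),
                        "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in find_dictionary_attacks(parse_sshd_events(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {f['failures']} failed password logins for {f['users']}, "
              f"{'COMPROMISED' if f['compromised'] else 'no success seen'}")
```

On a real host, feed the output of `journalctl -u ssh` or the contents of /var/log/auth.log to `parse_sshd_events()`. A source flagged with `compromised` set is the case that matters: the report describes a Perl-based bot that holds an IRC connection to its C&C server, so that is the footprint to look for on the affected machine next.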

ASEC said it has identified three different versions of ShellBot: LiGhT’s Modded perlbot v2, DDoS PBot v2.0 and PowerBots (C) GohacK. The first two offer a variety of DDoS attack commands using the HTTP, TCP and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like features, granting reverse shell access and uploading arbitrary files from the compromised host.

The findings come nearly three months after ShellBot was used in targeted attacks against Linux servers that also distributed cryptocurrency miners via a shell script compiler.

“If ShellBot is installed, Linux servers can be used as a DDoS bot for DDoS attacks against specific targets after receiving a command from the attacker,” ASEC said. “Also, the attacker might use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.”

The development comes as Microsoft has also reported a sharp increase in DDoS attacks targeting healthcare organizations hosted in Azure, from 10-20 attacks in November 2022 to 40-60 attacks per day in February 2023.

Operating systems based on the Linux kernel: safe, but not that safe?

The ShellBot case highlights that installing a Linux distribution (Mint, Ubuntu, Debian, ZorinOS, etc.) does not automatically make you safe.

If a private user needs good browsing habits, a server administrator has to be far more careful: as noted above, running Linux on a server does not make it safe just because “so they say”.

Unfortunately this “invincible Linux” mentality is so widespread among Linux users that basic good habits are often forgotten.

Although Linux is often promoted by such users as an alternative to Windows, the two families of operating system now share much the same threat landscape: there is no point denying it.

That said, there is no impenetrable or “invincible” operating system. A server cannot be assumed safe just because “I use Linux a lot”; you could run an operating system built by the NSA, but if your habits are bad, it will not help.
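For an SSH server, “good habits” against a campaign like this come down largely to a handful of sshd_config directives. The Python script below is an added example, not from the article or from ASEC: it audits a configuration for the settings a dictionary attack relies on, comparing a constructed weak configuration with a hardened one. It applies two sshd rules worth knowing: a directive absent from the file takes OpenSSH's documented default (PasswordAuthentication defaults to yes), and the first occurrence of a directive wins, so appending `PasswordAuthentication no` below an earlier `yes` changes nothing. The sample configurations and the MaxAuthTries limit of 3 are this example's assumptions.

```python
# Constructed sshd_config fragments (not taken from any real host).
WEAK_CONFIG = """\
# Typical "it works" configuration on a poorly managed server
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# An administrator later appended this, but sshd keeps the FIRST value it reads:
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
PubkeyAuthentication yes
"""

# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# directive -> (OpenSSH's documented default when the directive is absent,
#               predicate that says whether the effective value is acceptable).
# The MaxAuthTries limit of 3 is an assumption of this example, not an OpenSSH rule.
CHECKS = {
    "permitrootlogin": ("prohibit-password", lambda v: v in ("no", "prohibit-password")),
    "passwordauthentication": ("yes", lambda v: v == "no"),
    "kbdinteractiveauthentication": ("yes", lambda v: v == "no"),
    "permitemptypasswords": ("no", lambda v: v == "no"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3),
}


def effective_settings(config_text):
    """Return {directive: value} as sshd would apply it: comment lines skipped,
    keywords case-insensitive, first occurrence wins, and everything after the
    first Match block ignored (those directives apply conditionally, so they
    are not audited here)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)  # first value wins, as in sshd
    return settings


def audit_sshd_config(config_text):
    """Return [(directive, effective_value, origin)] for every weak setting;
    origin is "config" if the file sets it, "default" if sshd's default applies."""
    settings = effective_settings(config_text)
    findings = []
    for directive, (default, acceptable) in CHECKS.items():
        if directive in settings:
            value, origin = settings[directive], "config"
        else:
            value, origin = default, "default"
        if not acceptable(value):
            findings.append((directive, value, origin))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no weak settings")
```

Run it against /etc/ssh/sshd_config to see which weaknesses come from the file and which come from defaults nobody overrode; the "default" findings are the ones that an administrator who never touched the file would never notice.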