ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic

The botnet — built for DDoS, backdooring, and dropping malware — is evading standard URL signature detections with a novel approach involving Hex IP addresses.

broken egg in a set of unbroken ones on a black background
Source: RubberBall via Alamy Stock Photo

Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL formation (i.e., hxxp://39.99.218[.]78,) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.

"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl."

ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.

"If ShellBot is installed, Linux servers can be used ... for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials on a regular basis.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights