cShell DDoS Bot Exploits Poorly Managed Linux SSH Servers

### #DDoSMalware #LinuxSecurity #cShellThreat

Summary: AhnLab Security Intelligence Center has identified a new DDoS malware strain named cShell, which targets poorly secured Linux SSH servers by exploiting weak credentials. Once compromised, these servers are turned into DDoS bots capable of executing various attack types.

Threat Actor: Unknown
Victim: Linux SSH Servers

Key Points:

  • cShell employs brute force attacks on SSH services using weak or default credentials.
  • The malware installs itself in the “/etc/de/cARM” directory and maintains persistence via the systemctl command.
  • It utilizes existing Linux utilities like screen and hping3 to execute DDoS attacks in the background.
  • cShell supports multiple DDoS attack types, including SYN, ACK, UDP, and custom floods.
  • The malware communicates with command-and-control servers for updates and task instructions.
  • To mitigate risks, system administrators are advised to use strong passwords, enable firewalls, and regularly update their systems.

AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of DDoS malware called cShell, which specifically targets poorly managed Linux SSH servers. The malware exploits weak credentials to gain access and turn compromised servers into DDoS bots.

The attack begins with a brute force assault on publicly exposed SSH services using weak or default credentials. Once access is gained, the malware installs itself and establishes persistence. “The malware is installed in the ‘/etc/de/cARM’ path and uses the additionally downloaded configuration file ‘sshell.service’ to register the service with the systemctl command, maintaining persistence,” ASEC explained.

cShell stands out by leveraging existing Linux utilities, such as screen and hping3, to execute its attacks. Unlike traditional DDoS malware, it uses these tools to run tasks in the background and generate various types of network traffic for DDoS attacks.

cShell is developed in the Go programming language and includes the following functionalities:

  • Persistence Mechanism: Utilizes Linux systemctl for continued operation.
  • DDoS Command Support: Executes multiple DDoS attacks, including SYN, ACK, UDP, and PSH floods.
  • C2 Communication: Connects to command-and-control (C2) servers for task updates and additional payloads.
  • Update Mechanism: Fetches new versions of itself from multiple URLs, including Pastebin.

ASEC’s report describes the following commands used by cShell for DDoS attacks:

| Command | Attack Type | Example Command |
| --- | --- | --- |
| SYN | SYN Flood | `hping3 -S -d <Data Size> -p <Destination Port> --flood <Target IP>` |
| ACK | ACK Flood | `hping3 -A -d <Data Size> -p <Destination Port> --flood <Target IP>` |
| UDP | UDP Flood | `hping3 -2 -d <Data Size> -p <Destination Port> --flood <Target IP>` |
| PSH | Push Flood | `hping3 -P -d <Data Size> -p <Destination Port> --flood <Target IP>` |
| fxyap | Custom Flood Type #1 | `hping3 -FXYAP -d <Data Size> -p <Destination Port> --flood <Target IP>` |
| ovh | Custom Flood Type #2 | `hping3 -S -p <Destination Port> -s <Source Port> <Target IP> -c 1 && hping3 -A --faster <Target IP>` |

These commands demonstrate the malware’s ability to generate high-intensity network traffic aimed at overwhelming targets.

ASEC notes, “cShell runs hping3 in the background under the name ‘concurrent’ using the screen command, supporting different DDoS options for each command.”

The malware communicates with its C&C server to receive commands. Upon installation, it sends an initialization packet and waits for further instructions. Commands range from DDoS attacks to software updates. ASEC highlights, “cShell supports 4 additional download URLs besides the hard-coded C&C server addresses, exploiting Pastebin during the update process to download the latest version.”

At its core, cShell transforms compromised Linux servers into DDoS bots capable of executing high-volume attacks. This can disrupt networks and enable attackers to exploit resources for further malicious activity. The report warns, “If cShell is installed, the Linux server can be utilized as a DDoS bot by receiving commands from the threat actor.”

ASEC urges system administrators to adopt the following measures to prevent cShell infections:

  1. Use Strong Passwords: Employ complex, unique passwords and update them regularly.
  2. Enable Firewalls: Restrict external access to SSH servers with security programs.
  3. Patch Systems: Keep Linux servers updated with the latest security patches.
  4. Monitor Activity: Regularly check for unauthorized processes or unusual network activity.

ASEC advises, “Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks.”
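The "Monitor Activity" step above can be made concrete with the indicators the report names: the /etc/de/cARM install path, the sshell.service unit registered through systemctl, and hping3 driven from a screen session called 'concurrent'. The following host check is an added example, not code from ASEC or from this article; the `root` and `ps_file` arguments are assumptions that let it run against a staged directory and a captured process listing rather than only the live host.

```shell
#!/bin/sh
# Added example (not from the ASEC report or this article): a defender-side
# check for the cShell indicators the page names. The two optional
# arguments are assumptions for testing: a filesystem root to inspect and
# a captured 'ps -eo args' listing; with no arguments it inspects the host.

cshell_check() {
    root="${1:-/}"          # filesystem root to inspect ("/" on a live host)
    ps_file="${2:-}"        # optional captured 'ps -eo args' output
    findings=0

    # Indicator 1: the install path reported by ASEC
    if [ -e "$root/etc/de/cARM" ]; then
        echo "FOUND: install path $root/etc/de/cARM"
        findings=$((findings + 1))
    fi

    # Indicator 2: the downloaded unit file registered via systemctl
    for dir in etc/systemd/system usr/lib/systemd/system lib/systemd/system; do
        if [ -f "$root/$dir/sshell.service" ]; then
            echo "FOUND: persistence unit $root/$dir/sshell.service"
            findings=$((findings + 1))
        fi
    done

    # Indicator 3: process listing, captured or live
    if [ -n "$ps_file" ]; then
        listing=$(cat "$ps_file")
    else
        listing=$(ps -eo args 2>/dev/null)
    fi
    # A screen session named 'concurrent' (ps shows the server as SCREEN)
    if printf '%s\n' "$listing" | grep -Eiq '(^|/)screen .*[ =]concurrent( |$)'; then
        echo "FOUND: screen session named 'concurrent'"
        findings=$((findings + 1))
    fi
    # hping3 in flood mode, the traffic generator cShell drives
    if printf '%s\n' "$listing" | grep -Eq 'hping3 .*--(flood|faster)'; then
        echo "FOUND: hping3 flood process"
        findings=$((findings + 1))
    fi

    return "$findings"      # exit status = number of indicators matched
}
```

Run it with no arguments as root on a live host; a non-zero exit status is the number of indicators that matched, so it drops straight into a cron job or a monitoring hook.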


Source: https://securityonline.info/cshell-ddos-bot-exploits-poorly-managed-linux-ssh-servers