The AhnLab Security Intelligence Center (ASEC) has recently discovered a new strain of DDoS malware, called cShell, that targets poorly managed Linux SSH servers. The malware gets in through weak SSH credentials and then drives standard Linux tools to launch its DDoS attacks.
Initial access follows the familiar pattern: the attackers scan for publicly exposed SSH services and brute-force weak account passwords. Once logged in, they run commands to install tools such as curl, which then fetches the cShell binary; ASEC observed it written to /etc/de/cARM. A systemd unit file named sshell.service registers that binary as a service through systemctl, so the malware is started again after every reboot.
Unlike traditional DDoS bots, which carry their own flood code, cShell delegates the attack to two existing Linux utilities, screen and hping3. screen manages multiple terminal sessions and keeps a command running in the background after the terminal that started it is closed, which is what lets a flood outlive the attacker's SSH login. hping3 is a packet crafting and analysis tool intended for network diagnostics and firewall testing; cShell abuses its ability to generate TCP, UDP, and ICMP packets at high rates to carry out the various DDoS attack types.
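The three traces the two paragraphs above leave on a host (the binary under /etc/de/cARM, the sshell.service unit, and hping3 flood processes running under screen) can be checked with a short audit script. The following is an added example, not code from ASEC or FastNetMon; the paths and tool names come from the report, while the function names, the ROOT argument and the sample ps listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not ASEC's or FastNetMon's code: audit a Linux host for the
# cShell indicators described above: the dropped binary /etc/de/cARM, the
# sshell.service unit, and hping3 floods parked inside screen sessions. The
# paths and tool names come from the report; the function names, the ROOT
# argument and the sample ps listing are this example's own assumptions.

# Indicator 1: persistence artifacts. ROOT (empty = the live system) lets the
# same check run against a mounted disk image or a test directory.
# Returns 0 when nothing was found, 1 when at least one artifact exists.
check_persistence() {
    root="${1:-}"
    found=0
    for path in "$root/etc/de/cARM" \
                "$root/etc/systemd/system/sshell.service" \
                "$root/etc/systemd/system/multi-user.target.wants/sshell.service" \
                "$root/lib/systemd/system/sshell.service" \
                "$root/usr/lib/systemd/system/sshell.service"; do
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "SUSPICIOUS: $path exists"
            found=1
        fi
    done
    # On the live system also ask systemd itself, in case the unit lives elsewhere.
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1 \
       && systemctl is-enabled sshell.service >/dev/null 2>&1; then
        echo "SUSPICIOUS: sshell.service is enabled in systemd"
        found=1
    fi
    return $found
}

# Indicator 2: hping3 run as a flood generator. Reads a "ps -eo pid,ppid,comm,args"
# listing (header included) on stdin, so it works on a live host or on a listing
# saved during incident response. Walks the parent chain to report whether the
# flood sits under a screen session. Returns 1 if anything matched.
find_flood_processes() {
    awk '
        NR == 1 { next }                      # column header
        {
            pid[NR] = $1; comm[NR] = $3
            ppid_of[$1] = $2; comm_of[$1] = $3
            a = $0; sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", a)
            args[NR] = a
        }
        END {
            hits = 0
            for (i = 2; i <= NR; i++) {
                if (comm[i] != "hping3") continue
                # --flood, --rand-source and sub-millisecond intervals (-i uN) are
                # flood options; a handful of -c probes is ordinary diagnostics.
                if (args[i] !~ /--flood|--rand-source|-i u[0-9]+/) continue
                where = "not under screen"
                p = ppid_of[pid[i]]
                for (d = 0; d < 16 && (p in comm_of); d++) {
                    if (comm_of[p] ~ /^(screen|SCREEN)$/) { where = "under screen pid " p; break }
                    p = ppid_of[p]
                }
                print "SUSPICIOUS: hping3 flood pid " pid[i] " (" where "): " args[i]
                hits++
            }
            if (hits) exit 1
        }'
}

# Constructed sample listing (not real data): two floods under a screen session
# started as "SCREEN -dmS dd", and one legitimate three-packet probe by an admin.
SAMPLE_PS=$(cat <<'EOF'
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
  812     1 sshd            /usr/sbin/sshd -D
 1490     1 SCREEN          SCREEN -dmS dd
 1493  1490 bash            bash
 1502  1493 hping3          hping3 -S --flood -p 443 --rand-source 203.0.113.10
 1510  1493 hping3          hping3 --udp -i u100 -p 53 203.0.113.10
 1600   812 sshd            sshd: ops [priv]
 1622  1600 hping3          hping3 -c 3 -S -p 22 192.0.2.5
EOF
)

# Run both checks against the live host. Exit status 1 means "investigate".
audit_host() {
    rc=0
    check_persistence "" || rc=1
    ps -eo pid,ppid,comm,args | find_flood_processes || rc=1
    command -v hping3 >/dev/null 2>&1 && echo "INFO: hping3 is installed; confirm it is needed on this server"
    return $rc
}

# Usage: sh cshell_audit.sh audit      (without "audit" only the functions are defined)
if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Run as root so the full process list and the unit directories are readable. On the sample listing only pids 1502 and 1510 are reported, both as "under screen pid 1490"; the admin's `-c 3` probe is left alone, which is the distinction that keeps the check from firing on a legitimate diagnostic.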
cShell is written in Go and includes an update function. Attack instructions come from a command-and-control (C&C) server. During the update routine the malware contacts several Pastebin URLs in turn and downloads the newest version of itself with curl, so the update path keeps working even if some of those sources are taken down.
Administrators of Linux servers are urged to take proactive measures against threats of this kind: use strong, unique passwords for SSH accounts and change them regularly, or better, disable password authentication in favour of SSH keys; keep systems current with the latest security patches; deploy firewalls and other access controls so SSH is not reachable from the whole internet; monitor server activity for unusual behaviour and unexpected installations such as new systemd services or hping3; and keep antivirus solutions such as V3 updated to block infections proactively.
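Two of those measures can be turned into concrete checks: auditing sshd_config for the settings a password brute-forcer depends on, and scanning sshd's log for the brute-force run (and the password login that follows it) that cShell's operators leave behind. The following is an added example, not code from ASEC or FastNetMon; the sample config fragments and log lines are constructed for it, and the thresholds and function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not ASEC's or FastNetMon's code, for two of the measures above.
# Sample config fragments and log lines are constructed; thresholds and function
# names are this example's own assumptions.

# Check 1: read an sshd_config (or the output of "sshd -T", which resolves Include
# files and defaults) on stdin and report directives that still allow password
# guessing. Returns 1 if anything needs attention.
audit_sshd_config() {
    awk '
        function expect(k, dflt, ok,    v) {
            v = (k in seen) ? seen[k] : dflt
            if (v ~ ("^(" ok ")$")) return 0
            print "WEAK: " k " " v " (expected " ok ")"
            return 1
        }
        {
            sub(/#.*/, "")                                      # drop comments
            if ($0 ~ /^[ \t]*[A-Za-z]+[ \t]*=/) sub(/=/, " ")     # "Key=value" form
            if (NF < 2) next
            key = tolower($1)
            if (key == "match") exit        # directives inside Match blocks are conditional
            if (!(key in seen)) seen[key] = tolower($2)   # sshd keeps the FIRST value of a keyword
        }
        END {
            bad = 0
            bad += expect("passwordauthentication", "yes", "no")
            # ChallengeResponseAuthentication is the pre-8.7 name of the same switch; with PAM
            # it still lets passwords through even when PasswordAuthentication is "no".
            if (!("kbdinteractiveauthentication" in seen) && ("challengeresponseauthentication" in seen))
                seen["kbdinteractiveauthentication"] = seen["challengeresponseauthentication"]
            bad += expect("kbdinteractiveauthentication", "yes", "no")
            bad += expect("permitrootlogin", "prohibit-password", "no|prohibit-password|without-password")
            bad += expect("permitemptypasswords", "no", "no")
            tries = ("maxauthtries" in seen) ? seen["maxauthtries"] + 0 : 6
            if (tries > 3) { print "WEAK: maxauthtries " tries " (expected 3 or fewer)"; bad++ }
            if (bad) exit 1
        }'
}

# Constructed fragments: the weak settings cShell needs, and a hardened set.
# Deploy every administrator public key BEFORE applying the hardened one.
WEAK_SSHD_CONFIG='PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6'
HARDENED_SSHD_CONFIG='PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

# Check 2: count "Failed password" attempts per source address in sshd log lines
# read on stdin, flag addresses over THRESHOLD (default 5), and flag any
# "Accepted password" from an address already over it: the footprint of a
# successful brute force. Returns 1 if anything was flagged.
detect_bruteforce() {
    awk -v thr="${1:-5}" '
        function src(s) { sub(/.* from /, "", s); sub(/ port .*/, "", s); return s }
        / sshd\[[0-9]+\]: Failed password for / { fails[src($0)]++ }
        / sshd\[[0-9]+\]: Accepted password for / {
            ip = src($0)
            if (fails[ip] >= thr) {
                user = $0; sub(/.*Accepted password for /, "", user); sub(/ from .*/, "", user)
                print "COMPROMISE?: " ip " logged in as " user " after " fails[ip] " failed passwords"
                hits++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) { print "BRUTEFORCE: " ip " " fails[ip] " failed passwords"; hits++ }
            if (hits) exit 1
        }'
}

# Constructed log lines (not real data): a brute force that succeeds, and an
# operator who mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG='Dec 17 03:12:01 web1 sshd[2011]: Failed password for root from 198.51.100.23 port 40112 ssh2
Dec 17 03:12:03 web1 sshd[2013]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Dec 17 03:12:05 web1 sshd[2015]: Failed password for root from 198.51.100.23 port 40133 ssh2
Dec 17 03:12:07 web1 sshd[2017]: Failed password for invalid user test from 198.51.100.23 port 40141 ssh2
Dec 17 03:12:09 web1 sshd[2019]: Failed password for root from 198.51.100.23 port 40150 ssh2
Dec 17 03:12:11 web1 sshd[2021]: Failed password for root from 198.51.100.23 port 40162 ssh2
Dec 17 03:12:14 web1 sshd[2023]: Accepted password for root from 198.51.100.23 port 40170 ssh2
Dec 17 03:13:02 web1 sshd[2044]: Failed password for ops from 192.0.2.8 port 51000 ssh2
Dec 17 03:13:10 web1 sshd[2045]: Accepted publickey for ops from 192.0.2.8 port 51002 ssh2'

# Live run: "sshd -T" needs root and shows the effective config; otherwise read
# the main file. Log paths are Debian/RHEL defaults (journald-only hosts need
# "journalctl -u ssh" piped in instead).
audit_host() {
    rc=0
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -T 2>/dev/null | audit_sshd_config || rc=1
    else
        audit_sshd_config < /etc/ssh/sshd_config || rc=1
    fi
    for log in /var/log/auth.log /var/log/secure; do
        [ -r "$log" ] && { detect_bruteforce 5 < "$log" || rc=1; }
    done
    return $rc
}
if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Two caveats the checks encode: sshd honours the first value it sees for a keyword, so a `PasswordAuthentication yes` dropped into an Include file that is read first silently overrides the hardened line below it (which is why the live run prefers `sshd -T`), and turning off `PasswordAuthentication` alone is not enough when keyboard-interactive authentication is still on, because PAM will still prompt for the password.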
Poorly secured Linux systems remain prime targets for attackers seeking to build botnets for DDoS campaigns. By implementing stringent security measures, administrators can mitigate risks and protect their infrastructure from exploitation.
About FastNetMon
FastNetMon delivers versatile DDoS detection software for companies at any scale. With extensive experience in the telecom, mobile, and cloud computing industries, we take pride in preventing DDoS attacks and protecting our customers’ networks to the highest standard.
Find out more: https://fastnetmon.com/