shellbot-malware

Analysis

Based on a report from AhnLab Security Emergency Response Center (ASEC), "ShellBot, popularly known as PerlBot, is a DDoS Bot malware written in Perl and often uses IRC protocols to establish a connection with the C&C server."

Threat actors use scanner malware to find hosts with SSH port 22 open, then install ShellBot on the servers among them that have weak passwords.

To gain access and drop the payload, the attackers run a dictionary attack using a list of known SSH credentials; once installed, ShellBot uses the Internet Relay Chat (IRC) protocol to connect to a remote command-and-control server.

Over this connection ShellBot receives commands, carries out DDoS attacks and sends back the data it has collected.

Prevention

  • Use anti-virus software
  • Keep software up-to-date
  • Be cautious of email attachments and links
  • Use strong passwords
  • Enable firewalls
  • Backup your data
  • Use two-factor authentication
  • Avoid downloading from untrusted sources
  • Use a pop-up blocker
  • Disable macros in Office docs
  • Use a VPN on public Wi-Fi
  • Use strong and unique passwords
  • Educate yourself on malware threats and best practices

Detection

  • Create rules in the SIEM (Security Information and Event Management) tool based on the threat group's known indicators so that the tool alerts on matching activity.
  • Check the Task Manager for suspicious processes
  • Check the Startup folder for suspicious files/programs
  • Use a malware scanner
  • Check for unusual network activity
  • Keep your software updated

Indicators of Compromise (IOCs)

IPv4 address and port combinations

  • 164.132.224.207:80
  • 164.90.240.68:6667
  • 176.123.2.3:6667
  • 192.3.141.163:6667
  • 206.189.139.152:6667
  • 49.212.234.206:3303
  • 51.195.42.59:8080

Domain and port combinations

  • gsm.ftp.sh:1080

MD5 hashes

  • 176ebfc431daa903ef83e69934759212
  • 2cf90bf5b61d605c116ce4715551b7a3
  • 3eef28005943fee77f48ac6ba633740d
  • 55e5bfa75d72e9b579e59c00eaeb6922
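
To turn the indicators above into the kind of SIEM rule the Detection section calls for, here is an added example that is not part of the original page or of ASEC's report: a small Python matcher that checks connection-log lines against the IP:port and domain:port pairs listed on this page, flags other outbound IRC connections at lower severity, and checks a file inventory against the listed MD5 hashes. The IOC values are the page's own; the log line format, host names, file paths and the extra IRC-over-TLS port 6697 are assumptions constructed for the example.

```python
"""Match connection logs and file hashes against the ShellBot IOCs on this page.

Added example (not from the original page). The IOC values below are copied
from the page's IOC section; the log format and sample data are constructed.
"""
import re

# IP:port and domain:port combinations listed on the page.
IOC_ENDPOINTS = {
    ("164.132.224.207", 80),
    ("164.90.240.68", 6667),
    ("176.123.2.3", 6667),
    ("192.3.141.163", 6667),
    ("206.189.139.152", 6667),
    ("49.212.234.206", 3303),
    ("51.195.42.59", 8080),
    ("gsm.ftp.sh", 1080),
}

# MD5 hashes listed on the page.
IOC_MD5 = {
    "176ebfc431daa903ef83e69934759212",
    "2cf90bf5b61d605c116ce4715551b7a3",
    "3eef28005943fee77f48ac6ba633740d",
    "55e5bfa75d72e9b579e59c00eaeb6922",
}

# 6667 appears in the page's IOCs; 6697 (IRC over TLS) is an assumption added
# here. A server reaching either port is unusual enough for a medium alert even
# when the destination is not a listed IOC.
IRC_PORTS = {6667, 6697}

# Constructed log format (not any real product's):
#   "<timestamp> <src_host> -> <dst>:<dst_port> <proto>"
# IPv4 and host names only; IPv6 destinations would need a different pattern.
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def match_connections(lines):
    """Return (severity, src, dst, port) for each line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as matches
        key = (rec["dst"].lower(), rec["port"])
        if key in IOC_ENDPOINTS:
            hits.append(("high", rec["src"], rec["dst"], rec["port"]))
        elif rec["port"] in IRC_PORTS:
            hits.append(("medium", rec["src"], rec["dst"], rec["port"]))
    return hits


def match_hashes(inventory):
    """inventory maps path -> MD5 hex; return paths whose hash is a listed IOC."""
    return sorted(p for p, h in inventory.items() if h.lower() in IOC_MD5)


# Constructed sample data: host names, paths and the 93.184.216.34 / 203.0.113.9
# destinations are made up for the example.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z web01 -> 93.184.216.34:443 tcp",
    "2024-01-01T10:00:05Z web01 -> 164.90.240.68:6667 tcp",
    "2024-01-01T10:00:09Z db02 -> gsm.ftp.sh:1080 tcp",
    "2024-01-01T10:00:12Z db02 -> 203.0.113.9:6667 tcp",
    "malformed line",
]
SAMPLE_INVENTORY = {
    "/tmp/.x/perl": "176EBFC431DAA903EF83E69934759212",  # listed IOC, upper-case
    "/usr/bin/perl": "d41d8cd98f00b204e9800998ecf8427e",  # benign (MD5 of empty input)
}

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_LOGS):
        print("connection", *hit)
    for path in match_hashes(SAMPLE_INVENTORY):
        print("file", path)
```

Hash comparison is case-insensitive because different tools emit MD5 in different cases; the domain is lowered for the same reason. In a real deployment the two functions would be fed from the SIEM's connection and file-integrity events rather than the constructed lists.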

 

References

SEC-1275-1

The Hacker News

Sysdig
