Analysis
Based on a report from AhnLab Security Emergency response Center (ASEC), "ShellBot, popularly known as PerlBot, is a DDoS Bot malware written in Perl and often uses IRC protocols to establish a connection with the C&C server."
Threat actors use scanner malware to find hosts with SSH port 22 open, then install ShellBot on those servers that are protected by weak passwords.
Initial access is a dictionary attack using a list of commonly used SSH credentials; once the payload has been dropped, it connects to a remote server over the Internet Relay Chat (IRC) protocol.
Over that IRC channel ShellBot receives commands, launches DDoS attacks, and reports back the data it has gathered.
Prevention
- Use anti-virus software
- Keep software up-to-date
- Be cautious of email attachments and links
- Use strong passwords
- Enable firewalls
- Backup your data
- Use two-factor authentication
- Avoid downloading from untrusted sources
- Use a pop-up blocker
- Disable macros in Office docs
- Use a VPN on public Wi-Fi
- Use strong and unique passwords
- Educate yourself on malware threats and best practices
Detection
- Create rules in the SIEM (Security Information and Event Management) tool based on the threat group's known indicators, so that its activity is detected.
- Check the Task Manager for suspicious processes
- Check the Startup folder for suspicious files/programs
- Use a malware scanner
- Check for unusual network activity
- Keep your software updated
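The first two detection bullets worked into code: an added example, not taken from the page or the ASEC report, that runs two simple SIEM-style rules over constructed sshd and connection log lines, flagging the SSH dictionary attack described above (a burst of failed logins followed by a success) and outbound connections to the C&C IP:port pairs reported for this campaign or to IRC port 6667. The log formats and the hosts 10.0.0.x, 198.51.100.7 and 203.0.113.9 are assumptions.

```python
import re
from collections import defaultdict

# IoC IP:port pairs reported for this campaign (most are IRC C&C listeners on 6667)
KNOWN_C2 = {("164.132.224.207", 80), ("164.90.240.68", 6667), ("176.123.2.3", 6667),
            ("192.3.141.163", 6667), ("206.189.139.152", 6667), ("49.212.234.206", 3303),
            ("51.195.42.59", 8080)}

# Constructed sample telemetry (not real logs): sshd auth lines and a simple connection log
AUTH_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 198.51.100.7 port 51212 ssh2
2024-05-01T10:00:02 sshd[812]: Failed password for admin from 198.51.100.7 port 51213 ssh2
2024-05-01T10:00:03 sshd[813]: Failed password for invalid user test from 198.51.100.7 port 51214 ssh2
2024-05-01T10:00:04 sshd[814]: Failed password for ubuntu from 198.51.100.7 port 51215 ssh2
2024-05-01T10:00:09 sshd[815]: Accepted password for root from 198.51.100.7 port 51216 ssh2
2024-05-01T10:05:00 sshd[900]: Failed password for alice from 203.0.113.9 port 40000 ssh2
"""
CONN_LOG = """\
2024-05-01T10:00:30 10.0.0.5 54321 164.90.240.68 6667 tcp
2024-05-01T10:01:00 10.0.0.5 54322 93.184.216.34 443 tcp
2024-05-01T10:02:00 10.0.0.6 54400 198.18.0.1 6667 tcp
"""
AUTH_RE = re.compile(r"^\S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def detect_ssh_dictionary_attack(log, threshold=4):
    """Sources with >= threshold failed logins, plus any account they then logged into successfully."""
    fails, success = defaultdict(int), defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        result, user, src = m.groups()
        if result == "Failed":
            fails[src] += 1
        elif fails[src] >= threshold:  # success right after a burst of failures is the critical case
            success[src].append(user)
    return {src: {"failures": n, "succeeded_as": success[src]}
            for src, n in fails.items() if n >= threshold}

def detect_irc_c2(conn_log):
    """Flag (src, dst, dport, reason) for connections to a listed C&C pair or to the IRC port 6667."""
    hits = []
    for line in conn_log.splitlines():
        _, src, _, dst, dport, _ = line.split()
        port = int(dport)
        if (dst, port) in KNOWN_C2:
            hits.append((src, dst, port, "known-c2"))
        elif port == 6667:  # ShellBot's usual IRC C&C port, even when the destination is not yet listed
            hits.append((src, dst, port, "irc-port"))
    return hits
```

The "irc-port" rule will also fire on legitimate IRC use, so treat it as a lower-severity alert to be reviewed alongside the failed-login burst rather than as a confirmed compromise on its own.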
Indicators of Compromise (IOCs)
IPv4 address and port combinations
Domain and port combinations
- gsm.ftp.sh:1080
MD5
- 176ebfc431daa903ef83e69934759212
- 2cf90bf5b61d605c116ce4715551b7a3
- 3eef28005943fee77f48ac6ba633740d
- 55e5bfa75d72e9b579e59c00eaeb6922