cShell DDoS Bot Exploits Poorly Managed Linux SSH Servers
AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of DDoS malware called cShell, which specifically targets poorly managed Linux SSH servers. The malware exploits weak credentials to gain access and turn compromised servers into DDoS bots.
The attack begins with a brute force assault on publicly exposed SSH services using weak or default credentials. Once access is gained, the malware installs itself and establishes persistence. “The malware is installed in the “/etc/de/cARM” path and uses the additionally downloaded configuration file “sshell.service” to register the service with the systemctl command, maintaining persistence,” ASEC explained.
cShell stands out by leveraging existing Linux utilities, such as screen and hping3, to execute its attacks. Unlike traditional DDoS malware, it uses these tools to run tasks in the background and generate various types of network traffic for DDoS attacks.
cShell is developed in the Go programming language and includes the following functionalities:
- Persistence Mechanism: Utilizes Linux systemctl for continued operation.
- DDoS Command Support: Executes multiple DDoS attacks, including SYN, ACK, UDP, and PSH floods.
- C2 Communication: Connects to command-and-control (C2) servers for task updates and additional payloads.
- Update Mechanism: Fetches new versions of itself from multiple URLs, including Pastebin.
ASEC’s report describes the following commands used by cShell for DDoS attacks:
| Command | Attack Type | Example Command |
|---|---|---|
| SYN | SYN Flood | hping3 -S -d <Data Size> -p <Destination Port> –flood <Target IP> |
| ACK | ACK Flood | hping3 -A -d <Data Size> -p <Destination Port> –flood <Target IP> |
| UDP | UDP Flood | hping3 -2 -d <Data Size> -p <Destination Port> –flood <Target IP> |
| PSH | Push Flood | hping3 -P -d <Data Size> -p <Destination Port> –flood <Target IP> |
| fxyap | Custom Flood Type #1 | hping3 -FXYAP -d <Data Size> -p <Destination Port> –flood <Target IP> |
| ovh | Custom Flood Type #2 | hping3 -S -p <Destination Port> -s <Source Port> <Target IP> -c 1 && hping3 -A –faster <Target IP> |
These commands demonstrate the malware’s ability to generate high-intensity network traffic aimed at overwhelming targets.
ASEC notes, “cShell runs hping3 in the background under the name ‘concurrent’ using the screen command, supporting different DDoS options for each command.”
C&C and download URLs | Source: ASEC
The malware communicates with its C&C server to receive commands. Upon installation, it sends an initialization packet and waits for further instructions. Commands range from DDoS attacks to software updates. ASEC highlights, “cShell supports 4 additional download URLs besides the hard-coded C&C server addresses, exploiting Pastebin during the update process to download the latest version.”
At its core, cShell transforms compromised Linux servers into DDoS bots capable of executing high-volume attacks. This can disrupt networks and enable attackers to exploit resources for further malicious activity. The report warns, “If cShell is installed, the Linux server can be utilized as a DDoS bot by receiving commands from the threat actor.”
ASEC urges system administrators to adopt the following measures to prevent cShell infections:
- Use Strong Passwords: Employ complex, unique passwords and update them regularly.
- Enable Firewalls: Restrict external access to SSH servers with security programs.
- Patch Systems: Keep Linux servers updated with the latest security patches.
- Monitor Activity: Regularly check for unauthorized processes or unusual network activity.
ASEC advises, “Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks.”
Related Posts:
- CVE-2023-34990 (CVSS 9.8): Critical Security Flaw Found in Fortinet FortiWLM
- CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers
