A new strain of Distributed Denial of Service (DDoS) malware, named cShell, has been identified targeting poorly managed Linux SSH servers.
The AhnLab Security Intelligence Center (ASEC) discovered this malware during routine monitoring of attacks on exposed servers.
Developed in the Go programming language, cShell exploits Linux utilities such as screen and hping3 to launch powerful DDoS attacks.
Initial Access via Brute Force Attacks
The cShell campaign begins with attackers scanning publicly exposed Linux SSH servers and employing brute force techniques to gain access.
Once successful, they install the malware by executing commands that download and configure it.
The malware is stored in the /etc/de/cARM directory and uses a service file (sshell.service) to ensure persistence via the systemctl command.
Notably, error messages during installation are written in German, suggesting a possible origin or developer preference.
Because the attackers rely on weak credentials to gain and keep access, administrators need to enforce strong password policies.
Exploitation Tools: Screen and hping3
Unlike traditional DDoS bots, cShell leverages existing Linux tools for its operations:
- Screen: This utility allows tasks to run in virtual terminal sessions, even after the terminal is closed. cShell uses it to execute hping3 commands in the background under session names like “concurrent.”
- hping3: A TCP/IP packet generation tool, hping3 is used for crafting various types of packets (e.g., SYN, ACK, UDP) to overwhelm target networks. Commands such as hping3 -FXYAP -d <Data Size> -p <Port Number> --flood <Target IP> are executed to perform high-speed packet flooding.
These tools enable cShell to conduct sophisticated DDoS attacks while remaining lightweight and efficient.
cShell supports six DDoS attack commands (e.g., SYN Flood, ACK Flood) and includes an update feature.
It communicates with a Command-and-Control (C&C) server to receive instructions and execute attacks.
The malware also accesses additional URLs hosted on platforms like Pastebin to download updated versions of itself.
Commands sent from the C&C server specify details such as target IPs, ports, data sizes, and timeout options. This modularity allows attackers to customize their attacks for maximum impact.
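The behaviour described above leaves visible traces on an infected host: hping3 processes carrying --flood, screen sessions wrapping them, and references to the /etc/de/cARM directory or sshell.service. The following is an added detection example (not code from the ASEC report) that runs those indicators over a process listing. The process lines are constructed for illustration, and the assumption that screen is started with -dmS to name the session is the author's, not something the report states.

```python
"""Hunt for cShell-style indicators in a `ps -eo pid,user,args` listing.

Added example, not from the ASEC report. Indicators come from the article
(hping3 --flood inside screen sessions, /etc/de/cARM, sshell.service);
the `screen -dmS <name>` invocation style is an assumption.
"""
import re
from dataclasses import dataclass, field

HPING_FLOOD = re.compile(r"\bhping3\b.*--flood")
# Assumption: detached, named screen session (`screen -dmS <name> ...`);
# the daemon shows up in ps as upper-case SCREEN, hence IGNORECASE.
SCREEN_SESSION = re.compile(r"\bscreen\b.*-dmS\s+(\S+)", re.IGNORECASE)
SUSPICIOUS_PATHS = ("/etc/de/cARM", "sshell.service")


@dataclass
class Finding:
    pid: int
    user: str
    reasons: list = field(default_factory=list)
    cmdline: str = ""


def parse_ps_line(line):
    """Return (pid, user, args) for a data row, or None for the header/blank lines."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def hunt(ps_lines):
    """Return one Finding per suspicious process, listing every matched indicator."""
    findings = []
    for line in ps_lines:
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, user, args = parsed
        reasons = []
        if HPING_FLOOD.search(args):
            reasons.append("hping3 --flood command")
        m = SCREEN_SESSION.search(args)
        if m and "hping3" in args:
            reasons.append(f"screen session '{m.group(1)}' wrapping hping3")
        for path in SUSPICIOUS_PATHS:
            if path in args:
                reasons.append(f"references {path}")
        if reasons:
            findings.append(Finding(pid, user, reasons, args))
    return findings


# Constructed sample listing; 203.0.113.10 is a documentation address.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /usr/sbin/sshd -D
 2231 root     SCREEN -dmS concurrent hping3 -FXYAP -d 1200 -p 80 --flood 203.0.113.10
 2232 root     hping3 -FXYAP -d 1200 -p 80 --flood 203.0.113.10
 2410 root     systemctl enable sshell.service
 2411 root     /etc/de/cARM/bot_placeholder
 3001 alice    python3 app.py
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_PS.splitlines()):
        print(f"pid {f.pid} ({f.user}): {'; '.join(f.reasons)}\n    {f.cmdline}")
```

On a live host, feed it the output of ps -eo pid,user,args (or a cron-collected copy of it); the same indicator list can be reused against systemd unit files under /etc/systemd/system and against shell history.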
Conclusion: Strengthening Defenses
The rise of cShell highlights vulnerabilities in poorly managed Linux SSH servers. To mitigate such threats:
- Use strong passwords and periodically update them.
- Disable root login via SSH and restrict server access by IP.
- Regularly patch server software and install firewalls.
- Monitor for abnormal behavior and implement robust security tools.
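The first two recommendations map directly onto sshd_config directives. As an added example (not from the ASEC report), the script below audits a config for root login over SSH, password-only authentication, the brute-force attempt limit, and the absence of a user/IP allow list, and shows a weak configuration beside a hardened one. Both configs are constructed samples, and the thresholds chosen (MaxAuthTries at most 3) are the author's.

```python
"""Audit sshd_config against the mitigations the article recommends.

Added example, not from the ASEC report. sshd uses the first value it reads
for each keyword, so the parser keeps the first occurrence; directives after
a Match block are conditional and are not evaluated here.
"""
import re


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means no issue found."""
    cfg = parse_sshd_config(text)
    issues = []
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        issues.append("PermitRootLogin is not 'no': root can be targeted directly over SSH")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        issues.append("PasswordAuthentication enabled: brute force of passwords remains possible")
    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > 3:
        issues.append("MaxAuthTries unset or above 3 (default 6): limit attempts per connection")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        issues.append("No AllowUsers/AllowGroups: access is not restricted by user or source IP")
    return issues


# Constructed sample: the weak configuration a brute-force campaign relies on.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the hardened counterpart (203.0.113.0/24 is a documentation range).
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin@203.0.113.0/24
# Duplicate later in the file is ignored by sshd; first value wins.
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        issues = audit_sshd_config(text)
        print(f"{name}: {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

Run it against /etc/ssh/sshd_config (and any files pulled in by Include) before exposing a server; combine with a firewall rule or fail2ban-style rate limiting so that the attempt limit is enforced at the network layer as well.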
By addressing these gaps, administrators can reduce the risk of their servers being exploited as part of a DDoS botnet.