
Shellbot Botnet

Posted: November 6, 2018

The Shellbot Botnet is a network of backdoor Trojans that remote attackers use to conduct other attacks, such as DDoS campaigns. The malware associated with the Shellbot Botnet runs on Windows computers as well as many Internet-of-Things (IoT) devices, so users of both should follow the relevant network security guidelines. Use an appropriate anti-malware solution to remove the Shellbot Botnet Trojans from infected systems, and reset compromised devices to their factory conditions.

Bandits Taking Over Your Devices

Personal computers and network-accessible devices such as 'smart' thermostats and refrigerators are at equal risk from a recent botnet campaign. The Shellbot Botnet, administered by a group of threat actors that Trend Micro dubs 'Outlaw' (after the name of one of the hacking tools they use), targets Windows, Linux and Android environments. After infecting the computer or device and cleaning up the evidence of the intrusion, the infection gives the attackers command-based control through an IRC channel.

The Shellbot Botnet isn't an original product; it's an update of the older Perl Shellbot, whose source code is freely available on GitHub. However, Outlaw deploys the Shellbot Botnet at a professional level and compromises its targets opportunistically, including Japanese FTP servers and Bangladeshi government Web domains. The data available to malware researchers suggests that both brute-force attacks against login credentials and the exploitation of unpatched software vulnerabilities are responsible for the infections.

The first stage of the Shellbot Botnet is a simple backdoor Trojan that drops the secondary, bot component, which establishes persistence on the system and opens contact with an IRC server. This second program conceals itself by posing as a system process and can carry out multiple commands. The ones malware analysts judge most relevant include Distributed Denial-of-Service (DDoS) activity (flooding a server with traffic until it can no longer serve legitimate requests), downloading and running other files, uploading system information to the attacker, and scanning ports for further network vulnerabilities.
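The two traits described above, an IRC control channel and a process that poses as a system daemon, are things a responder can check for directly on a Linux host. The shell script below is an added example written for this page, not code from the article or from Trend Micro's analysis. The port list it treats as suspicious (the common IRC ports, plus TCP port 53, which the article's later advice singles out), the daemon names it treats as masquerade candidates, and the `ss`/`/proc`-style sample data are all assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article or Trend Micro's research):
# two quick triage checks for an IRC-controlled bot on a Linux host.
#   1. flag_irc_connections: established TCP sessions to suspect ports in `ss -tnp` output
#   2. flag_masquerading:    processes named like system daemons whose binary lives outside
#                            the usual system paths (a bot "pretending to be a system process")
# Port list and daemon names are illustrative assumptions; a bot can use any port or name.
# TCP 53 is included because a long-lived established session to port 53 from an
# arbitrary process is not normal DNS behaviour and deserves a look.

SUSPECT_PORTS="6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6697 7000 53"

# flag_irc_connections <ss -tnp output> -> "pid process peer" per suspicious line
flag_irc_connections() {
    printf '%s\n' "$1" | awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "ESTAB" {
            port = $5; sub(/.*:/, "", port)             # peer is "addr:port"; keep the port
            if (!(port in want)) next
            if ($6 == "") { print "-", "-", $5; next }  # no process data (ss run unprivileged)
            match($6, /\("[^"]+"/); proc = substr($6, RSTART + 2, RLENGTH - 3)  # users:(("name",...
            match($6, /pid=[0-9]+/); pid = substr($6, RSTART + 4, RLENGTH - 4)  # ...pid=N,...
            print pid, proc, $5
        }'
}

# flag_masquerading <"pid comm exe" table> -> rows where a daemon-like name runs from an odd path
flag_masquerading() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^(sshd|crond?|rsyslogd|syslogd|systemd(-[a-z]+)?|dbus-daemon)$/ &&
        $3 !~ /^\/(usr\/)?(s?bin|lib|libexec)\// { print $1, $2, $3 }'
}

# collect_processes -> live "pid comm exe" table from /proc, for use with flag_masquerading
collect_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        printf '%s %s %s\n' "${p#/proc/}" "$(cat "$p/comm")" "$exe"
    done
}

# Constructed sample data for the example (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 10.0.0.9:50123 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:51234 203.0.113.7:6667 users:(("sshd",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:44310 198.51.100.20:443 users:(("curl",pid=5001,fd=5))
ESTAB 0 0 10.0.0.5:39902 198.51.100.44:53 users:(("perl",pid=4300,fd=3))'

SAMPLE_PS='812 sshd /usr/sbin/sshd
4242 sshd /tmp/.cache/sshd
4300 perl /usr/bin/perl
5001 curl /usr/bin/curl'

flag_irc_connections "$SAMPLE_SS"   # 4242 sshd 203.0.113.7:6667 / 4300 perl 198.51.100.44:53
flag_masquerading "$SAMPLE_PS"      # 4242 sshd /tmp/.cache/sshd
# Live use: flag_irc_connections "$(ss -tnp)"; flag_masquerading "$(collect_processes)"
```

The process named `sshd` in the sample is flagged twice, once for its IRC session and once because its binary sits under /tmp while the real daemon lives in /usr/sbin; a hit from either check alone is worth pulling the host off the network and imaging it before the bot cleans up further.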

Keeping Romanian Hackers in Romania

The Shellbot Botnet campaign makes substantial use of code with Romanian comments, and the daily schedule its threat actors keep also implies a European base of operations. However, their attacks extend well beyond that region and take advantage of vulnerable servers and devices around the world. Users who suspect an infection should immediately disconnect the compromised device or PC from the network, and be aware that restoring connectivity before removing the Trojan lets it re-establish contact with its Command & Control server.

Traditional password management guidelines, especially for SSH logins, can block the brute-force attacks launched by various hacking utilities, and keeping the software on all IoT devices updated removes vulnerabilities that Outlaw could exploit. Additional steps malware analysts encourage include monitoring port 53 for unusual activity (traffic on that port that isn't DNS deserves a closer look) and limiting FTP usage where it's avoidable. Dovecot mail users are at particular risk. Appropriate anti-malware solutions can, as usual, delete the Shellbot Botnet's various components.
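As an added example (not from the article or the original research), the shell script below audits an sshd_config for the settings that make password brute-forcing viable, shows a weak configuration beside a hardened one, and counts failed SSH logins per source address from auth.log-style lines. The recommended values, the alert threshold and the sample configuration and log lines are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article or Trend Micro's research):
# 1. audit_sshd_config: report sshd_config directives that leave password brute-forcing open
# 2. failed_ssh_logins:  count "Failed password" events per source IP in auth.log-style lines
# Recommended values and thresholds are this example's assumptions, not the article's.

# audit_sshd_config <sshd_config text> -> "Key current -> recommended" for each weak directive
audit_sshd_config() {
    printf '%s\n' "$1" | awk '
        # sshd honours the FIRST occurrence of a keyword; keywords are case-insensitive
        /^[[:space:]]*#/ || NF == 0 { next }
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
        function check(key, want, dflt, numeric,   k, cur, shown, bad) {
            k = tolower(key)
            if (k in val) { cur = val[k]; shown = cur }
            else          { cur = dflt;   shown = "(default " dflt ")" }
            bad = numeric ? (cur + 0 > want + 0) : (cur != want)
            if (bad) print key, shown, "->", want
        }
        END {
            check("PasswordAuthentication", "no", "yes",               0)
            check("PermitRootLogin",        "no", "prohibit-password", 0)
            check("PermitEmptyPasswords",   "no", "no",                0)
            check("MaxAuthTries",           "3",  "6",                 1)  # flag only if higher
        }'
}

# failed_ssh_logins <auth.log text> <threshold> -> "ip count" for sources at or above threshold
failed_ssh_logins() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# Constructed samples: a weak sshd_config (password logins, root login, default retry count)
# beside a hardened one (key-only, no root, tighter retry budget).
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6'

HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3'

# Constructed auth.log excerpt; 203.0.113.7 is a documentation address.
SAMPLE_AUTH_LOG='Nov  6 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov  6 10:01:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Nov  6 10:01:05 host sshd[2203]: Failed password for root from 203.0.113.7 port 40141 ssh2
Nov  6 10:02:10 host sshd[2210]: Accepted publickey for ops from 10.0.0.9 port 51000 ssh2
Nov  6 10:03:00 host sshd[2215]: Failed password for ops from 10.0.0.9 port 51010 ssh2'

audit_sshd_config "$WEAK_SSHD_CONFIG"       # three findings
audit_sshd_config "$HARDENED_SSHD_CONFIG"   # no output
failed_ssh_logins "$SAMPLE_AUTH_LOG" 3      # 203.0.113.7 3
# Live use: audit_sshd_config "$(cat /etc/ssh/sshd_config)"; failed_ssh_logins "$(cat /var/log/auth.log)" 10
```

The audit treats the first occurrence of a keyword as authoritative because that is how sshd itself resolves duplicates, so a hardened line appended at the bottom of a file that already sets `PasswordAuthentication yes` near the top does nothing. On devices where the configuration cannot be changed, the per-IP counter at least tells you which sources to block at the perimeter.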

Strategically, the Shellbot Botnet is far from a new phenomenon, but the Internet-of-Things is evidently more and more at risk from multiple angles of attack. Users with 'smart' products need to remember that a little knowledge is an unsafe thing if its wielder doesn't pair it with due diligence concerning their network security.
