Analecta Cyber Company Blog: ShellBOT Attacks Increase Nearly 400% and Begin Authenticating

2015-04-16

ShellBOT Attacks Increase Nearly 400% and Begin Authenticating

In early April, sensors deployed by Analecta recorded a nearly 400% increase in attempted Shellshock botnet activity. The scans originated from the following sources:

Scanning IPs:

123.108.3.186
195.160.232.92
5.45.109.9
64.34.169.223
82.69.10.48

Despite the wide range of source IPs, every attempted Shellshock exploit tries to retrieve either hxxp://202.191.121.230/ou.pl or hxxp://ubimed.com/cata.txt. [Note 1]

ShellBOT

#
#  ShellBOT by: devil__
#       Greetz: Puna, Kelserific
#

ShellBOT is a well-known IRC-based Remote Administration Tool (RAT). This specific version has been configured to connect to a command and control (C2) IRC server at 209.92.176.45 on port 80. Using port 80 instead of a standard IRC port is a minor configuration change intended to make the IRC traffic look like ordinary web traffic. The configuration, including server, port and channel, is shown here:

$servidor='209.92.176.45' unless $servidor;   # C2 server address ("servidor" = server)
my $porta='80';                                # C2 port ("porta" = port), chosen to blend with HTTP
my @canais=("#xxx");                           # IRC channel(s) the bot joins ("canais" = channels)
my @adms=("Dragos","Anddy","dan");             # nicks allowed to issue commands ("adms" = admins)
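
The two defensive tasks this configuration suggests are pulling the C2 indicators out of a recovered ShellBOT script and then spotting the bot's traffic on the network, where IRC commands arriving on port 80 give it away even though the port is meant to make it blend in. The following Python is an added example written for this post; it is not code from Analecta or from ShellBOT. The config extractor is a small regex pass over Perl assignments of the form shown above, and the flow checker is a heuristic that labels a payload as HTTP, IRC or unknown and flags IRC on a web port or any connection to the extracted server/port pair. The sample flows, the internal 10.0.0.x hosts, the 198.51.100.x servers and the bot nicknames are all constructed for the example; only the C2 address and port come from the post.

```python
import re

# Constructed sample: the configuration lines quoted in the post, embedded as a string
# so the extractor can be run offline.
SHELLBOT_CONFIG = """
$servidor='209.92.176.45' unless $servidor;
my $porta='80';
my @canais=("#xxx");
my @adms=("Dragos","Anddy","dan");
"""

# Perl scalar assignment with a single-quoted value, e.g.  $porta='80';
SCALAR_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
# Perl list assignment, e.g.  my @canais=("#xxx");
LIST_RE = re.compile(r"@(\w+)\s*=\s*\(([^)]*)\)")

# First line of an HTTP request or response; anything else on a web port is suspect.
HTTP_START_RE = re.compile(
    r"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d"
    r"|^HTTP/\d\.\d \d{3}"
)
# An IRC client/server message, with or without the optional ":prefix" in front.
IRC_CMD_RE = re.compile(
    r"^(?::\S+\s+)?(?:NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE)\s", re.IGNORECASE
)
WEB_PORTS = {80, 443, 8080}


def extract_config(src: str) -> dict:
    """Pull scalar and list settings out of ShellBOT-style Perl source.

    Returns e.g. {'servidor': '209.92.176.45', 'porta': '80', 'canais': ['#xxx'], ...}
    (Portuguese names: servidor = server, porta = port, canais = channels, adms = admins).
    """
    config = {name: value for name, value in SCALAR_RE.findall(src)}
    for name, body in LIST_RE.findall(src):
        config[name] = re.findall(r'"([^"]*)"', body)
    return config


def classify_payload(payload: str) -> str:
    """Label the first bytes of a flow as 'http', 'irc' or 'unknown'."""
    lines = [line for line in payload.splitlines() if line.strip()]
    if not lines:
        return "unknown"
    if HTTP_START_RE.match(lines[0]):
        return "http"
    if any(IRC_CMD_RE.match(line) for line in lines):
        return "irc"
    return "unknown"


def find_suspicious_flows(flows: list, config: dict) -> list:
    """Flag flows that reach the configured C2 or that speak IRC on a web port."""
    c2 = (config.get("servidor"), int(config.get("porta", 0)))
    findings = []
    for flow in flows:
        reasons = []
        if (flow["dst_ip"], flow["dst_port"]) == c2:
            reasons.append("destination matches ShellBOT C2 server/port from config")
        if classify_payload(flow["payload"]) == "irc" and flow["dst_port"] in WEB_PORTS:
            reasons.append("IRC protocol on a web port")
        if reasons:
            findings.append({"src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"],
                             "dst_port": flow["dst_port"], "reasons": reasons})
    return findings


# Constructed sample flows: internal hosts and non-C2 servers use RFC 5737
# documentation addresses; only the C2 address and port come from the post.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.10", "dst_port": 80,
     "payload": "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl\r\n\r\n"},
    {"src_ip": "10.0.0.7", "dst_ip": "209.92.176.45", "dst_port": 80,
     "payload": "NICK bot7\r\nUSER bot7 8 * :bot7\r\nJOIN #xxx\r\n"},
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.20", "dst_port": 6667,
     "payload": "NICK alice\r\nUSER alice 0 * :alice\r\n"},
    {"src_ip": "10.0.0.11", "dst_ip": "198.51.100.30", "dst_port": 80,
     "payload": ":irc.test NOTICE AUTH :*** Looking up your hostname\r\nNICK bot11\r\n"},
]

if __name__ == "__main__":
    cfg = extract_config(SHELLBOT_CONFIG)
    print("extracted config:", cfg)
    for hit in find_suspicious_flows(SAMPLE_FLOWS, cfg):
        print(hit)
```

Run as-is, the script prints the extracted server, port, channel and admin list, then two findings: the flow to 209.92.176.45:80 is flagged on both rules, and the IRC session to an unrelated host on port 80 is flagged on the protocol rule alone, while the plain HTTP request and the IRC session on port 6667 pass. The protocol check looks at the first lines of the payload rather than the port, which is exactly the property the port-80 trick cannot hide.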

Changes in Operations

Of particular note, however, are the changes on the controller side. When the client software attempted to connect to the C2 IRC server and channel, it was permanently banned. Past attempts to access the C2 channel had been successful.

[Note 1] The file cata.txt hosted at ubimed.com has been removed from the site.