October 25, 2018
A new report issued by researchers from a cybersecurity company called SophosLabs claims that a new botnet called Chalubo (ChaCha-Lua-bot) is targeting badly secured SSH servers. While SSH servers are believed to be its main focus, the botnet has also targeted IoT devices.
New botnet ready for use
The botnet made its first appearance in August 2018, but its activity escalated in September. As mentioned, it mostly targets Linux SSH servers. By scanning large ranges of IP addresses, it can quickly find every device that runs SSH on port 22. If a device is badly secured, protected only by a weak or default password, a brute-force attack can gain access simply by guessing the login credentials.
Upon infecting a device, Chalubo downloads malware that uses it to launch DDoS attacks. The techniques it employs are more often observed in malware targeting Windows devices. In addition, Chalubo borrows code from Xor.DDoS and even Mirai.
The botnet is said to consist of the main bot, a Lua command script, and the Elknot dropper. Since its discovery, researchers have found several versions of it aimed at different systems. According to their report, this may indicate that the testing period is over and that Chalubo is ready to be used in large-scale attacks.
Chalubo attacks started in August, but it was the attack on September 6th that gave researchers enough insight into the botnet's capabilities. Researchers also noticed one particular command used during that attack, libsdes. This command creates an empty file that prevents the malware from running more than once on the same host.
What can be done about it?
Sophos also noted that this botnet is much more complex than typical Linux bots, which indicates that Linux malware is developing rapidly. Sophos analyzed an attack on a single China-based IP address, stating that the same approach could be used to launch an attack on any network. Even so, SSH servers remain its primary focus, which is bad news given how poorly many of them are secured.
The best way to deal with the botnet is to secure SSH. The botnet's method of compromising a host relies heavily on weak passwords. Knowing that, it is possible to fend off a brute-force attack simply by using a strong password that cannot be guessed.
Apart from that, researchers pointed out several ways of spotting the botnet. These include looking for outgoing C&C traffic on port 8852, checking logs for failed login attempts, and tracking the amount of bandwidth used by servers.
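The two log-based checks above, failed SSH logins and outbound connections to port 8852, can be scripted. The following is an added example written for this article, not code from SophosLabs or its report; the sshd log lines and connection records are constructed samples, and the failure threshold of 5 is an assumption you should tune to your own environment.

```python
import re
from collections import Counter

# Constructed sample sshd auth.log lines (not taken from the Sophos report).
SAMPLE_AUTH_LOG = """\
Sep  6 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Sep  6 10:01:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51001 ssh2
Sep  6 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Sep  6 10:01:05 host sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
Sep  6 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Sep  6 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep  6 10:02:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for USER from IP" and "... for invalid user USER from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def brute_force_sources(log_text, threshold=5):
    """Return {source_ip: failure_count} for sources at or above the threshold.
    The threshold is an assumed value; a brute-force run produces far more."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed connection records (local, remote, state), in the shape of `ss -tn` rows.
SAMPLE_CONNECTIONS = [
    ("10.0.0.4:22",    "198.51.100.7:40001", "ESTAB"),  # inbound SSH session
    ("10.0.0.4:39412", "192.0.2.10:8852",    "ESTAB"),  # outbound to the reported C&C port
    ("10.0.0.4:52210", "192.0.2.11:443",     "ESTAB"),  # ordinary HTTPS
]

def suspicious_cnc_connections(conns, cnc_port=8852):
    """Return remote endpoints of established connections whose remote port is the C&C port."""
    hits = []
    for _local, remote, state in conns:
        _host, _, port = remote.rpartition(":")
        if state == "ESTAB" and port == str(cnc_port):
            hits.append(remote)
    return hits

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("C&C-port connections:", suspicious_cnc_connections(SAMPLE_CONNECTIONS))
```

On a real host, feed `brute_force_sources` the contents of `/var/log/auth.log` (or the journal's sshd entries) and `suspicious_cnc_connections` the parsed output of `ss -tn`; a hit on port 8852 is a lead to investigate, not proof of infection, since the port could be in legitimate use.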