ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic

Published : 23/11/2024   Category : security




The botnet — built for DDoS, backdooring, and dropping malware — is evading standard URL signature detections with a novel approach involving Hex IP addresses.



Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.
According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar dot-decimal command-and-control URL format (i.e., hxxp://39.99.218[.]78) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.
IP addresses can be expressed in formats other than dot-decimal notation, including decimal and hexadecimal notations, and these forms are generally accepted by widely used Web browsers, according to the ASEC advisory on the Hex IP attacks. Because the download is performed with curl, which accepts hexadecimal addresses just as Web browsers do, ShellBot can be downloaded successfully on a Linux system and executed through Perl.
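To show concretely why a dot-decimal URL signature misses the address in the advisory, here is an added example (not code from the article or from ASEC) that normalises the legacy numeric IPv4 notations, hex, decimal, octal and the one- to four-part mixed forms, back to dotted-decimal before any matching is done. It follows the classic inet_aton parsing rules, which is an assumption about how curl and browsers interpret such hosts; the BLOCKLIST entry is the address quoted above, and the other sample URLs are constructed variants of it.

```python
import re
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# The C2 address quoted in the article, in dotted-decimal form. A real
# deployment would load this from a threat-intel feed rather than a literal.
BLOCKLIST = {"39.99.218.78"}

# Constructed sample URLs: the hex one is the form quoted in the article,
# the rest are made-up notations that all denote the same host.
SAMPLE_URLS = [
    "http://39.99.218.78/",          # canonical dotted-decimal
    "hxxp://0x2763da4e/",            # single 32-bit hex value (article form)
    "http://660855374/",             # single 32-bit decimal value
    "http://0x27.0x63.0xda.0x4e/",   # dotted hex
    "http://047.0143.0332.0116/",    # dotted octal
    "http://0x27.99.55886:8080/",    # mixed base, three parts, explicit port
    "http://example.com/update.pl",  # ordinary DNS name, left untouched
]


def parse_part(text: str) -> int:
    """Parse one dot-separated component with inet_aton-style rules:
    0x/0X prefix -> hex, leading 0 -> octal, otherwise decimal.
    A leading zero followed by non-octal digits (e.g. "08") is rejected,
    as inet_aton does."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text[2:], 16)
    if re.fullmatch(r"0[0-7]*", text):
        return int(text, 8)
    if re.fullmatch(r"[1-9][0-9]*", text):
        return int(text, 10)
    raise ValueError(f"not a numeric address component: {text!r}")


def normalise_ipv4(host: str):
    """Return the dotted-decimal form of a host written in any legacy numeric
    IPv4 notation, or None if the host is not one (e.g. a real DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last part are single octets; the last part fills whatever
    # bits remain (32, 24, 16 or 8 depending on the number of parts).
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 8 * (5 - len(parts))
    if last >= (1 << last_bits):
        return None
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << last_bits) | last
    return str(ipaddress.IPv4Address(packed))


def normalise_url(url: str) -> str:
    """Rewrite a URL so a numeric IPv4 host in any notation becomes canonical
    dotted-decimal; URLs with other hosts are returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    canonical = normalise_ipv4(host)
    if canonical is None or canonical == host:
        return url
    netloc = canonical if parts.port is None else f"{canonical}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def check_url(url: str):
    """Return (normalised_url, flags). Signature and blocklist matching is
    done on the normalised URL, so the notation used no longer matters."""
    norm = normalise_url(url)
    flags = []
    if norm != url:
        flags.append("obfuscated-ip-literal")
    if urlsplit(norm).hostname in BLOCKLIST:
        flags.append("blocklisted-c2")
    return norm, flags


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        normalised, hits = check_url(sample)
        print(f"{sample:32} -> {normalised:30} {' '.join(hits)}")
```

Running the block prints every sample URL beside its canonical form and the flags it triggers; the point for a detection pipeline is that the normalisation step runs before the signature lookup, so a single dotted-decimal indicator covers all of the equivalent spellings.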
ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.
"If ShellBot is installed, Linux servers can be used ... for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.
To protect their organizations from ShellBot attacks, administrators should up their password hygiene game: use strong passwords and rotate those hardened credentials on a regular basis.
