The Chalubo botnet is a recently discovered malware that has been found to borrow advanced features from other threats and to be used in DoS (denial of service) attack campaigns. At the time of writing, several attacks have been spotted. Our article gives an overview of how the malware functions.
The Chalubo Botnet Is a Formidable DoS Weapon
A new, dangerous malware called the Chalubo botnet has been discovered by a team of security researchers. Several iterations of it have been found to cause infections. The first versions linked to it were observed back in August, when three malicious components were used in an attack against x86 machines. This is believed to have been an early test attack, probably a way for the operators to fine-tune and tweak the botnet.
The Elknot dropper was later used to deliver a more complete version of the malware. The captured samples indicate that several variants of it are available — there are specialist versions for each architecture. This makes it very effective against both servers and IoT devices.
In September a shift in the infection tactics was observed. Instead of the dropper, the malicious component depended on brute-force attacks against remote desktop services. The hackers loaded the infection script with default credentials and commonly used username and password combinations. Updated versions of the Chalubo botnet featured advanced anti-analysis code that protected them from being discovered by both administrators and security software. This is done by launching a hardcoded script that executes the following operations:
- Firewall Bypass
- Installation of the “wget” download utility if it is not present.
- Downloading of a second-stage script
- System modification
- Log Files Removal
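The credential-guessing stage described above leaves a recognisable trace in the authentication log of the targeted service: a burst of failed logins from one address, cycling through factory-default usernames, sometimes followed by a success. The following detector is an added example written for this article, not code from the original page or from any research team; it runs over constructed, syslog-style sample lines (the hostname, service name, addresses and timestamps are invented) and flags sources that exceed a failure threshold inside a short window, reporting which default accounts were tried and whether a login from the same address succeeded afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not taken from the article): syslog-style
# records of the kind a remote-access service writes during a credential-
# guessing attack. Hostname, service name, users, addresses and times are invented.
SAMPLE_LOG = """\
Oct 12 03:14:01 host1 remoted: Failed password for admin from 198.51.100.23 port 51000
Oct 12 03:14:02 host1 remoted: Failed password for root from 198.51.100.23 port 51001
Oct 12 03:14:02 host1 remoted: Failed password for admin from 198.51.100.23 port 51002
Oct 12 03:14:03 host1 remoted: Failed password for user from 198.51.100.23 port 51003
Oct 12 03:14:03 host1 remoted: Failed password for support from 198.51.100.23 port 51004
Oct 12 03:14:04 host1 remoted: Failed password for guest from 198.51.100.23 port 51005
Oct 12 03:14:05 host1 remoted: Accepted password for admin from 198.51.100.23 port 51006
Oct 12 03:20:10 host1 remoted: Failed password for alice from 203.0.113.7 port 40001
Oct 12 03:25:30 host1 remoted: Accepted password for alice from 203.0.113.7 port 40002
"""

# Account names that ship as factory defaults on many appliances and are
# therefore typical guesses in attacks of this kind (constructed list; extend
# it with the defaults of the products actually deployed).
DEFAULT_ACCOUNTS = {"admin", "root", "user", "support", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_line(line, year=2018):
    """Parse one log line into a dict, or return None if it is not a login record.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source addresses with at least `threshold` failures inside `window_seconds`.

    Each flagged source gets a summary: total failures, the usernames tried,
    which of those are factory-default accounts, and whether a successful
    login from the same address followed the burst (the case that needs the
    most urgent attention, since it may mean a default password worked).
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        burst_end = None
        # Sliding window over consecutive failures: the source is flagged as
        # soon as `threshold` failures fit inside `window_seconds`.
        for i in range(len(fails) - threshold + 1):
            span = (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds()
            if span <= window_seconds:
                burst_end = fails[i + threshold - 1]["ts"]
                break
        if burst_end is None:
            continue
        users = sorted({e["user"] for e in fails})
        success_after = any(
            e["outcome"] == "Accepted" and e["ts"] >= burst_end for e in evs
        )
        flagged[ip] = {
            "failures": len(fails),
            "distinct_users": users,
            "default_accounts": sorted(set(users) & DEFAULT_ACCOUNTS),
            "success_after": success_after,
        }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample input only 198.51.100.23 is flagged: six failures across five default account names within a few seconds, followed by an accepted login, which is exactly the sequence that warrants isolating the host and rotating its credentials. The single failure from 203.0.113.7 stays below the threshold. The regular expression matches the constructed format above; adapt it to the exact message format of the remote-access service in use.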
What follows is the actual bot deployment. When started, it connects to a specific hacker-controlled server and reports the successful infection. The observed hacker instructions were to download other modules depending on the individual machine configuration. So far it seems that the Chalubo botnet is used to perform all basic DoS attacks — DNS, UDP and SYN floods against a given target. We anticipate that the attacks and further upgrades to its code base will continue. As the botnet is based on scripts and publicly available source code, there is the possibility that it will be sold or traded on underground hacker marketplaces. As such, offspring versions can include more dangerous modules.