NEWS Cheap Linux — Expensive Trouble: New Botnet Takes Over Servers via SSH

ExcalibuR

Honeypot traps reveal a new method of turning servers into digital slaves.


Hackers are actively targeting vulnerable Linux servers with open SSH access to install malicious software known as SVF Botnet — a simple yet effective tool for launching DDoS attacks and mining cryptocurrency. This was reported by the AhnLab Security Intelligence Center (ASEC), which monitors such threats using specially configured honeypot servers.


One recent case involved an attack on one of these honeypot servers. The attackers used brute-force techniques to guess weak login credentials and, once they gained SSH access, immediately uploaded the botnet program. At its core, the malware is a Python script linked to an informal group calling itself the SVF Team.


A notable feature of this botnet is its use of Discord — a messaging platform popular among gamers and teens — as its command-and-control channel. Through Discord, the bot receives commands and sends back information about the infected system.


SVF Botnet's installation centres on creating a Python virtual environment in which it installs its key dependencies: discord.py, requests, aiohttp, and lxml. It then downloads the main script (main.py) from termbin and launches it with parameters such as -s 5, which groups infected machines under one control set.


Once launched, the bot authenticates using a Discord token and connects to a command channel, where it receives instructions. It also sends system info, including its group assignment, via webhook. This design allows botnet operators to build a flexible command structure, dividing resources into functional segments.


SVF focuses on two types of attacks: HTTP flood (Layer 7) and UDP flood (Layer 4). It supports extensive customization, including the number of threads, packet intensity, and concurrency levels. One of its standout features is an integrated proxy system: the bot automatically fetches open proxy lists from GitHub and other sources, tests their validity by trying to log into Google, and uses random proxies during attacks. This makes traffic origin tracing harder and helps bypass security defenses.


Several commands in the bot’s arsenal ($load, $customhttp, $customudp) allow for extended functionality, including loading new proxies, launching customized attacks, and stopping ongoing actions. It also includes features for restarting the bot, handling failures, and updating from a specific IP address — suggesting ongoing development and architectural complexity.


This incident highlights the continued vulnerability of Linux servers with poorly secured SSH access. Once compromised, a server becomes part of a botnet, used for attacks or crypto mining. To prevent such outcomes, system administrators are advised to harden authentication, use long and unique passwords, change them regularly, apply the latest security patches, and restrict SSH access via firewall rules.


Additionally, keeping antivirus solutions up to date is crucial for detecting new threats in time. As attackers increasingly rely on open-source tools and legitimate services for obfuscation, deploying honeypot infrastructure and activity monitoring remain essential strategies for gathering threat intelligence and improving cyber resilience.
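Building on the brute-force-then-install chain described above and the monitoring advice here, the following is an added example (not part of the ASEC report or the original post): a small Python check that flags password logins following a burst of failures in sshd logs, and flags process command lines matching the described venv install of discord.py/aiohttp/lxml or a main.py launch with the -s flag. The log lines, command lines and the /tmp/.svf path are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sshd log lines (not from the ASEC report): a password-guessing
# run against root that ends in a successful login, then a legitimate key login.
SAMPLE_AUTH_LOG = """\
Jul 24 03:12:01 host sshd[911]: Failed password for root from 198.51.100.7 port 50112 ssh2
Jul 24 03:12:02 host sshd[911]: Failed password for root from 198.51.100.7 port 50113 ssh2
Jul 24 03:12:03 host sshd[911]: Failed password for root from 198.51.100.7 port 50114 ssh2
Jul 24 03:12:06 host sshd[912]: Accepted password for root from 198.51.100.7 port 50117 ssh2
Jul 24 03:20:00 host sshd[950]: Accepted publickey for admin from 203.0.113.9 port 40001 ssh2
"""
# Constructed command lines, as `ps -eo args` might list them; paths are made up.
SAMPLE_PROCESSES = [
    "/usr/bin/python3 /usr/lib/apt/apt.systemd.daily",
    "/tmp/.svf/venv/bin/pip install discord.py requests aiohttp lxml",
    "/tmp/.svf/venv/bin/python main.py -s 5",
    "sshd: admin [priv]",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")

def brute_force_logins(log_text, threshold=3):
    # (ip, user) pairs where a password login succeeded after at least
    # `threshold` failed password attempts from the same source IP.
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
        else:
            m = ACCEPTED.search(line)
            if m and failures[m.group(2)] >= threshold:
                hits.append((m.group(2), m.group(1)))
    return hits
# Traits of the install chain described above: a venv pip install of the bot's
# Discord dependencies, or a venv Python running main.py with the -s group flag.
BOT_DEPS = {"discord.py", "aiohttp", "lxml"}
VENV_MAIN = re.compile(r"venv/bin/python\d*\s+\S*main\.py\b.*\s-s\s+\d+")

def suspicious_processes(cmdlines):
    flagged = []
    for cmd in cmdlines:
        parts = cmd.split()
        if parts[0].endswith("pip") and "install" in parts and BOT_DEPS & set(parts):
            flagged.append(cmd)
        elif VENV_MAIN.search(cmd):
            flagged.append(cmd)
    return flagged
```

In production the same two checks would read /var/log/auth.log (or journalctl output) and `ps -eo args` rather than the constructed samples.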