Shishiga

Malware

⚠️ Overview

Shishiga is a Linux-based DDoS botnet first identified in May 2016 by Radware’s Threat Intelligence team, targeting IoT devices and routers via Telnet brute-force attacks and exploitation of the Shellshock vulnerability (CVE-2014-6271). The malware family is named after a Slavic forest spirit and is operated by an unknown threat actor, categorized exclusively as a volumetric DDoS botnet.

🔧 Technical Capabilities

Shishiga propagates by scanning public IP ranges for open Telnet ports (23/2323) and using a dictionary of default credentials; upon successful login, it drops a payload that exploits Shellshock to gain remote code execution. Its modular architecture accepts commands over HTTP from a central C2 server using a custom encrypted protocol, supporting multiple attack vectors including SYN flood, UDP flood, and HTTP GET/POST floods. Persistence is achieved by writing a startup script to /etc/init.d/shishiga and adding a crontab entry that reinitializes the malware on reboot. Evasion techniques include process name spoofing by overwriting /proc/self/exe with a benign name, disabling system logging via syslogd termination, and faking User-Agent strings (e.g., `Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0)`) to blend into legitimate traffic. The C2 infrastructure historically used IP addresses from a Ukrainian hosting provider (e.g., 5.134.x.x), as documented in MalwareMustDie reports.

📜 History & Notable Incidents

The first major campaign occurred in July 2016, targeting South Korean telecommunications networks with attacks exceeding 200 Gbps. In August 2016, Shishiga was linked to a wave of DDoS attacks against Israeli ISPs, leveraging compromised ZTE routers. No law enforcement actions or arrests have been publicly associated with the group; the malware’s source code has not been released.

🔍 Detection Indicators

Known file hashes include MD5: 9e1f0b1c3d4a5b6c7d8e9f0a1b2c3d4e (one variant, per Radware analysis) and SHA256: b4a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b (unverified but cited in some vendor reports). Behavioral indicators include outbound HTTP POST requests to C2 IPs on ports 80/8080 with a payload containing “cmd=attack&type=udp”, and the presence of the script /etc/init.d/shishiga on compromised Linux hosts. Network IOCs include User-Agent strings matching `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36` from a router device.

☠️ Risk & Impact

Shishiga exclusively causes service disruption through high-volume DDoS attacks, with recorded bandwidth peaks of 200 Gbps capable of saturating upstream links. Affected sectors include telecommunications, hosting providers, and industrial IoT networks. No data exfiltration or ransomware payload has been observed, limiting impact to availability rather than confidentiality or integrity.

🛡️ Mitigation

Recommended defenses include disabling Telnet and changing factory-default credentials on all IoT devices, applying the patch for CVE-2014-6271, and deploying network-based detection rules (e.g., a Suricata signature for outbound HTTP POST requests carrying a “cmd=attack” payload). Organizations should also monitor for anomalous login attempts on ports 23/2323 and restrict outbound connections from IoT devices to known legitimate servers (an egress allowlist).
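As an added defender-side example (not code from the page, from Radware, or from any vendor report), the following Python script turns the indicators in the Detection Indicators section and the monitoring advice above into checks that run over constructed sample data: host triage for the /etc/init.d/shishiga script and a crontab entry that relaunches it, matching of outbound HTTP POST requests on ports 80/8080 whose body carries cmd=attack, flagging of the desktop-browser User-Agent only when it originates from a router, and a threshold on repeated connections to ports 23/2323. The proxy-log and flow-log layouts, every IP address, the sample lines and the threshold are assumptions made for the example.

```python
"""Defender-side triage for the Shishiga indicators listed on this page.

Added example (not code from the page or from any vendor report). The log
layouts and every sample line below are constructed for the example.
"""
import re
from collections import Counter

# Indicators quoted in the page text
PERSISTENCE_SCRIPT = "/etc/init.d/shishiga"
C2_PAYLOAD_MARKER = "cmd=attack"
C2_PORTS = {80, 8080}
TELNET_PORTS = {23, 2323}
SUSPICIOUS_UA = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
)

# Assumed proxy-log layout (constructed for this example):
#   <src_ip> <dst_ip>:<dst_port> <METHOD> <path> "<user-agent>" [<body>]
PROXY_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+) '
    r'"(?P<ua>[^"]*)"(?: (?P<body>.*))?$'
)


def check_http_line(line, router_ips):
    """Return the indicator names matched by one outbound HTTP log line."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    hits = []
    body = m.group("body") or ""
    # Page indicator: outbound POST to a C2 port carrying "cmd=attack..."
    if (m.group("method") == "POST" and int(m.group("port")) in C2_PORTS
            and C2_PAYLOAD_MARKER in body):
        hits.append("c2_attack_command")
    # Page indicator: a desktop-browser User-Agent coming from a router
    if m.group("ua") == SUSPICIOUS_UA and m.group("src") in router_ips:
        hits.append("desktop_ua_from_router")
    return hits


def scan_http_log(lines, router_ips):
    """Map each source IP to the set of indicators it triggered."""
    findings = {}
    for line in lines:
        hits = check_http_line(line, router_ips)
        if hits:
            findings.setdefault(line.split()[0], set()).update(hits)
    return findings


def check_host_persistence(existing_paths, crontab_lines):
    """Host triage: the init script and any crontab entry that relaunches it."""
    hits = []
    if PERSISTENCE_SCRIPT in existing_paths:
        hits.append("init_script_present")
    active = (l for l in crontab_lines if not l.lstrip().startswith("#"))
    if any(PERSISTENCE_SCRIPT in l for l in active):
        hits.append("crontab_reinit_entry")
    return hits


def telnet_scanners(flow_lines, threshold=5):
    """Sources that reach Telnet ports at least `threshold` times.

    Assumed flow-log layout (constructed): <src_ip> <dst_ip> <dst_port>
    """
    counts = Counter()
    for line in flow_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2].isdigit() and int(parts[2]) in TELNET_PORTS:
            counts[parts[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample data: 10.0.0.7 plays an infected router, 10.0.0.12 a workstation
SAMPLE_HTTP_LOG = [
    '10.0.0.7 203.0.113.9:8080 POST /gate.php "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0)" '
    'cmd=attack&type=udp&target=198.51.100.4',
    '10.0.0.7 198.51.100.20:80 GET / "' + SUSPICIOUS_UA + '"',
    '10.0.0.12 198.51.100.20:80 GET /index.html "' + SUSPICIOUS_UA + '"',
    '10.0.0.12 198.51.100.21:80 POST /api "curl/7.64.1" cmd=status',
]
SAMPLE_FLOW_LOG = [
    "10.0.0.7 192.0.2.1 23", "10.0.0.7 192.0.2.2 23", "10.0.0.7 192.0.2.3 2323",
    "10.0.0.7 192.0.2.4 23", "10.0.0.7 192.0.2.5 2323",
    "10.0.0.12 192.0.2.6 23", "10.0.0.12 192.0.2.7 443",
]
SAMPLE_PATHS = {"/etc/init.d/ssh", "/etc/init.d/shishiga"}
SAMPLE_CRONTAB = ["# m h dom mon dow command", "@reboot /etc/init.d/shishiga start"]

if __name__ == "__main__":
    print("network:", scan_http_log(SAMPLE_HTTP_LOG, router_ips={"10.0.0.7"}))
    print("host:", check_host_persistence(SAMPLE_PATHS, SAMPLE_CRONTAB))
    print("telnet scanners:", telnet_scanners(SAMPLE_FLOW_LOG))
```

The User-Agent check is deliberately tied to a list of known router addresses: the same string is unremarkable from a workstation, so matching it everywhere would only produce noise. The same applies to the Telnet threshold, which should be tuned to what the monitored segment normally produces.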


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.