Malware in the Wild Abusing "Shellshock" Vulnerability
Since the Shellshock vulnerability became public knowledge, our ThreatSeeker® Intelligence Cloud has seen evidence of this vulnerability being exploited in the wild to drop malware.
We shall illustrate one such example below:
Backdoors and Bot Nets
The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers previously known to Websense Security Labs™. The malware has the following capabilities:
- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen 4 variants of the Linux backdoor and several versions of the Perl-based IRC bot.
Popularity Since Vulnerability Disclosure
The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
208[.]118[.]61[.]44
27[.]19[.]159[.]224
89[.]238[.]150[.]154
212[.]227[.]251[.]139
Figure 1: chart showing increase in prevalence of C&C associated with the above malware, peaking around September 25, 2014.
Infrastructure Re-Use
We have seen C&C traffic to these IPs in the last 2 months, showing that they have been used for malicious and bot network campaigns prior to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as "vSkimmer." More recently, we have observed it serving up an IRC bot.
The spike that we saw on September 25, 2014, ties in with the usage of these servers as command & control points for malware dropped in the exploitation of the Shellshock vulnerability. We have deduced that these are likely compromised servers, since we do see the infrastructure hosting legitimate websites. Cyber-criminals typically prefer compromised servers in order to piggyback on the reputation of those known hosts and to enhance their ability to remain anonymous.
Websense customers are protected from the malware described above by ACE, our Advanced Classification Engine, at the following stages:
- Stage 5 (Dropper File) - ACE has detection for the malware files associated with this campaign.
- Stage 6 (Backchannel Traffic) - ACE has detection for the command & control communication, preventing the malware from functioning correctly.
Additional Abuse of Shellshock Expected
Since the intial disclosure of CVE-2014-6271, we seen another 5 vulnerabilities identified in Bash. These have been assigned identifiers:
Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, additional vulnerabilities are likely to surface. We strongly recommend that you monitor such issues and apply mitigation accordingly.
We have updated our ThreatSeeker Intelligence Cloud to seek out likely candidates across the kill chain.
