September 30, 2014

Malware in the Wild Abusing "Shellshock" Vulnerability

Carl Leonard Principal Security Analyst

Since the Shellshock vulnerability became public knowledge, our ThreatSeeker® Intelligence Cloud has seen evidence of this vulnerability being exploited in the wild to drop malware.

We shall illustrate one such example below:

Backdoors and Bot Nets

The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers previously known to Websense Security Labs™. The malware has the following capabilities:

  • A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
  • A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.

The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen 4 variants of the Linux backdoor and several versions of the Perl-based IRC bot.

Popularity Since Vulnerability Disclosure

The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):


Figure 1: chart showing increase in prevalence of C&C associated with the above malware, peaking around September 25, 2014.

Infrastructure Re-Use

We have seen C&C traffic to these IPs in the last 2 months, showing that they have been used for malicious and bot network campaigns prior to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as "vSkimmer." More recently, we have observed it serving up an IRC bot.

The spike that we saw on September 25, 2014, ties in with the usage of these servers as command & control points for malware dropped in the exploitation of the Shellshock vulnerability. We have deduced that these are likely compromised servers, since we do see the infrastructure hosting legitimate websites. Cyber-criminals typically prefer compromised servers in order to piggyback on the reputation of those known hosts and to enhance their ability to remain anonymous.

Websense customers are protected from the malware described above by ACE, our Advanced Classification Engine, at the following stages:

  • Stage 5 (Dropper File) - ACE has detection for the malware files associated with this campaign.
  • Stage 6 (Backchannel Traffic) - ACE has detection for the command & control communication, preventing the malware from functioning correctly.

Additional Abuse of Shellshock Expected

Since the intial disclosure of CVE-2014-6271, we seen another 5 vulnerabilities identified in Bash. These have been assigned identifiers:






Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, additional vulnerabilities are likely to surface. We strongly recommend that you monitor such issues and apply mitigation accordingly.

We have updated our ThreatSeeker Intelligence Cloud to seek out likely candidates across the kill chain.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.