In information security, 2014 will undoubtedly remain infamous for at least two vulnerabilities that affected the vast majority of the Internet's infrastructure and users: Heartbleed and Shellshock. Most system administrators scrambled to apply patches as soon as possible, yet a year after Heartbleed was revealed, and about seven months after Shellshock, a large number of systems unfortunately remain vulnerable. Websense® Security Labs™ has discovered, via one of our honeypots, that a simple yet aggressive worm in the wild exploits the Shellshock vulnerability for reconnaissance purposes. It seems that the attackers are currently only mapping vulnerable servers, which might be a precursor to a larger and more destructive attack effort. Reconnaissance is the first step in the attack kill chain, and if attacks are stopped at this stage, the potential damage is eliminated.
Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at Stage 5 (Dropper Files). ACE has detection for the files associated with this attack.
[Figure: a failed exploit attempt by the worm]
The worm leverages the Shellshock vulnerability to gain access to the system. If the exploit succeeds, it downloads and executes a shell script, which in turn downloads and unpacks a tarball (.tar) containing the worm itself. The worm is then launched.
[Figure: the shell script that is executed if the exploit succeeds]
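The honeypot caught the worm at the first step of the chain described above: an HTTP request carrying a Bash function definition in a header. A defender's starting point is therefore the web server's access log. The following Python script is an added example, not code from the original post or from Websense: it parses combined-format access log lines, flags any request whose User-Agent, Referer or request line starts a value with the "() {" sequence that vulnerable Bash versions interpreted as a function definition, and counts attempts per source address so a reconnaissance sweep stands out. The log lines, addresses (documentation ranges) and timestamps are constructed for the example; the field names and the `Alert` class are assumptions of this script.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in Apache/nginx "combined" log format. They are not
# real honeypot data; the source addresses come from the documentation ranges.
# The first and third lines carry the marker in the User-Agent, the fourth in
# the Referer; the fifth line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2015:03:14:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.4 - - [10/Apr/2015:03:14:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Apr/2015:03:14:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "() { :;}; /bin/true"
198.51.100.9 - - [10/Apr/2015:03:15:02 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; /bin/true" "curl/7.38.0"
this line is not in combined log format
"""

# Vulnerable Bash only treated an imported variable as a function definition
# when its value began with "() {". Allowing optional whitespace between the
# parentheses and the brace tolerates lightly mangled or re-encoded log data.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# One combined-format record: client ip, identd, user, timestamp, request line,
# status, response size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    source_ip: str
    field: str      # which part of the request carried the marker
    status: int     # HTTP status the server answered with
    request: str    # the request line, to see which CGI path was probed


def parse_line(line: str):
    """Return the record fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str) -> list[Alert]:
    """Flag every record whose request line, Referer or User-Agent carries the marker."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_MARKER.search(rec[field]):
                # The status code is not a success indicator: a 404 means no handler
                # existed at that path, while a 200 or 500 only shows that some CGI
                # handler ran and the host deserves a closer look.
                alerts.append(Alert(rec["ip"], field, int(rec["status"]), rec["request"]))
                break
    return alerts


def attempts_by_source(alerts: list[Alert]) -> Counter:
    """Count attempts per source address; a scanner sweeping CGI paths shows up as a spike."""
    return Counter(a.source_ip for a in alerts)


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG)
    for a in found:
        print(f"{a.source_ip:15} {a.field:8} {a.status} {a.request}")
    for ip, n in attempts_by_source(found).most_common():
        print(f"{ip}: {n} attempt(s)")
```

Only the User-Agent, Referer and request line are present in a combined-format log; a probe that puts the marker in another header (Cookie, for instance) will not appear in this log at all, so full coverage needs a web application firewall, an IDS signature or a custom log format that records the relevant headers.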
The worm has both 32-bit and 64-bit versions, and the attackers use the Romanian language in several places throughout the binary, indicating that the malware might be of Romanian origin. It was designed to request a list of IPs from its hard-coded command and control (C&C) server, so that it can attempt to exploit the Shellshock vulnerability on those hosts as well.
[Figure: the worm's main shell script, dubbed "config", which is responsible for getting the list of IPs, starting the scanner, and then calling another script to relay the output back to the C&C server]
The underlying goal of the worm seems to be reconnaissance of a large number of IPs that might be vulnerable to Shellshock. Furthermore, once the attackers have access to these systems via Shellshock (assuming that system administrators don't patch their systems in the interim), they might decide, at any time, to launch further attacks. The attackers could use these hosts for any number of malicious activities, including but not limited to DDoS attacks, hosting malicious code on a website, stealing PII and credentials, or using the host as a C&C server for various attacks.
This worm is a very simple piece of malware, possibly developed by amateurs. However, it is worth noting that it still succeeds even seven months after the announcement of the Shellshock vulnerability. Is it aggressively infecting a large number of hosts simply because they are still vulnerable to Shellshock? Attackers have time and again used older vulnerabilities to exploit systems, and this is clearly a case in point. If people do not patch their systems and keep them up to date, attackers don't need advanced zero-days to compromise them. If you haven't patched already, the time is now. Better late than never.