A new Shellshock attack targeting SMTP servers was discovered by Trend Micro. Attackers used email to deliver the exploit. If the exploit code is executed successfully on a vulnerable SMTP server, an IRC bot known as “JST Perl IrcBot” will be downloaded and executed. It will then delete itself after execution, most likely as a way to go under the radar and remain undetected.
The diagram below illustrates the attack cycle.
Figure 1. Diagram of the SMTP attack
- The attacker creates a custom email with Shellshock malicious code inserted in the Subject, From, Toand CC fields.
- The attacker then sends this email to any potential vulnerable SMTP server.
- When a vulnerable SMTP mail server receives this malicious email, the embedded Shellshock payload will be executed and an IRC bot will be downloaded and executed. A connection to IRC server will also be established.
- Attackers can then perform different routines with the mail server, such as launching a spam run.
Possible Vulnerable Mail Servers
We listed down various environments with possible vulnerable mail servers.
- qmail Message Transfer Agent (MTA)
.qmail is a Unix-based configuration file that controls the delivery of email messages and is responsible for launching Bash shell commands for execution. It is possible to configure this to launch a program and once it calls Bash, the attack is successful. (The attack requires that a .qmail file exists for the valid recipient on the qmail MTA and that the .qmail file contains any delivery program.) - exim MTA with versions earlier than Version 4
Starting with Version 4 of exim, the pipe_transport does not call a Shell for variable expansion and command line assemble. - Postfix using procmail: the Postfix MTA invokes procmail, which is a Mail Delivery Agent (MDA). An MDA is used to sort and filter incoming mail.
Postfix has no obvious Shellshock vulnerability. However, procmail (a type of message delivery agent) itself could use an environmental variable to pass message headers to subsequent deliver/filter programs, resulting in the vulnerability in Shellshock attacks.
Note: Debian/Ubuntu Postfix distribution default sets procmail at its mailbox_command configuration inmain.cf. This means the Debian/Ubuntu Postfix distribution are vulnerable to Shellshock attacks.
Analysis of the Attack
According to our analysis, the malicious email crafted by the attacker will connect to the following URLs and download IRC bots if the malicious script embedded in the emails were successfully executed by a vulnerable SMTP server:
- hxxp://{BLOCKED}.{BLOCKED}.31.165/ex.txt
- hxxp://{BLOCKED}.{BLOCKED}.251.41/legend.txt
- hxxp://{BLOCKED}.{BLOCKED}.175.145/ex.sh
All IRC bots discovered so far are written by Perl. The files ex.txt and ex.sh are the same file but with different names.
Figure 2. Source code downloaded by “JST Perl IrcBot”
“JST Perl IrcBot” connects to a command-and-control (C&C) IRC server through Ports 6667, 3232, and 9999. The bot performs the following routines, compromising the security of the affected system:
- Download file(s) from URLs
- Send mail
- Scan ports
- Perform distributed denial-of-service (DDoS) attacks
- Run Unix command
This SMTP server attack has been seen in countries such as Taiwan, Germany, the U.S., and Canada.
Figure 3. Top countries which visited the site hosting the malware
The IRC bot discovered in this STMP attack will connect back to following IRC servers where it waits for commands from the bot master or attacker:
- 62[.]193[.]210[.]216
- d[.]hpb[.]bg
There are at least 44 variants of IRC Perl bots detected by Trend Micro. The related hashes for this attack are:
- SHA1: 23b042299a2902ddf830dfc03920b172a74d3956 (PERL_SHELLBOT.SMA)
- SHA1: 8906df7f549b21e2d71a46b5eccdfb876ada835b (PERL_SHELLBOT.SM)
Conclusion
This SMTP attack highlights yet another platform for attackers to exploit the Shellshock vulnerability to launch IRC bots.
We recommend IT administrators to block all related IPs and domains related to this attack. Although, the victim countries and impact are limited as of posting, we are continuously monitoring this threat for any new development. Trend Micro can detect all discovered IRC bots related to this attack so all our customers are well protected. Trend Micro Deep Security prevents this kind of attack on SMTP servers via the following rule, which was released since September 30:
- 1006259 – GNU Bash Remote Code Execution Vulnerability Over SMTP
For more information on Shellshock vulnerability, you can read our Summary of Shellshock-Related Stories and Materials.
Users can also get free protection from Shellshock via these tools.