Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil

We have another update regarding Shellshock vulnerability. In a previous blog entry, we mentioned about a DDoS attack against institutions, which depicted the gravity of the vulnerability’s real world impact.

Based on our analysis, the backdoor that was used in this DDoS attack is somewhat related to the previous Shellshock exploits we have seen so far. It appears that the various payloads (PERL_SHELLBOT.WZ,ELF_BASHLITE.A, ELF_BASHLET.A) in the exploit code of the Shellshock vulnerability connect to several, yet common C&C servers. Analyzing these servers, we managed to uncover yet more details on just how far-reaching this particular vulnerability is.

For those  only joining the fray just now, Shellshock is a vulnerability in the Bash shell, a user interface that allows users to access an operating system’s services through typewritten commands. In the wrong hands, an attacker can use Shellshock to run malicious scripts in online systems and servers – compromising anything and everything in and connected to those elements. And make no mistake, this particular vulnerability has a lot of potential for widespread damage, as it’s seen to affect systems operating on Linux, BSD, and Mac OS X.

Analyzing one of the C&C servers involved, 89[dot]238[dot]150[dot]154[colon]5  – which we’d found to be related to ELF_BASHLITE.SM and ELF_BASHLITE.A — we discovered that it is also used by ELF_BASHWOOP.A, yet another malware we discovered to be involved in the attacks. ELF_BASHWOOP.A is the backdoor being used in botnet attacks against known institutions.  The only difference is the port it connects to – as ELF_BASHWOOP.A connects to port 9003, while ELF_BASHLITE.SM connects to port 5. Based on our findings, this particular C&C server is situated in Great Britain.

Another C&C server we analyzed, 162[dot]253[dot]66[dot]76[colon]53 , is used by both ELF_BASHLITE.A and ELF_BASHLITE.SM. Our findings confirm that this C&C server is located in the United States.

Below is the list of countries that accessed these C&C servers:

Fig 1 & 2. Map and Table of C&C Servers

It’s to note that the commands that these malware can execute pertain to the control and termination of botnets, as well as executing distributed denial of service (DDoS attacks).  We also found that they could flood IRC users with long messages on command, which could result in them being disconnected. Some examples of these commands include UDP and TCP flooding, terminating attack threads and botnets, and so on.

It should be stressed that the Shellshock vulnerability does not only affect servers and computers. We’ve been doing some testing on our own, and we confirm the following to be vulnerable to Shellshock:

• Linux-based devices
• Mac OS X devices
• iPhone

We must issue a caveat here, however. While we confirm the latter two to be vulnerable, it’s only Linux-based devices that can be attacked remotely – Mac OS X devices and the iPhone can only be attacked at a local level, i.e. with the attacker having physical access to the device itself. Apple’s statement about this matter, where it declares that OS X users are safe from Shellshock if they have not configured their devices for advanced UNIX services, still hold true.

Shellshock exploit attempts in Brazil

We have also begun to spot Shellshock exploit attempts in Brazil, which seems to be targeting official institutions.  Trend Micro Deep Discovery, however, is able to detect the intrusion:

Fig 3. Trend Micro Deep Discovery discovering Shellshock attempt in Brazil

It does not seem to have any real payload or doing any real damage, however, only taking what appears to be information about the systems it’s trying to infiltrate – but in the world of cybercrime and cyber attacks, that may change soon enough. We believe that the information-gathering could be a sign of preparation for a bigger, much more damaging attack.

Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

Readers of the Security Intelligence Blog can rest assured that we will continue to cover this threat and provide timely updates as we get them.

For more information regarding Shellshock, you can check out our previous articles on this topic:

• Shellshock Vulnerability Used in Botnet Attacks
• Shellshock – How Bad Can It Get?
• Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
• Bash Vulnerability Leads to Shellshock: What it is, How it Affects You

Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of just what Shellshock actually is, and why it’s such a big deal.