Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
Just several hours after news of the bash vulnerability (covered under CVE-2014-7169) broke, it was reportedly being exploited in the wild already. This vulnerability allows execution of arbitrary code, compromising the security of affected systems. Possible attack scenarios range from changing the contents of web server and website code, to defacing the website, to stealing user data from databases, among others.
We spotted samples that are the payload of the actual exploit code. Detected as ELF_BASHLITE.A (also known as ELF_FLOODER.W), this malware is capable of launching distributed denial-of-service (DDoS) attacks. Some of the related commands it executes are:
- HOLD – pause or delay attack for specified duration
- JUNK – junk flooding
- UDP – DDoS using UDP packets
- TCP – DDoS using TCP packets
- KILLATTK – terminate attack thread
- LOLNOGTFO – terminate bot
It also has the capability to perform brute-force logins, enabling attackers to possibly obtain login usernames and passwords. Based on our analysis, ELF_BASHLITE.A also connects to the C&C server 89[dot]238[dot]150[dot]154[colon]5.
Figure 1. Threat infection diagram
Below is a screenshot of the code showing how the malware arrives on the system:
As discussed in our earlier blog post, the severity of this vulnerability is serious given that web servers are the most affected. The vulnerability also poses risks to Internet of Everything/Internet of Things devices that have Linux (and Bash) on them. It was also reported that it affects Bitcoin/Bitcoin mining, so attackers may potentially create armies of bots via this.
The Trend Micro Smart Protection Network protects users from the BASHLITE variant mentioned above. We will continuously monitor for any other exploits abusing this vulnerability.
Attempts to exploit the Shellshock vulnerability on the network can be detected via the following Deep Discovery rule:
- 1618 – Shellshock HTTP REQUEST
Other Trend Micro products (Trend Micro OSCE, IWSVA and Titanium) detect this as CVE-2014-6271-SHELLSHOCK_REQUEST.
In addition, Trend Micro Deep Security protects users from this bash vulnerability via the following DPI rule:
- 1006256 – GNU Bash Remote Code Execution Vulnerability
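The network rules above look for the Shellshock marker in HTTP requests. As an added illustration (not Trend Micro's rule logic or code), the following Python script scans Apache/nginx combined-format access log lines for the same marker, a Bash function definition of the form `() { ... };` placed in a header that a CGI server exports to the environment, and separately flags connection records to the C&C address named in this post. The access-log lines and connection records are constructed samples, and the `/cgi-bin/status` path and the three-column connection-record layout are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format: client IP, identity, user, timestamp,
# request line, status, bytes, Referer, User-Agent.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: an exported Bash function definition, "() {" with a body,
# closed by "};" and followed by whatever the attacker appends. Whitespace
# varies between probes, so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Request fields that a CGI handler copies into environment variables
# (HTTP_USER_AGENT, HTTP_REFERER, and the request URI/query), which is how the
# string reaches Bash.
INSPECTED_FIELDS = ("ua", "referer", "req")

# C&C server named in the post (89[dot]238[dot]150[dot]154[colon]5), un-defanged
# here so it can be compared against connection records.
C2_INDICATOR = ("89.238.150.154", 5)

# Constructed sample access-log lines (not captured traffic). The second line
# carries the marker in the User-Agent, the third in the Referer; both are
# followed by a harmless placeholder command. The /cgi-bin/status path is assumed.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo placeholder"',
    '203.0.113.9 - - [25/Sep/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "() {:;}; /bin/echo placeholder" "curl/7.30.0"',
    "garbage line that does not parse",
]

# Constructed connection records "src_ip dst_ip dst_port" (assumed firewall export layout).
SAMPLE_CONNECTIONS = [
    "10.0.0.7 93.184.216.34 443",
    "10.0.0.7 89.238.150.154 5",
    "10.0.0.8 89.238.150.154 80",
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line whose inspected fields contain the Shellshock marker."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the scan
        for field in INSPECTED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "field": field, "value": rec[field]})
                break  # one finding per line is enough
    return findings


def find_c2_connections(records: List[str]) -> List[str]:
    """Return source IPs that connected to the C&C address and port named in the post."""
    hits = []
    for rec in records:
        parts = rec.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # not a "src dst port" record
        src, dst, port = parts
        if (dst, int(port)) == C2_INDICATOR:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_ACCESS_LOG):
        print(f"Shellshock marker from {f['ip']} at {f['ts']} in {f['field']}: {f['value']}")
    for src in find_c2_connections(SAMPLE_CONNECTIONS):
        print(f"host {src} contacted known BASHLITE C&C {C2_INDICATOR[0]}:{C2_INDICATOR[1]}")
```

The access-log check only sees what the web server logged, so a marker sent in a header the server does not log (a custom header, for instance) will be missed; the network rule listed above, which inspects the full request, does not have that gap. Matching the C&C port as well as the address keeps unrelated traffic to the same host from being flagged.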
Users who want to check whether they are affected should see our free protection for Shellshock.
The related hash for this attack is 0229e6fa359bce01954651df2cdbddcdf3e24776.
With additional analysis from Rhena Inocencio, Karla Agregado, Kim Sotalbo, Joie Salvio, and Erwina Dungca.