Shellshock Continues to Make Waves with Active IRC Bot
Given the severity of the Bash bug vulnerability, also known as Shellshock, it is no wonder that we’re seeing more attacks leveraging this. Just hours after this vulnerability was reported, malware payload such as ELF_BASHLITE.A emerged in the threat landscape. Other payload like PERL_SHELLBOT.WZ and ELF_BASHLET.A were also spotted in the wild, which have capabilities to execute commands, thus compromising the system or server. Apart from these malware payloads, DDoS attacks against known institutions were reported. During the course of our investigation, we spotted exploit attempts in Brazil, which test if the target server is vulnerable. This means that attackers behind such attempts are probably gathering intelligence and once they get the information they need, they can possibly launch succeeding attacks, and consequently, infiltrating their target network.
Our researchers are continuously monitoring possible attacks that may employ Shellshock. In the course of our investigation, we spotted an active IRC bot (Internet relay chat) that leveraged Bash bug vulnerability. Trend Micro detects this bot as PERL_SHELLBOT.CE. Infected systems will connect to an IRC server, us[dot]bot[dot]nu via port 5190 and join the IRC channel, #bash. After which, it will wait for commands from a remote attacker. We analyzed the code and found out that it has the capability to launch the following commands:
- Irc Booting/Disconnecting through CTCP, Message, Notice Flooding
- Download Arbitrary File
- Connect to Server (IP:Port)
- Scan opened ports (<ip>)
- Send E-mails (<subject>, <sender>, <recipient> <message>
- Ping IP (<ip>,<port>
- Resolve DNS <ip/host>
- Check Bot Configuration
Figure 1. PERL_SHELLBOT.CE infection diagram
So far, we have witnessed this bot launched the command to change channel. This is probably done as a form of evasive technique to prevent being taken down. As of posting, we have seen around 400 plus active bots, which join the IRC channel. We found that most of those who accessed the IRC server are located mostly in US, Japan, Canada, and Australia.
The threats and attack attempts, and now the emergence of a live IRC bot clearly shows the severity of such vulnerability and its real world impact to users and enterprises. We will remain vigilant and be on the lookout for other attacks and threats. Stay tune as we update this blog for any new developments.
For more information on Bash bug vulnerability, read our previous articles:
- Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil
- Shellshock Vulnerability Used in Botnet Attacks
- Shellshock – How Bad Can It Get?
- Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
- Bash Vulnerability Leads to Shellshock: What it is, How it Affects You
With additional analysis from Alvin Bacani, Karla Agregado, and Mark Manahan.