Shellshock Continues to Make Waves with Active IRC Bot

Given the severity of the Bash bug vulnerability, also known as Shellshock, it is no wonder that we’re seeing more attacks leveraging this.  Just hours after this vulnerability was reported, malware payload such as ELF_BASHLITE.A emerged in the threat landscape. Other payload like PERL_SHELLBOT.WZ and ELF_BASHLET.A were also spotted in the wild, which have capabilities to execute commands, thus compromising the system or server.  Apart from these malware payloads, DDoS attacks against known institutions were reported.  During the course of our investigation, we spotted exploit attempts in Brazil, which test if the target server is vulnerable.  This means that attackers behind such attempts are probably gathering intelligence and once they get the information they need, they can possibly launch succeeding attacks, and consequently, infiltrating their target network.

Our researchers are continuously monitoring possible attacks that may employ Shellshock.  In the course of our investigation, we spotted an active IRC bot (Internet relay chat) that leveraged Bash bug vulnerability. Trend Micro detects this bot as PERL_SHELLBOT.CE. Infected systems will connect to an IRC server, us[dot]bot[dot]nu via port 5190 and join the IRC channel, #bash.  After which, it will wait for commands from a remote attacker.  We analyzed the code and found out that it has the capability to launch the following commands:

  • DDoS
    1. UDP
    2. TCP
    3. Http
  • Irc Booting/Disconnecting through CTCP, Message, Notice Flooding
  • Download Arbitrary File
  • Connect to Server (IP:Port)
  • Scan opened ports (<ip>)
  • Send E-mails (<subject>, <sender>, <recipient> <message>
  • Ping IP (<ip>,<port>
  • Resolve DNS <ip/host>
  • Check Bot Configuration



Figure 1. PERL_SHELLBOT.CE infection diagram

So far, we have witnessed this bot launched the command to change channel. This is probably done as a form of evasive technique to prevent being taken down. As of posting, we have seen around 400 plus active bots, which join the IRC channel. We found that most of those who accessed the IRC server are located mostly in US, Japan, Canada, and Australia.

The threats and attack attempts, and now the emergence of a live IRC bot clearly shows the severity of such vulnerability and its real world impact to users and enterprises. We will remain vigilant and be on the lookout for other attacks and threats. Stay tune as we update this blog for any new developments.

For more information on Bash bug vulnerability, read our previous articles:

With additional analysis from Alvin Bacani, Karla Agregado, and Mark Manahan. 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Shellshock Continues to Make Waves with Active IRC Bot

Read more: Shellshock Continues to Make Waves with Active IRC Bot

Story added 27. September 2014, content source with full text you can find at link above.