Shellshock Vulnerability Used in Botnet Attacks

One of the implications of the Bash Bug vulnerability, also referred to as Shellshock, is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. Indeed, there are already reports of botnet attacks against certain institutions that employed the vulnerability. A botnet is a network of infected computers/systems.

Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) launches the following commands:

  • kill
  • udp
  • syn
  • tcpamp
  • dildos
  • http
  • mineloris

In addition, it connects to the C&C server 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C server used by ELF_BASHLITE.A, the malware we initially saw as the payload of the Bash exploit. The related hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.

Earlier, we spotted several malware payloads delivered by exploit code for the Bash vulnerability, which Trend Micro detects as:

Users are protected from this threat via Trend Micro's Smart Protection Network, which detects the malware and blocks all related malicious URLs. For the Bash bug vulnerability, Trend Micro protects via the following solutions:

  • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
  • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
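As an added illustration (not Trend Micro's code and not the rules listed above), the following Python hunt script flags the two things this post describes: HTTP requests whose headers carry the Shellshock function-definition prefix that a CGI handler would export into Bash's environment, and internal hosts that contacted the C&C IP named above. The log formats, header fields and sample entries are constructed for the example.

```python
import re
from typing import Dict, List

# C&C from the post (written defanged there as 89[DOT]238[DOT]150[DOT]154);
# reassembled here only so it can be matched against connection logs.
BASHLITE_C2 = "89.238.150.154"

# Shellshock abuses Bash importing functions from environment variables: a
# value beginning with "() {" is parsed as a function definition, and anything
# after the closing brace is executed. Web servers copy request headers into
# the CGI environment, so a header value with that prefix is a probe.
# The regex tolerates the whitespace variants seen in the wild ("(){", "() {").
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")

# Constructed combined-log format: Referer and User-Agent are the last two
# quoted fields, which is where scanners commonly place the payload.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_shellshock_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line whose Referer or User-Agent
    contains the Shellshock function-definition prefix."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the hunt
        for field in ("referer", "ua"):
            if SHELLSHOCK_PREFIX.search(m.group(field)):
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "field": field, "value": m.group(field)})
                break
    return hits

def find_c2_contacts(conn_lines: List[str], c2: str = BASHLITE_C2) -> List[str]:
    """Return sorted internal hosts seen talking to the C&C in a constructed
    'src dst dport' connection log."""
    hosts = {p[0] for p in (l.split() for l in conn_lines) if len(p) >= 2 and p[1] == c2}
    return sorted(hosts)

# Constructed sample data (documentation-range addresses, not real traffic).
SAMPLE_ACCESS = [
    '203.0.113.5 - - [26/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [26/Sep/2014:10:02:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2014:10:03:01 +0000] "GET /cgi-bin/test HTTP/1.1" 404 0 "(){ :; }; echo vulnerable" "curl/7.37"',
]
SAMPLE_CONN = ["10.0.0.12 89.238.150.154 80", "10.0.0.13 93.184.216.34 443", "10.0.0.12 89.238.150.154 80"]

if __name__ == "__main__":
    for hit in find_shellshock_requests(SAMPLE_ACCESS):
        print(f"shellshock probe from {hit['src']} at {hit['ts']} in {hit['field']}: {hit['value']!r}")
    print("hosts contacting C&C:", find_c2_contacts(SAMPLE_CONN))
```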

For more information on the Bash bug vulnerability, you can refer to the following blog entries:

Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug” for details on the vulnerability and the risks it posed to users and organizations.

We’ll continuously update this blog entry for new findings.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 26 September 2014; the full text is available from the original source, the Trendlabs Security Intelligence Blog.