Bash Bug Vulnerability Used in Botnet Attacks

One of the implications of the Bash Bug vulnerability also referred to as Shellshock is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. True enough, there are reports already mentioning that there are botnet attacks against certain institutions which employed the vulnerability. A botnet is a network of infected computers/systems.

Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) launches the following commands:

kill
udp
syn
tcpamp
dildos
http
mineloris

In addition, it connects to the C&C server, 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C that ELF_BASHLITE.A, which is one of the payloads of the exploit code that it connects to.The related hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.

Earlier, we spotted several malware payload of the exploit code of bash vulnerability, which Trend Micro detects as:

User systems are protected from this threat via its Smart Protection Network that detects the malware and blocks all-related malicious URLs. For the Bash bug vulnerability, Trend Micro protects via the following solutions:

Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability

For more information on the Bash bug vulnerability, you can refer to the following blog entries:

Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug” for details on the vulnerability and the risks it posed to users and organizations.

We’ll continuously update this blog entry for new findings.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Bash Bug Vulnerability Used in Botnet Attacks