    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    We have another update regarding the Shellshock vulnerability. In a previous blog entry, we described a DDoS attack against institutions that showed the gravity of the vulnerability's real-world impact.

    Based on our analysis, the backdoor used in this DDoS attack is related to the previous Shellshock exploits we have seen. The various payloads delivered by Shellshock exploit code (PERL_SHELLBOT.WZ, ELF_BASHLITE.A, ELF_BASHLET.A) connect to a small set of shared C&C servers. Analyzing these servers, we managed to uncover more details on just how far-reaching this particular vulnerability is.

    For those joining the fray just now, Shellshock is a vulnerability in the Bash shell, the command-line interpreter through which users and scripts run an operating system's commands. Before the fix, Bash imported any environment variable whose value started with a function definition and kept executing whatever followed the function body, so any service that passes attacker-supplied data to Bash through the environment can be made to run arbitrary commands. In the wrong hands, an attacker can use Shellshock to run malicious scripts on online systems and servers, compromising those systems and anything connected to them. And make no mistake, this vulnerability has a lot of potential for widespread damage, as it affects systems running Linux, BSD, and Mac OS X.
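    As an added example (not code from the original post), the following POSIX sh script reproduces the Shellshock trigger against whatever bash is on the PATH and reports whether that bash is affected, and also checks whether /bin/sh itself is Bash, which decides whether "#!/bin/sh" scripts such as CGI handlers are exposed. The probe sentinel, the function names and the labels vulnerable/patched/no-bash are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: probe the bash on PATH for the
# Shellshock parser bug (CVE-2014-6271) and report whether /bin/sh is bash.
# Written in POSIX sh so it runs from dash, ash or bash alike.

# A vulnerable bash imported every environment variable whose value began
# with "() {" as a function definition and went on executing whatever
# followed the closing brace. The started program never has to read the
# variable; the damage is done while bash initialises. The sentinel word
# SHELLSHOCK_TRIGGERED is this example's own marker.
SHELLSHOCK_PROBE='() { :; }; echo SHELLSHOCK_TRIGGERED'

# Prints exactly one word: vulnerable, patched or no-bash.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The variable name does not matter; a vulnerable bash parses all of them.
    # stderr is dropped because a partially patched bash warns there.
    out=$(probe="$SHELLSHOCK_PROBE" bash -c 'echo started' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_TRIGGERED*) echo vulnerable ;;
        *)                      echo patched ;;
    esac
}

# CGI handlers, dhclient-script and cron jobs commonly start with "#!/bin/sh".
# Whether they are exposed depends on what /bin/sh is: dash on Debian-derived
# systems (not affected), bash in POSIX mode on many others (affected).
# Returns 0 when /bin/sh is bash.
bin_sh_is_bash() {
    v=$(/bin/sh -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null)
    [ -n "$v" ]
}

# Three-line summary an administrator can paste into a ticket.
shellshock_report() {
    printf 'bash on PATH:        %s\n' "$(command -v bash || echo none)"
    printf 'CVE-2014-6271 probe: %s\n' "$(shellshock_probe)"
    if bin_sh_is_bash; then sh_kind=bash; else sh_kind=other; fi
    printf '/bin/sh is:          %s\n' "$sh_kind"
}

shellshock_report
```

    On a current system the probe prints "patched" because the started bash ignores the function definition; on an unpatched 2014-era bash the sentinel is echoed before "started". The same probe works on an embedded device over a serial console or SSH session, provided the device actually ships a bash binary.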

    We analyzed one of the C&C servers involved, 89[dot]238[dot]150[dot]154[colon]5, which is related to ELF_BASHLITE.SM and ELF_BASHLITE.A, and found that it is also used by ELF_BASHWOOP.A, another malware family we discovered to be involved in the attacks. ELF_BASHWOOP.A is the backdoor used in the botnet attacks against well-known organizations. The only difference is the port each connects to: ELF_BASHWOOP.A connects to port 9003, while ELF_BASHLITE.SM connects to port 5. Based on our findings, this C&C server is located in Great Britain.

    Another C&C server we analyzed, 162[dot]253[dot]66[dot]76[colon]53, is used by both ELF_BASHLITE.A and ELF_BASHLITE.SM. Our findings confirm that this C&C server is located in the United States.

    Below is the list of countries that accessed these C&C servers (see Figures 1 & 2):

    Figures 1 & 2. Map and Table of C&C Servers

    Note that the commands these malware can execute pertain to controlling and terminating the bots, as well as launching distributed denial-of-service (DDoS) attacks. We also found that they can flood IRC users with long messages on command, which can get the targets disconnected. Command examples include UDP and TCP flooding and terminating attack threads and bots.

    It should be stressed that the Shellshock vulnerability does not only affect servers and computers. Our own testing confirms that the following are vulnerable to Shellshock:

    • Linux-based devices
    • Mac OS X devices
    • iPhone

    We must issue a caveat here, however. While we confirm the latter two to be vulnerable, only Linux-based devices can be attacked remotely; Mac OS X devices and iPhones can only be attacked locally, i.e., when the attacker has physical access to the device itself. Apple's statement about this matter, which declares that OS X users are safe from Shellshock if they have not configured their devices for advanced UNIX services, still holds true.

    Shellshock exploit attempts in Brazil

    We have also begun to spot Shellshock exploit attempts in Brazil, which appear to target government institutions. Trend Micro Deep Discovery is able to detect the intrusion:


    Figure 3. Trend Micro Deep Discovery discovers Shellshock attempt in Brazil

    The attempts do not seem to carry a real payload or do any real damage; instead they collect what appears to be information about the systems they are probing. In the world of cybercrime and cyber attacks, that may change soon enough: we believe the information gathering could be preparation for a bigger, much more damaging attack.

    Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

    Readers of the Security Intelligence Blog can rest assured that we will continue to cover this threat and provide timely updates as we get them.

    For more information regarding Shellshock, you can check out our previous articles:

    Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of just what Shellshock actually is, and why it’s such a big deal.

    Posted in Exploits, Malware, Vulnerabilities

    2:01 pm (UTC-7)

    One implication of the Bash Bug vulnerability, also referred to as Shellshock, is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. Indeed, there are already reports of botnet attacks against certain institutions that employed the vulnerability. (A botnet is a network of infected computers or systems.)

    Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) accepts the following commands:

    • kill
    • udp
    • syn
    • tcpamp
    • dildos
    • http
    • mineloris

    In addition, it connects to the C&C server 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C server used by ELF_BASHLITE.A, the malware we initially saw as the payload of the Bash exploit. The SHA-1 hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.

    Earlier, we spotted several malware payloads delivered by exploit code for the Bash vulnerability, which Trend Micro detects as:

    Users are protected from this threat by the Trend Micro Smart Protection Network, which detects the malware and blocks all related malicious URLs. For the Bash bug vulnerability itself, Trend Micro provides protection via the following solutions:

    • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
    • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability

    For more information on the Bash bug vulnerability, you can refer to the following blog entries:

    Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug” for details on the vulnerability and the risks it posed to users and organizations.

    We’ll continuously update this blog entry for new findings.

    Posted in Exploits, Malware, Vulnerabilities

    1:21 am (UTC-7)

    In the immediate aftermath of the disclosure of the Bash vulnerability known as Shellshock, we have already seen attacks using it to deliver DDoS malware onto Linux systems. Given the severity of this vulnerability, however, it is almost certain that we will see larger and more severe attacks. What are some of the scenarios we could potentially see?


    Web servers are currently at the highest risk of being exploited. CGI scripting is, at this time, the most reliable and best documented way of exploiting this vulnerability: a web server hands request data such as the User-Agent and other headers to a CGI program through environment variables, so a CGI handler written in Bash, or one that calls out to /bin/sh on a system where /bin/sh is Bash, can be attacked with a single crafted request. As our earlier entry noted, we have already seen attacks in the wild that use this method, and we expect to see more of them moving forward.

    The damage to organizations whose web servers are compromised can be significant. A compromised server can also be the attackers' entry point into the organization's network. The attacker can run any set of commands on the affected server with the privileges of the web server process; pairing Shellshock with some other privilege escalation vulnerability would completely compromise the affected server.

    However, web servers are not the only application at risk. SSH may also be exposed: OpenSSH passes the client-supplied command to the user's login shell through the SSH_ORIGINAL_COMMAND environment variable when access is restricted with ForceCommand or an authorized_keys command= option, so an account that is meant to be limited to a single command can break out of that restriction if its shell is Bash. At this time, any Unix/Linux server OS that uses Bash is at risk. By default, most of these use Bash, with some exceptions; for example, FreeBSD's default shell is tcsh. The alternatives to Bash are not believed to be vulnerable.


    The direct risk to end users of Shellshock may be less. Windows systems are not at risk from Shellshock, so users of those systems will not be directly affected by these issues.

    Current data suggests that around 10% of PC users use some form of Linux or Mac OS X. These OSs may be vulnerable to Shellshock, although, even here, exploitation is more difficult. Endpoints typically do not run network services (such as HTTP servers) that an attacker can easily reach, which reduces the risk, and Mac applications have never relied as heavily on shell scripts as Unix/Linux applications do. However, because it represents a remotely accessible channel to Bash, SSH remains a possible infection vector.

    For end users, the biggest concern may well be exploits via rogue DHCP servers running on compromised or attacker-controlled routers and hotspots. The ISC DHCP client used by most Linux distributions applies lease settings through a shell script (dhclient-script), passing each option the server sent as an environment variable; with a vulnerable Bash interpreting that script, a client connecting to a rogue DHCP server can end up running attacker-supplied commands on its system, typically as root. This can most easily be done via malicious open WiFi networks. We advise users to be extra cautious about which WiFi networks they connect to, but this is already part of long-standing best practices. (Mac OS X uses a custom DHCP client that is not affected by this vulnerability.)
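    Both remote vectors discussed on this page, CGI at the web server and dhclient-script on the client, share one shape: an attacker-controlled string is exported into the environment of a shell. The script below, an added example that is not part of the original post, shows the environment-variable names each vector produces and a grep-based filter for the function-definition prologue that network signatures such as the "Shellshock HTTP REQUEST" rule key on. The sample headers and DHCP option values are constructed, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: map request headers and DHCP
# options to the environment variables a shell would inherit, and flag values
# that carry a Bash function-definition prologue. Sample inputs are constructed.

# The exported-function prologue is "(" ")" "{", each separated by optional
# whitespace. Matching the literal "() {" alone misses "(){" and "()  {",
# both of which a vulnerable bash accepted.
SHELLSHOCK_RE='\([[:space:]]*\)[[:space:]]*\{'

# Returns 0 when the string contains the prologue anywhere.
has_shellshock_marker() {
    printf '%s\n' "$1" | grep -E -q -- "$SHELLSHOCK_RE"
}

# CGI (RFC 3875): header "User-Agent" becomes HTTP_USER_AGENT, value unchanged.
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# ISC dhclient: option "domain-name" reaches dhclient-script as new_domain_name.
dhcp_env_name() {
    printf 'new_%s\n' "$1" | tr '-' '_'
}

# Input: a request header block, one "Name: value" per line.
# Output: one "ENV_NAME<TAB>value" line per suspicious header, then a final
# "suspect_headers=N" line.
list_poisoned_cgi_vars() {
    printf '%s\n' "$1" | {
        hits=0
        while IFS= read -r line; do
            case "$line" in *:*) ;; *) continue ;; esac
            name=${line%%:*}
            value=${line#*:}
            value=${value# }
            if has_shellshock_marker "$value"; then
                hits=$((hits + 1))
                printf '%s\t%s\n' "$(cgi_env_name "$name")" "$value"
            fi
        done
        printf 'suspect_headers=%s\n' "$hits"
    }
}

# Returns 0 when a DHCP option value is safe to hand to a shell script.
# A lease option such as domain-name should never look like shell code.
dhcp_option_is_safe() {
    ! has_shellshock_marker "$1"
}

# Constructed samples: a request carrying the probe in two headers, and a
# domain-name option a rogue DHCP server might send.
SAMPLE_HEADERS='Host: www.example.com
User-Agent: () { :; }; echo pwned
Accept: */*
Cookie: session=abc; () {:;}; echo pwned'

SAMPLE_DOMAIN='() { :; }; echo pwned'

list_poisoned_cgi_vars "$SAMPLE_HEADERS"
if dhcp_option_is_safe "$SAMPLE_DOMAIN"; then
    printf '%s: ok\n' "$(dhcp_env_name domain-name)"
else
    printf '%s: REJECTED\n' "$(dhcp_env_name domain-name)"
fi
```

    The filter is a detection and defence-in-depth aid, not a substitute for the Bash patch: it recognises the prologue a request or lease option must carry to reach the parser bug, which is why a signature on this pattern catches the CGI attempts regardless of the command that follows, but only the updated Bash stops the import itself.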

    For mobile devices, Android devices do not use the Bash shell and are thus not affected by this threat. Neither are iOS devices. However, because jailbroken iOS devices include a copy of Bash, those devices are at risk. Similarly, rooted and modified devices that now run a *nix variant (and, as a result, Bash) may be affected.

    Embedded devices / Internet of Things / Internet of Everything

    Many embedded devices that make up the Internet of Everything are built on embedded versions of Linux, raising the risk that they could be compromised. This would allow the information in these devices to be stolen, as well as for the devices themselves to be used in various malicious activities by becoming part of a botnet.

    However, not all of these devices use Bash. Many are built on BusyBox, which ships its own shell (ash) rather than Bash; these would not be affected by this vulnerability either.

    Diagnosing and patching IoE devices that are affected by Shellshock will be exceptionally difficult, however. The standard tests used to check whether a system is vulnerable are harder to run on an embedded device, and the record of many IoE vendors when it comes to security patches is not ideal either. This area could represent a significant problem in the long-term mitigation of Shellshock.

    Summary: IT administrators should worry the most, for now

    For the time being, IT administrators maintaining servers that are exposed to the Internet should be the most concerned about this attack. As we mentioned in earlier blog posts, patches are now available from most vendors that should close this security hole.

    We now provide free tools that allow IT administrators to check not only whether their servers are vulnerable to Shellshock, but also whether the attacks known to have taken advantage of it are already present on their systems. We have also released a browser extension and device scanners to protect users' browsers and devices against the risks posed by the Bash bug vulnerability; these tools scan a device to detect whether it has been affected by the bug.

    Attempts to exploit the Shellshock vulnerability on a network can be detected via the following Deep Discovery rule:

    • 1618 – Shellshock HTTP REQUEST

    Other Trend Micro products detect this as CVE-2014-6271-SHELLSHOCK_REQUEST.

    In addition, Trend Micro Deep Security protects users from this bash vulnerability via the following DPI rule:

    • 1006256 – GNU Bash Remote Code Execution Vulnerability

    Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug” containing information on what they need to know about Shellshock vulnerability and its security risks.

    We’ve also documented our analysis of the botnet reportedly being built using the Shellshock vulnerability.

    Posted in Exploits, Vulnerabilities

    The incidents that cropped up in the months of April to June 2014—from the data breaches, DDoS attacks, to malware improvements and threats to privacy—highlighted the need for enterprises to craft a more strategic response against and in anticipation of security threats.

    There were plenty of threats to be found in the quarter. There was the major vulnerability, Heartbleed, in the widely used cryptographic library OpenSSL. We saw both tech companies and restaurant chains fall victim to data breaches. We saw Windows XP patched one last time by Microsoft post-EOS. We saw major decisions in the judicial systems of the United States and Europe that could affect how data is handled and protected for years to come.

    Other parts of the threat landscape continued to become a bigger problem. Both online banking malware and mobile malware continued to affect many users:

    Figure 1. Online banking malware detection volume

    Figure 2. Cumulative mobile malware threat volume

    Some organizations will deal with these incidents in an exemplary manner. Others will fail. Most will be somewhere in between. Part of this quarter’s roundup discusses how several organizations dealt with various online threats that affected them, and what others can learn from these examples.

    Of course, cybercrime and targeted attacks are not the only perceived “threats” in the world. Increasingly, large Internet companies and government surveillance are perceived as “threats” as well. Here, too, we see how these threats are being addressed: both the EU’s “right to be forgotten” and Riley v. California, a US Supreme Court decision that held that searching the information on a cellphone requires a warrant, can be viewed as responses of the American and European legal systems to the situations in both regions. As digital problems intrude more on the daily lives of users, it is nearly certain that courts will have to weigh in moving forward.

    More details about the threats found in the second quarter—as well as how these threats were dealt with—can be found in TrendLabs report entitled Turning the Tables on Cyber Attacks.


    In the early 2000s, Africa gained notoriety due to the 419 "Nigerian" scam, in which victims made advance payments in exchange for a promised reward for helping so-called high-ranking Nigerian officials and their families. While not all of these scams necessarily originated from Africa, the use of Nigerian officials was imprinted upon the public consciousness, forever associating the scam with the continent.

    Web Defacement as a Popular Form of Protest

    The 419 scam isn’t the only cybercrime activity in the area. Web defacement is a major cybercrime activity among hackers in North Africa, with several groups from Morocco, Algeria, Tunisia, and Egypt leading the region. These groups aim to deface sites based in the United States, Europe, and pretty much any country with poor security. Their messages are often related to current events or some cause. These North African groups also use defacement as some form of competition. It’s not rare to see one group deface another country’s sites when a political event occurs.

    In 2013, we discussed website defacement, which occurred during April Fools’ Day. A group of Algerian hackers, known as “Algeria to the core,” defaced websites including German and Australian ones. Web defacement is an old hacking technique that consists of breaking into websites with weak security and replacing the content with customized messages.

    Hackers have used defacement as a form of protest or to send a message for a particular cause. Defacement has also been used as an act of cyber warfare among hacker groups from different countries.

    Attacks in a Larger Scale: Botnets, RATs, and Targeted Attack Techniques

    Cybercriminals in the region are moving from web defacement to more lucrative forms of cybercrime that involve the use of botnets, remote access Trojans (RATs), and banking/finance-related malware.

    In November 2013, we found that several Ice IX servers were tied to a group of individuals located in Nigeria. Ice IX is a banking Trojan derived from the better-known ZeuS/ZBOT malware; both are used to steal online banking credentials, email addresses, and information related to social media accounts. Earlier this year, an arrest involving the SpyEye banking malware showed that one of the key players was an Algerian cybercriminal who went by the alias bx1. Bx1 was also known for a history of defacing websites.


    Figure 1: Web defacement by Algerian cybercriminal “bx1”

    Apart from banking/finance-related malware, cybercriminals have begun operating botnets built from RATs, as in the case of the Blackshades RAT. Sold as a toolkit, Blackshades can steal passwords, log keystrokes, launch denial-of-service (DoS) attacks, and download and run malware on affected systems. Several Blackshades infections can then be combined into a botnet for distributed denial-of-service (DDoS) attacks, or their operator can sell the stolen information and documents.

    We are also seeing a shift toward the use of targeted attack techniques for malware campaigns. One methodology is the use of malicious email attachments and exploits for known vulnerabilities, such as CVE-2012-0158, to deliver malware like ZeuS/ZBOT. They are also using RATs, like the aforementioned Blackshades, in targeted attack-like campaigns.

    Beyond Africa

    Africa isn’t the only region experiencing this type of cybercriminal expansion. We are seeing the same indicators in India, which may possibly mean that more and more people are turning to cybercrime as a lucrative business. The adoption of such methodologies could be traced back to the society these cybercriminals live in, wherein some of them are highly educated but without any employment prospects. With a lot of time on their hands, they can easily pick up the skills for cybercrime and earn money. Moreover, the shortage of laws related to cybercrime—and the lack of enforcement for existing laws—in these countries make it difficult to catch and apprehend these criminals.

    These developments show that cybercriminals will always adapt to new trends and situations, whether by using new malware or targeted attack techniques, to continue their attacks. However, only time will tell if these cybercriminals will shift yet again, this time to being major players in targeted attack groups.

    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice