Given the severity of the Bash vulnerability, also known as Shellshock, it is no wonder that we're seeing a lot of attacks leveraging it. Just hours after this vulnerability was reported, malware payloads such as ELF_BASHLITE.A emerged in the threat landscape. Other payloads such as PERL_SHELLBOT.WZ and ELF_BASHLET.A were also spotted in the wild; both can execute commands and can thus compromise a system or a server.
Apart from these malware payloads, DDoS attacks against well-known organizations have been reported. During the course of our investigation, we spotted exploit attempts in Brazil that test whether the target server is vulnerable. This suggests that the attackers behind such attempts are gathering intelligence. Once they have the information they need, they can launch follow-up attacks and, consequently, infiltrate their target network.
Our researchers are continuously monitoring possible attacks that may employ Shellshock. In the course of our investigation, we spotted an active IRC (Internet Relay Chat) bot that leverages the Bash vulnerability. Trend Micro detects this bot as PERL_SHELLBOT.CE. Infected systems connect to the IRC server us[dot]bot[dot]nu via port 5190 and join the IRC channel #bash, then wait for commands from a remote attacker. We analyzed the code and found that it can carry out the following commands:
- Perform DDoS attacks
- IRC booting/disconnecting through CTCP, message, and notice flooding
- Download arbitrary file
- Connect to server (IP:Port)
- Scan opened ports (<ip>)
- Send e-mails (<subject>, <sender>, <recipient>, <message>)
- Ping IP (<ip>,<port>)
- Resolve DNS <ip/host>
- Check bot configuration
Figure 1. PERL_SHELLBOT.CE infection diagram
So far, we have witnessed this bot being issued the command to change channels. This is probably done as an evasion technique to avoid being taken down. As of posting, we have seen more than 400 active bots joining the IRC channel. We found that most of those who accessed the IRC server are located in the U.S., Japan, Canada, and Australia.
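The connection behaviour described above (a bot connecting to us[dot]bot[dot]nu on port 5190, joining #bash, and later being moved to another channel) can be turned into a simple log check. The following Python script is an added example, not code from the original post or from Trend Micro. The log format and the sample lines are constructed for illustration; the only indicators it matches on are the server, port, and channel quoted in the post, and it treats a JOIN to any other channel on the known server as the channel change the post describes rather than as benign.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: C&C server us[dot]bot[dot]nu, TCP 5190, channel #bash.
C2_HOST = "us.bot.nu"      # re-fanged for matching
C2_PORT = 5190
C2_CHANNEL = "#bash"

# Constructed log format (an assumption for this example, not a real product's format):
#   <timestamp> <src_ip> -> <dst_host>:<dst_port> <proto> [<first line of payload>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\S+)"
    r"(?: (?P<payload>.*))?$"
)
# IRC JOIN command at the start of the captured payload, e.g. "JOIN #bash"
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>#\S+)", re.IGNORECASE)


@dataclass
class Alert:
    src: str
    dst: str
    severity: str   # "high" for host/channel evidence, "low" for port-only
    reasons: list


def classify(line: str):
    """Return an Alert if the line matches a PERL_SHELLBOT.CE C&C indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None   # unparseable line: skip rather than guess
    dst, port = m["dst"].lower(), int(m["port"])
    payload = m["payload"] or ""
    reasons, strong = [], False

    if dst == C2_HOST:
        reasons.append(f"connection to known C&C host {C2_HOST}")
        strong = True
    if port == C2_PORT:
        reasons.append(f"destination port {C2_PORT}")

    join = JOIN_RE.match(payload)
    if join:
        chan = join["chan"].lower()
        if chan == C2_CHANNEL:
            reasons.append(f"IRC JOIN to known channel {C2_CHANNEL}")
            strong = True
        elif dst == C2_HOST:
            # The post reports the bot being told to change channels; a JOIN to any
            # other channel on the known server is still C&C activity, not noise.
            reasons.append(f"IRC JOIN to {chan} on C&C server (channel change)")
            strong = True

    if not reasons:
        return None
    # Port 5190 by itself is a weak signal: legitimate IM clients use it too.
    severity = "high" if strong else "low"
    return Alert(m["src"], f"{dst}:{port}", severity, reasons)


def scan(lines):
    """Run classify() over a sequence of log lines, keeping only the matches."""
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample log. Addresses other than the post's indicator are
# RFC 5737 / RFC 2606 example values.
SAMPLE_LOG = [
    "2014-09-27T10:01:02Z 10.0.0.5 -> us.bot.nu:5190 tcp NICK bot1234",
    "2014-09-27T10:01:03Z 10.0.0.5 -> us.bot.nu:5190 tcp JOIN #bash",
    "2014-09-27T10:02:00Z 10.0.0.5 -> us.bot.nu:5190 tcp JOIN #other",
    "2014-09-27T10:03:00Z 10.0.0.7 -> irc.example.net:6667 tcp JOIN #bash",
    "2014-09-27T10:04:00Z 10.0.0.8 -> www.example.com:443 tcp",
    "2014-09-27T10:05:00Z 10.0.0.9 -> 203.0.113.10:5190 tcp",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {'; '.join(a.reasons)}")
```

Run against the sample, the script raises high-severity alerts for the three lines on the known server (including the JOIN to #other after the channel change) and for the JOIN to #bash on an unrelated server, a low-severity alert for the bare port-5190 connection, and nothing for the HTTPS line. Host and channel evidence should drive response; a port match alone is only worth a closer look.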
These threats and attack attempts, and now the emergence of a live IRC bot, clearly show the severity of this vulnerability and its real-world impact on users and enterprises. We will remain vigilant and be on the lookout for other attacks and threats. Stay tuned as we update this blog with new developments.
For more information on the Bash vulnerability, read our previous articles:
- Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil
- Shellshock Vulnerability Used in Botnet Attacks
- Shellshock – How Bad Can It Get?
- Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
- Bash Vulnerability Leads to Shellshock: What It Is, How It Affects You
With additional analysis from Alvin Bacani, Karla Agregado, and Mark Manahan.