One of the implications of the Bash Bug vulnerability (also referred to as Shellshock) is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. Indeed, there are already reports of botnet attacks against certain institutions that employed the vulnerability. A botnet is a network of infected computers/systems.
Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) launches the following commands:
In addition, it connects to the C&C server 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C server used by ELF_BASHLITE.A, the malware we initially saw as the payload of the Bash exploit. The related hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.
Earlier, we spotted several malware payloads of the exploit code for the Bash vulnerability, which Trend Micro detects as:
Users are protected from this threat via the Trend Micro Smart Protection Network, which detects the malware and blocks all related malicious URLs. For the Bash bug vulnerability, Trend Micro protects via the following solutions:
- Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
- DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
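As an added illustration (not Trend Micro's rule logic or any code from this post), the two defender signals the entry gives can be turned into a small triage script: an inbound HTTP request whose header value begins with a Bash function definition ("() {"), which is how a Shellshock HTTP request reaches a CGI handler's environment, and an outbound connection to the C&C address quoted above. The sample requests and flows are constructed; the regex and header set are the author's assumptions.

```python
import re

# Shellshock exploitation over HTTP places a Bash function definition, i.e. a
# value starting with "() {", in a request header that a CGI handler exports as
# an environment variable. That prefix is the usual detection signature; the
# pattern below tolerates the spacing variants seen in practice (assumption).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# C&C address quoted in the post (written there as 89[DOT]238[DOT]150[DOT]154).
BASHLITE_C2 = "89.238.150.154"


def scan_http_request(headers):
    """Return the header names whose values carry the Shellshock signature."""
    return sorted(name for name, value in headers.items() if SHELLSHOCK_RE.search(value))


def scan_connections(flows):
    """Return (src, dst) pairs that contact the C&C address named in the post."""
    return [(src, dst) for src, dst in flows if dst == BASHLITE_C2]


# Constructed sample data (not from the post): two web requests and two flows.
SAMPLE_HEADERS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Host": "www.example.test"},
    {"User-Agent": "() { :; }; echo vulnerable", "Referer": "() {:;}; echo x",
     "Host": "www.example.test"},
]
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9"),       # benign destination (documentation range)
    ("10.0.0.5", "89.238.150.154"),    # the C&C address from the post
]


def triage(headers_list=SAMPLE_HEADERS, flows=SAMPLE_FLOWS):
    """Produce human-readable alerts for the supplied requests and flows."""
    alerts = []
    for i, headers in enumerate(headers_list):
        hits = scan_http_request(headers)
        if hits:
            alerts.append(f"request {i}: Shellshock pattern in {', '.join(hits)}")
    for src, dst in scan_connections(flows):
        alerts.append(f"flow {src}->{dst}: contact with BASHLITE/BASHWOOP C&C")
    return alerts


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Feed real proxy or web-server logs through the same two functions to get the equivalent of the HTTP-request rule and a C&C contact check in one pass.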
For more information on the Bash bug vulnerability, you can refer to the following blog entries:
- Shellshock – How Bad Can It Get?
- Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
- Bash Vulnerability Leads to Shellshock: What it is, How it Affects You
Users can also read our article, About the Shellshock Vulnerability: The Basics of the “Bash Bug” for details on the vulnerability and the risks it posed to users and organizations.
We’ll continuously update this blog entry for new findings.