
Shellshock Updates: BASHLITE C&Cs Seen, Shellshock Exploit Attempts in Brazil

  • Posted on: September 26, 2014 at 8:57 pm
  • Posted in: Exploits, Malware, Vulnerabilities
  • Author: Trend Micro

We have another update regarding the Shellshock vulnerability. In a previous blog entry, we discussed a DDoS attack against institutions that illustrated the gravity of the vulnerability’s real-world impact.

Based on our analysis, the backdoor used in this DDoS attack is somewhat related to the earlier Shellshock exploits we have seen. The various payloads delivered by Shellshock exploit code (PERL_SHELLBOT.WZ, ELF_BASHLITE.A, ELF_BASHLET.A) connect to several C&C servers, a number of which are shared between the payloads. Analyzing these servers, we uncovered yet more details on just how far-reaching this particular vulnerability is.

For those joining the fray just now, Shellshock is a vulnerability in the Bash shell, a command-line interface through which users access an operating system’s services by typing commands. In the wrong hands, Shellshock lets an attacker run malicious scripts on Internet-facing systems and servers, compromising those systems and anything connected to them. And make no mistake, this particular vulnerability has a lot of potential for widespread damage, as it affects systems running Linux, BSD, and Mac OS X.
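As an added example that is not code from the original Trend Micro post, the POSIX shell function below performs the standard local self-check for the original Shellshock bug on hosts you administer. It exports an environment variable whose value looks like a Bash function definition followed by a trailing command, then starts bash: a vulnerable bash imports the "function" and also runs the trailing command (here nothing more than an echo of a marker word), while a patched bash ignores everything after the function body. The function name `shellshock_check` and the marker string are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): local Shellshock self-check.
# Usage: shellshock_check [path-to-bash]
# Exit status: 0 = patched, 1 = vulnerable, 2 = bash binary not found.
shellshock_check() {
    bash_bin=${1:-bash}                       # assumption: bash is on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # The variable value mimics an exported function definition with a
    # trailing command. The trailing command only prints a marker word.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo probe-done' 2>/dev/null)

    # A patched bash prints only "probe-done"; a vulnerable one also
    # prints the marker because it executed the trailing command.
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Report the result for the default bash on this host.
shellshock_check
```

Run it on each Linux host in an inventory and treat any "vulnerable" result as a patching priority; pass a path as the first argument to test a bash binary other than the one on PATH (a vendor-bundled copy, for instance).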

Analyzing one of the C&C servers involved, 89[dot]238[dot]150[dot]154[colon]5 (related to ELF_BASHLITE.SM and ELF_BASHLITE.A), we discovered that it is also used by ELF_BASHWOOP.A, yet another malware that we found to be involved in the attacks. ELF_BASHWOOP.A is the backdoor used in the botnet attacks against well-known organizations. The only difference is the port each connects to: ELF_BASHWOOP.A connects to port 9003, while ELF_BASHLITE.SM connects to port 5. Based on our findings, this particular C&C server is located in Great Britain.

Another C&C server we analyzed, 162[dot]253[dot]66[dot]76[colon]53, is used by both ELF_BASHLITE.A and ELF_BASHLITE.SM. Our findings confirm that this C&C server is located in the United States.

Below is the list of countries that accessed these C&C servers:

Figures 1 & 2. Map and Table of C&C Servers (images not reproduced here)

Note that the commands these malware can execute pertain to the control and termination of botnets, as well as to launching distributed denial-of-service (DDoS) attacks. We also found that they can flood IRC users with long messages on command, which could result in those users being disconnected. Command examples include UDP and TCP flooding and terminating attack threads and bots, among others.
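The C&C endpoints quoted above are written defanged. As an added example that is not part of the original post, the POSIX shell script below refangs those indicators (the two hosts named above, plus the port 9003 listener ELF_BASHWOOP.A uses on the first host) and matches them against a constructed sample of outbound-connection log lines, so a defender can check whether any host on their network has talked to these servers. The log format, the hostnames and the 203.0.113.10 address are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): match defanged C&C indicators
# against a connection log. Indicators are written exactly as the post
# gives them; they are refanged only at match time.
C2_DEFANGED="89[dot]238[dot]150[dot]154[colon]5
89[dot]238[dot]150[dot]154[colon]9003
162[dot]253[dot]66[dot]76[colon]53"

# refang: '89[dot]238[dot]150[dot]154[colon]5' -> '89.238.150.154:5'
refang() {
    printf '%s\n' "$1" | sed -e 's/\[dot\]/./g' -e 's/\[colon\]/:/g'
}

# Constructed sample log: timestamp host direction dst-ip:port state.
# 203.0.113.10 is a documentation address (assumption), not an indicator.
SAMPLE_LOG="2014-09-26T20:10:01Z web01 outbound 89.238.150.154:5 ESTABLISHED
2014-09-26T20:10:02Z web01 outbound 203.0.113.10:443 ESTABLISHED
2014-09-26T20:10:03Z web02 outbound 162.253.66.76:53 ESTABLISHED
2014-09-26T20:10:04Z web02 outbound 162.253.66.76:80 ESTABLISHED
2014-09-26T20:10:05Z web03 outbound 89.238.150.154:9003 ESTABLISHED"

# match_c2: print every log line whose destination equals a refanged
# C&C endpoint. Matching on host:port rather than host alone keeps
# unrelated traffic to the same host (the :80 line) out of the alert.
match_c2() {
    log=$1
    printf '%s\n' "$log" | while IFS=' ' read -r ts host dir dst state; do
        printf '%s\n' "$C2_DEFANGED" | while IFS= read -r ioc; do
            if [ "$dst" = "$(refang "$ioc")" ]; then
                printf '%s\n' "$ts $host $dir $dst $state"
            fi
        done
    done
}

# count_c2_hits: number of matching lines, usable as an alert threshold.
count_c2_hits() {
    match_c2 "$1" | wc -l | tr -d ' '
}

match_c2 "$SAMPLE_LOG"
```

Against real data, feed the script exported firewall or NetFlow records in the same five-field layout (or adjust the `read` field list to your format); a single hit on port 5, 53 or 9003 of these hosts is worth an immediate look at the originating machine, since the post describes these servers as shared across several of the Shellshock payloads.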

It should be stressed that the Shellshock vulnerability does not only affect servers and computers. We’ve been doing some testing on our own, and we confirm that the following are vulnerable to Shellshock:

  • Linux-based devices
  • Mac OS X devices
  • iPhone

We must issue a caveat here, however. While we confirm the latter two to be vulnerable, only Linux-based devices can be attacked remotely; Mac OS X devices and iPhones can only be attacked locally, i.e., when the attacker has physical access to the device itself. Apple’s statement on this matter, which declares that OS X users are safe from Shellshock if they have not configured their devices for advanced UNIX services, still holds true.

Shellshock exploit attempts in Brazil

We have also begun to spot Shellshock exploit attempts in Brazil, which appear to be targeting government institutions. Trend Micro Deep Discovery is able to detect the intrusion:

Figure 3. Trend Micro Deep Discovery detects a Shellshock attempt in Brazil (image not reproduced here)

These attempts do not seem to carry any real payload or do any real damage; instead, they collect what appears to be information about the systems they are trying to infiltrate. But in the world of cybercrime and cyber attacks, that may change soon enough. We believe this information gathering could be a sign of preparation for a bigger, much more damaging attack.

Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

Readers of the Security Intelligence Blog can rest assured that we will continue to cover this threat and provide timely updates as we get them.

For more information regarding Shellshock, you can check out our previous articles:

  • Shellshock Vulnerability Used in Botnet Attacks
  • Shellshock – How Bad Can It Get?
  • Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware
  • Bash Vulnerability Leads to Shellshock: What it is, How it Affects You

Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of just what Shellshock actually is, and why it’s such a big deal.
