The malware researchers spotted a recent reverberation of the Shellshock, as the Linux botnet Mayhem started spreading through Shellshock exploits. The cybercriminals have discovered certain vulnerabilities in the command-line interpreter of Bash, aiming to infect the servers working under Linux with the malware program Mayhem.
Discovered earlier this year, the sophisticate malware Mayhem was carefully analyzed by researchers from Yandex, a company from Russia. The malware is installed in the computers through a special PHP script which is uploaded by the attackers on servers through altered FTP passwords, brute-forced site administration credentials and different website vulnerabilities.
The main component of Mayhem is the malicious library file Executable and Linkable Format (called ELF). Once the installation is done, the malware downloads additional plug-ins and then stores them in an encrypted and hidden file system. These plug-ins enable the cyber criminals to use the servers that are infected in order to compromise and attack additional sites.
According to the researchers of Yandex, in July the botnet consisted of more than 1400 infected servers with connection to two separate servers for command and control. Earlier this week, the researchers from MMD (Malware Must Die) announced that the authors of Mayhem have added Shellshock exploits to their botnet’s armory.
Shellshock is a collective name for several vulnerabilities which were recently discovered in the command-line interpreter Linux Bash. These vulnerabilities can be exploited to provide remote code execution on servers through several attack vectors like Dynamic Host Configuration Protocol (DHCP), OpenSSH, Common Gateway Interface (CGI), and also OpenVPN in some of the cases.
The attacks done by Shellshock are originating from the Mayhem botnet target Web servers through CGI support. According to the MMD researchers, the web servers probe the bots to determine if they are vulnerable to the flaws in Bash and then exploit the web servers to execute a Pearl script. That script has malicious Mayhem ELF binary files for the 32-bit and 64-bit CPU architectures, which are embedded into it in the form of hexadecimal data and then the LD_PRELOAD function to extract and run these files on the system.
Just like in the previous version of Mayhem, the malware creates a file system that is hidden and it stores there its additional components – plug-ins that are used in various types of scanning and attacks against other servers. The researchers from MDL think that one of those components has been updated and now used in the new Shellshock exploits. However, this is not confirmed yet.
The theory is backed up by the fact that some of the Shellshock attacks that have been observed originate from Internet Protocol addresses that are associated with the available Mayhem bots in addition to new IP addresses that come from different countries such as UK, Austria, Poland, Sweden, Indonesia and Australia. Malware Must Die researchers have shared the information they have gathered with the teams for national computer emergency response (CERTs).
A great deal of the Linux distributions come with patches for the Shellshock vulnerabilities, however many self-managed web servers are not configured in order to deploy updates automatically. In addition, there are various enterprise products and embedded devices based on Linux which include web servers and are Shellshock vulnerable. These products can also be targets if patches for them have not been deployed and are not available yet.