Attackers Exploit ShellShock via Botnet

Wednesday, October 29, 2014 @ 04:10 PM gHale


Shellshock, the GNU Bash vulnerability, is now a part of attackers’ repertoire as they are using it as part of a botnet campaign, researchers said.

This isn’t the first time Shellshock has been exploited, but these attacks are notable because they target the Simple Mail Transfer Protocol (SMTP), the protocol used for email transmission.


The initial Shellshock payload is placed in the Subject, From and To fields, and in the body, of the emails sent out by the attackers, said researchers at Binary Defense Systems (BDS). If the malicious code executes successfully, a Perl-based IRC bot is downloaded to the victim’s system and the infected SMTP gateway is added to the botnet infrastructure.
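As an added example (not code from the article, BDS or SANS), a small Python check that scans the fields the article names, Subject, From, To and the body, for the Shellshock function-definition prefix; the two sample messages and their addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Unpatched bash treats an environment variable as an exported function only
# when its value begins with "() {", so the match is anchored to the start of
# the header value (or a body line). An unanchored "() {" would also flag
# legitimate text such as a shell snippet quoted in a message.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{", re.MULTILINE)

# Fields the article names as carrying the payload.
SCANNED_HEADERS = ("Subject", "From", "To")


def find_shellshock_indicators(raw_message: str) -> list:
    """Return the fields (header names, plus "body") carrying the prefix."""
    msg = message_from_string(raw_message)
    hits = []
    for name in SCANNED_HEADERS:
        for value in msg.get_all(name, []):
            if SHELLSHOCK_RE.search(str(value)):
                hits.append(name)
                break
    for part in msg.walk():  # every text part of a (possibly multipart) body
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        if SHELLSHOCK_RE.search(payload.decode("utf-8", "replace")):
            hits.append("body")
            break
    return hits


# Constructed samples (hypothetical addresses, not the campaign's real mail).
MALICIOUS_SAMPLE = (
    "From: sender@example.invalid\n"
    "To: postmaster@mail.example.test\n"
    "Subject: () { :;}; echo shellshock-test\n"
    "\n"
    "() { :;}; echo shellshock-test\n"
)
BENIGN_SAMPLE = (
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: Re: cleanup script {draft}\n"
    "\n"
    "Define the helper as: cleanup() { rm -f /tmp/state; }\n"
)
```

The benign sample shows why the match is anchored: a shell function definition quoted mid-line in a message is not flagged.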

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash, however, it seems to be a fairly wide-scale delivery of emails across the United States,” said BDS’s David Kennedy in a blog post (https://www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/).

Researchers at the SANS Institute said the attacks appear to aim at the servers of web hosting providers. The malware appears to execute simple distributed denial-of-service (DDoS) commands, but it’s also capable of fetching and executing other threats, said Kevin Liston, a handler at the SANS Institute’s Internet Storm Center (ISC).

Belgian security consultant Xavier Mertens stumbled upon one of the malicious emails in his personal email account.

The email came from an address on mata.com, a domain for personalized email addresses often abused by attackers.

The IP address the payload came from is the same one seen by the SANS Institute. The IP (178.254.31.165) belongs to a virtual server hosted at a German hosting company. The server is currently down, Mertens said.
