Attackers Still Seeking Shellshock Victims

Wednesday, April 15, 2015 @ 01:04 PM gHale


A new worm wants to take over hosts still vulnerable to the Shellshock bug for Bash, researchers said.

Shellshock is a vulnerability that allows an attacker to execute arbitrary commands in Bash by appending them after a function definition stored in an environment variable.
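As an added illustration of that mechanism (not code from the original article or from Volexity), the following Python self-check exports a harmless function definition with a trailing `echo` through the environment and then asks a Bash binary to run an unrelated command. A patched Bash ignores everything after the function body; an unpatched one executes the trailing command while importing the variable. The variable name `SHELLSHOCK_PROBE` and the marker string are constructed for this check.

```python
import os
import shutil
import subprocess

# Probe value constructed for this check: a function definition followed by a
# trailing command. The only thing the trailing command does is echo a marker,
# so the result is observable without touching anything on the host.
_PROBE_VALUE = "() { :; }; echo SHELLSHOCK_MARKER"
_MARKER = "SHELLSHOCK_MARKER"


def check_bash_shellshock(bash_path="bash"):
    """Report whether the given Bash binary executes trailing commands found in
    an exported function definition.

    Returns a dict with 'vulnerable' set to True, False, or None (when Bash
    could not be located or run), plus a human-readable 'detail'.
    """
    resolved = shutil.which(bash_path)
    if resolved is None:
        return {"vulnerable": None, "detail": f"{bash_path!r} not found on PATH"}

    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = _PROBE_VALUE  # hypothetical variable name for the probe
    try:
        result = subprocess.run(
            [resolved, "-c", "echo probe-done"],  # the command we actually asked for
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.SubprocessError) as exc:
        return {"vulnerable": None, "detail": f"could not run {resolved}: {exc}"}

    output = result.stdout + result.stderr
    if _MARKER in output:
        # The marker only appears if Bash ran the code after the function body.
        return {"vulnerable": True, "detail": "trailing command was executed", "bash": resolved}
    return {"vulnerable": False, "detail": "trailing command was ignored", "bash": resolved}


if __name__ == "__main__":
    print(check_bash_shellshock())
```

Run it on each host that exposes Bash through a network-facing service (CGI, DHCP clients, SSH `ForceCommand` wrappers); a `vulnerable: True` result means the September patches were never applied there.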


The shell sees use in numerous services open to the Internet, such as web servers, which is what makes the security flaw significant.

While patches were released after the September disclosure, administrators have not, as often happens, applied all of the Shellshock fixes.

In mid-November, attackers continued scanning for vulnerable machines and found a good share of unprotected machines.

The attacks are continuing as bad guys are starting to scan for vulnerable machines again, said researchers at Volexity, who found a dramatic increase in frequency and breadth in searching for Internet devices susceptible to Shellshock exploits.

The malware observed by the experts comes with a script that holds a list of 26,356 IP addresses used for scanning purposes, along with an ELF scanning binary.

“Based on the contents of the file, it appears to be a modified version of a file called mass.c referenced as sslvuln.c that was found on a Romanian website,” Volexity’s Steven Adair said in a blog post.

The suspicion that Romanian actors were at least involved in modifying the components of the malware seems to be confirmed by a string in the binary that says “Nu Pot Deschide%,” which in English means “Can’t open it.”

Adair said the most reliable indicator of malicious activity is outbound communication to the IP address 109.228.25.87, which hosts a TAR archive with the necessary scripts for finding and infecting machines.
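To turn that indicator into a detection, here is an added Python example (not part of the original article or Volexity's report) that parses iptables-style kernel log lines and flags outbound connections to 109.228.25.87, the address quoted above. The log lines, hostnames and internal addresses are constructed for the example; only the indicator IP comes from the report.

```python
import re
from collections import Counter

# Indicator quoted in the article: the host serving the worm's TAR archive.
C2_INDICATOR = "109.228.25.87"

# Constructed sample of iptables LOG-target lines from two internet-facing
# web servers. Everything except the indicator address is invented.
SAMPLE_LOG = """\
Apr 15 12:58:03 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=443
Apr 15 12:58:09 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=109.228.25.87 PROTO=TCP SPT=51240 DPT=80
Apr 15 12:58:11 web01 kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=80
Apr 15 12:59:30 web01 kernel: OUT=eth0 SRC=10.0.0.5 DST=109.228.25.87 PROTO=TCP SPT=51241 DPT=80
Apr 15 13:01:02 web02 kernel: OUT=eth0 SRC=10.0.0.6 DST=109.228.25.87 PROTO=TCP SPT=33001 DPT=80
"""

# syslog timestamp, host, "kernel:", then the KEY=VALUE fields iptables emits
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict of timestamp, host and KEY=VALUE fields, or None if the
    line is not an iptables-style log record."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    fields = dict(
        kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv
    )
    return {"ts": m.group("ts"), "host": m.group("host"), **fields}


def find_c2_hits(log_text, indicator=C2_INDICATOR):
    """Return the parsed records for outbound packets whose destination is the
    indicator address. Only records with OUT set count: a packet arriving from
    the indicator would be inbound scanning, not a compromised host fetching
    its payload."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec.get("OUT") and rec.get("DST") == indicator:
            hits.append(rec)
    return hits


def hosts_by_hit_count(hits):
    """Summarise which hosts reached the indicator and how often, so the
    responder can prioritise isolation."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} -> {h['DST']}:{h.get('DPT')}")
    print(dict(hosts_by_hit_count(hits)))
```

Pointed at a real `/var/log/kern.log` (or the equivalent syslog stream) the same functions work unchanged; any host that appears in the summary should be treated as compromised rather than merely scanned, because the connection direction is outbound.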
