Honeypot Finds Shellshock Attacks

Wednesday, October 1, 2014 @ 08:10 AM gHale


Honeypots have turned up two pieces of malware already out in the wild taking advantage of the Bash vulnerability.

Bash is the default command interpreter (shell) on most Linux systems.

One of the threats is an IRC bot adapted to leverage the Bash bug dubbed Shellshock, and the attackers behind it are Romanian speakers.


Researchers from AlienVault captured the two pieces of malware through their honeypots, to which they had added a module specifically for attacks relying on the Shellshock bug.

One of the threats detected by the researchers is an ELF (Executable and Linkable Format) binary that lets attackers use the infected machine in distributed denial-of-service (DDoS) attacks.

Jaime Blasco, director of AlienVault Labs, said that once the binary executes it tries to obtain details about the affected system, including the number of CPUs and the network configuration.

All that information then goes to a command and control (C&C) server located in the United Kingdom. Among the commands the malware supports are JUNK, UDP and TCP flood.

It appears the attackers prepared the threat for brute-force attacks too, as they also included a list of common usernames and passwords.

The other malicious file hitting the AlienVault honeypots is an IRC bot written in Perl that connects to an IRC server and waits for commands from the attackers. It can also be used to create a denial-of-service condition on a target.

Initially, researchers found 715 users connected to the server, and the number later grew by 20 more connections.

After victims join the IRC server, “the attackers are executing the command ‘uname -a’ to determine the operating system that is running on the victim as well as ‘id’ to check the current username,” Blasco said in a blog post.

AlienVault concluded the attackers were Romanian speakers because of the messages left in the IRC channel.

These are not the first signs of the Shellshock vulnerability (CVE-2014-6271) being exploited in the wild: reports from Sucuri and other researchers confirm that attacks taking advantage of it are increasing rapidly.
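As an added example, not code from AlienVault or from this article: a small Python scanner that flags the Shellshock function-definition prefix in web server log lines, the kind of check a honeypot or log-monitoring module for CVE-2014-6271 performs. The log lines are constructed samples, and the client IP and the matched text are returned per hit so a defender can see which sources are probing.

```python
import re
from urllib.parse import unquote

# Shellshock (CVE-2014-6271) is triggered by an environment variable whose
# value starts with a Bash function definition, "() {", followed by extra
# commands after the closing brace. Web servers export request headers such
# as User-Agent and Referer as environment variables for CGI scripts, so the
# prefix itself is the thing to alert on, whatever follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed sample lines (not real captures) in Apache combined log format:
# client IP first, then Referer and User-Agent as the last two quoted fields.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo shellshock-probe"',
    '203.0.113.9 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { ignored; }; echo referer-probe" "curl/7.37"',
]


def find_shellshock(lines):
    """Return a list of (client_ip, matched_prefix) for every line carrying the pattern."""
    hits = []
    for line in lines:
        # Normalise percent-encoding first so an encoded prefix is not missed.
        decoded = unquote(line)
        match = SHELLSHOCK_RE.search(decoded)
        if match:
            client_ip = decoded.split(" ", 1)[0]
            hits.append((client_ip, match.group(0)))
    return hits


def count_by_ip(hits):
    """Aggregate hits per client IP to spot sources probing repeatedly."""
    counts = {}
    for client_ip, _ in hits:
        counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG)
    for client_ip, prefix in found:
        print(f"shellshock pattern from {client_ip}: {prefix}")
    print(count_by_ip(found))
```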
