Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Report: Criminals use Shellshock against mail servers to build botnet

Steve Ragan | Oct. 28, 2014
Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

While conducting research for this story, the person controlling the bots discovered us, and promptly issued a KLine, banning us from the server.

Given that the IRCd (IRC Daemon) exists on the compromised host and is accessed via Telnet (port 23); it's unlikely the firm is aware of the status of their server. CSO has contacted the IT firm, their web host, and OVH to report the matter.

NOTE: By the time this story went to press, none of those contacted had responded to the issue. The IRCd was off limits to us, but responded to pings. The domain serving the malicious payload was still active.

There is evidence of a second server, existing on a network in Germany, which hosted more than 600 bots earlier this month. The connection between this earlier server and the recently discovered server in France is the IRCd, network naming conventions, and the fact that the same people managed both (based on login details).

The following IP addresses have been linked to incidents leveraging Shellshock as an attack vector.

These addresses either hosted a malicious IRC network, or were used to deliver malicious payloads. In the attack examples seen by CSO, the host was called by IP directly over HTTP (port 80) via cURL. If a domain is used to resolve the host's IP, the attackers tend to use free services, such as

In addition to checking the server logs for the aforementioned IP addresses, administrators should also check to see if any unknown scripts are running on the server. The bots in this campaign are all managed by a Perl script, which will contain strings in its code that are easily found in a grep of the /tmp directory:

Legend Bot [2011]

Legend IRC [2010]


"Installing Mocks please wait"


The script that powers the botnet behind this recent campaign is called Legend, and it has existed for several years now. The Legend script is simplistic, but effective once installed on a system. It isn't designed to be clandestine, so it's often discovered during a scan of running processes, TMP directories, or network traffic.

With Legend, a compromised host can be called upon to do a number of things, including open a reverse shell, send spam, initiate a DDoS attack, scan a network with NMAP, or conduct basic Denial of Service via HTTP, TCP, UDP, or SQL. The script can also reveal sensitive information about the host, or turn it into a proxy.

Once installed, Legend will connect the compromised host to a pre-configured IRC server, where the attacker can issue commands individually or as a group. CSO has seen evidence of two Legend scripts circulating online. The source code for the first script, seen in late September and early October, is available here. The second, more recent script can be viewed here.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.