Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Report: Criminals use Shellshock against mail servers to build botnet

Steve Ragan | Oct. 28, 2014
Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

It's also worth noting that in separate, but related attacks, a second botnet script has been identified. The script, called "JST Perl IrcBot" in the headers, has many of the same functions as Legend. It was a suggested as a possible payload when someone on Reddit identified the same campaign that CSO was investigating.


The following MTAs / MDAs are directly impacted by Shellshock in some cases, depending on their configuration. The source link will open links to additional sources of information.

Courier Mail Server [Source]

Exim [Source]

QMail [Source] [Source]

Postfix [Source] / Procmail [Source]

There is at least one Shellshock exploit for Postfix circulating online, triggering the same attack as observed in this article The Procmail source link points to an additional possible attack vector.

Sendmail [Source]

Depending on how it is configured, Sendmail is vulnerable. This is especially true for web scripts that call Sendmail. One example of such a script is sendmail-wrapper, which logs and throttles email sent by PHP. It was patched against Shellshock shortly after it was disclosed.

Above all else, the most important mitigation step is patching Bash to ensure that systems are updated with the latest version. All major vendors and Linux distributions have released patches against Shellshock, including Red Hat, IBM, Juniper, Cisco, Debian, Ubuntu, VMware, McAfee, and HP.


Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.