Making good on expert predictions that Shellshock vulnerabilities will hold some serious ramifications for Internet infrastructure before the year is out, researchers with MalwareMustDie last week reported that knowledge of the Bash bug has already been weaponized through Mayhem, an existing botnet malware kit. The evolution of Mayhem to take advantage of Shellshock proves how quickly criminals can mobilize on Shellshock when they use existing malware infrastructure.
Experts say the threat from Shellshock-enabled Mayhem is bad enough, but perhaps its bigger significance to security teams is its role as a bellwether.
"The key importance is not that Mayhem is the one and only thing to be aware of – the point is that Shellshock has now crossed the last key threshold for a vulnerability, in that it has moved out of theoretical or early stage use into wide, automated, easy exploitation," says Dr. Mike Lloyd, CTO for RedSeal Networks. "Risk is generally defined mathematically as the value of an asset times the probability of a bad thing happening to that asset; the second factor just went way up, and so risk has gone up right along with it.”
As Ron Gula, CEO for Tenable Network Security explains, Mayhem's danger comes from the combination of two exploits. The first is one that leverages a vulnerability that allows attackers to upload files to Linux servers via FTP. The second is one that uploads malicious files malformed to take advantage of Shellshock. In its previous incarnation, those were PHP scripts -- now it's an ELF library file that downloads malicious plug-ins that are hidden and encrypted and give attackers the means to attack other sites using the server.
"The issue is that most organizations don't connect a medium-level vulnerability such as arbitrary FTP file uploads with exploiting Shellshock," Gula says. "Also, many organizations may have done an audit of their systems and found that there were no scripts which could be exploited by Shellshock and moved on to other higher priorities."
As pundits have been saying all along, patching is critical to fighting the threat of Mayhem.
"While most enterprises should have already patched any *nix server that was Internet-facing, this particular turn of events -- which was expected -- should heighten patching efforts in order to protect corporate assets," says Mike Spanbauer of NSS Labs.
However, patching might not always be practical for servers.
"In many cases, a server might be running some unique and proprietary software, developed in house for whatever use the organization needs it for," says Adam Kujawa, head of malware intelligence for Malwarebytes Labs, who explains that the changes to Mayhem make the botnet have worm-like qualities. "Self-propagation is a dangerous feature in the malware world, especially when the method used to spread is new and can still do a lot of damage to the large amounts of unsecured servers out there."
In cases where servers can't be patched, other layers of security through IPS, next-gen firewalls, and Web application firewalls will be important. Organizations might also want to consider increasing the level of command-line monitoring, Gula says.
"Normally, a patch would suffice, but it looks like there have been and will be more Shellshock-related security warnings coming forward. To increase command-line monitoring, process accounting should be enabled on their Linux systems such that all commands can be logged to a security event management tool," Gula says. "Also, if your Linux system supports locking down which commands certain accounts are allowed to run, this is also a great form of protection as well as monitoring. If a hacker or botnet were able to gain control of an account on a Web server, they may try to run an illegal command which is a very good form of detection."
This may be important not just for Mayhem, but all the attacks that are likely to follow. Experts warn that it won't take long now for criminals to weaponize Shellshock exploits en masse, because they'll likely follow the Mayhem model. Rather than create whole new classes of malware kits, they'll instead incrementally progress what they've got already to incorporate Shellshock into existing malware.
"The authors wouldn't throw away perfectly good and perfectly effective malware if they could help it," Kujawa says. "So you are going to see new features pushed into these tools to take advantage of vulnerabilities like Shellshock."
Although there might be new software developed to help attackers to scan for Shellshock vulnerabilities or to aid existing tools in exploiting them, don't expect a new family based on the Bash bug. Rahul Kashyap, chief security architect and head of security research for Bromium, says there are a number of logistical reasons why attackers are going to repurpose their kits.
"It's fairly easy to repackage the existing malware and bypass traditional security defenses, so there's not much real need to build the malware from scratch. A popular malware strain is already QA'ed by many people in the past, so its reliability is already determined," Kashyap says, adding, "in cases like Mayhem which have established botnets, it makes reusing existing malware even more lucrative as now the existing botnet can get bigger and more powerful."
When it comes down to it, it is not only easier to repackage well-known malware to leverage new flaws like Shellshock, it just makes business sense, says Martin Lee, technical lead for threat intelligence within Cisco's Talos Team.
"The attackers' business model is to compromise new machines in any way they can. If a new vulnerability can help them do that, then you can be certain that they exploit this," Lee says.