Attacks/Breaches

10/13/2014
06:00 PM
Shellshock Mayhem Marks The Start Of Malware Mess

Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.

Making good on expert predictions that Shellshock vulnerabilities will hold some serious ramifications for Internet infrastructure before the year is out, researchers with MalwareMustDie last week reported that knowledge of the Bash bug has already been weaponized through Mayhem, an existing botnet malware kit. The evolution of Mayhem to take advantage of Shellshock proves how quickly criminals can mobilize on Shellshock when they use existing malware infrastructure.

Experts say the threat from Shellshock-enabled Mayhem is bad enough, but perhaps its bigger significance to security teams is its role as a bellwether.

"The key importance is not that Mayhem is the one and only thing to be aware of – the point is that Shellshock has now crossed the last key threshold for a vulnerability, in that it has moved out of theoretical or early stage use into wide, automated, easy exploitation," says Dr. Mike Lloyd, CTO for RedSeal Networks. "Risk is generally defined mathematically as the value of an asset times the probability of a bad thing happening to that asset; the second factor just went way up, and so risk has gone up right along with it."

As Ron Gula, CEO of Tenable Network Security, explains, Mayhem's danger comes from the combination of two exploits. The first leverages a vulnerability that lets attackers upload files to Linux servers via FTP. The second uploads files crafted to trigger Shellshock. In Mayhem's previous incarnation those files were PHP scripts; now the payload is an ELF library file that downloads hidden, encrypted malicious plug-ins, giving attackers the means to attack other sites from the compromised server.

"The issue is that most organizations don't connect a medium-level vulnerability such as arbitrary FTP file uploads with exploiting Shellshock," Gula says. "Also, many organizations may have done an audit of their systems and found that there were no scripts which could be exploited by Shellshock and moved on to other higher priorities."

As pundits have been saying all along, patching is critical to fighting the threat of Mayhem.

"While most enterprises should have already patched any *nix server that was Internet-facing, this particular turn of events -- which was expected -- should heighten patching efforts in order to protect corporate assets," says Mike Spanbauer of NSS Labs.

However, patching might not always be practical for servers.

"In many cases, a server might be running some unique and proprietary software, developed in house for whatever use the organization needs it for," says Adam Kujawa, head of malware intelligence for Malwarebytes Labs, who explains that the changes to Mayhem make the botnet have worm-like qualities. "Self-propagation is a dangerous feature in the malware world, especially when the method used to spread is new and can still do a lot of damage to the large amounts of unsecured servers out there."  

In cases where servers can't be patched, other layers of security through IPS, next-gen firewalls, and Web application firewalls will be important. Organizations might also want to consider increasing the level of command-line monitoring, Gula says.

"Normally, a patch would suffice, but it looks like there have been and will be more Shellshock-related security warnings coming forward. To increase command-line monitoring, process accounting should be enabled on their Linux systems such that all commands can be logged to a security event management tool," Gula says. "Also, if your Linux system supports locking down which commands certain accounts are allowed to run, this is also a great form of protection as well as monitoring. If a hacker or botnet were able to gain control of an account on a Web server, they may try to run an illegal command which is a very good form of detection." 
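The audit Gula describes starts with confirming that each host's Bash no longer honors the function-definition trick. The following script is an added example, not code from the article or from any vendor quoted in it; it runs the harmless self-test the distribution advisories published and checks whether the installed bash uses the hardened BASH_FUNC_name%% export format that the fix introduced (it assumes bash and env are on PATH).

```shell
#!/bin/sh
# Added example: local Shellshock patch check for a monitoring or audit job.
# Assumes "bash" and "env" are on PATH. Not taken from the article.

# Returns 0 if the installed bash still executes the trailing command of an
# environment variable that looks like an exported function (vulnerable),
# 1 if the trailing command is ignored (patched).
shellshock_vulnerable() {
    out=$(env x='() { :;}; echo VULN' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Returns 0 if bash exports functions under the hardened BASH_FUNC_name%%
# variable name introduced by the fix, so a plain "name=() {" variable is
# no longer parsed as a function definition at startup.
bash_uses_prefixed_function_export() {
    bash -c 'f() { :; }; export -f f; env' 2>/dev/null \
        | grep -q '^BASH_FUNC_f%%='
}

# Prints a one-line verdict for the host and returns 1 if it still needs
# patching, so the script can feed a cron job or a log collector.
report_shellshock_status() {
    host=$(hostname 2>/dev/null || echo unknown-host)
    if shellshock_vulnerable; then
        echo "$host: bash VULNERABLE to Shellshock, patch immediately"
        return 1
    fi
    if bash_uses_prefixed_function_export; then
        echo "$host: bash patched (function export uses BASH_FUNC_name%%)"
    else
        echo "$host: bash rejects the probe but uses an older export format, verify the package version"
    fi
    return 0
}
```

Run report_shellshock_status from a cron job and forward its output to the same event management tool that collects the process accounting records.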

This may be important not just for Mayhem, but all the attacks that are likely to follow. Experts warn that it won't take long now for criminals to weaponize Shellshock exploits en masse, because they'll likely follow the Mayhem model. Rather than create whole new classes of malware kits, they'll instead incrementally progress what they've got already to incorporate Shellshock into existing malware.

"The authors wouldn't throw away perfectly good and perfectly effective malware if they could help it," Kujawa says. "So you are going to see new features pushed into these tools to take advantage of vulnerabilities like Shellshock."

Although new software might be developed to help attackers scan for Shellshock vulnerabilities or to aid existing tools in exploiting them, don't expect a new malware family based on the Bash bug. Rahul Kashyap, chief security architect and head of security research for Bromium, says there are a number of logistical reasons why attackers are going to repurpose their existing kits.

"It's fairly easy to repackage the existing malware and bypass traditional security defenses, so there's not much real need to build the malware from scratch. A popular malware strain is already QA'ed by many people in the past, so its reliability is already determined," Kashyap says, adding, "in cases like Mayhem which have established botnets, it makes reusing existing malware even more lucrative as now the existing botnet can get bigger and more powerful."

When it comes down to it, it is not only easier to repackage well-known malware to leverage new flaws like Shellshock, it just makes business sense, says Martin Lee, technical lead for threat intelligence within Cisco's Talos Team.

"The attackers' business model is to compromise new machines in any way they can. If a new vulnerability can help them do that, then you can be certain that they exploit this," Lee says.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Robert McDougal, User Rank: Ninja
10/17/2014 | 11:21:05 AM
Re: #First
It is disturbing to see this, but not unexpected. This is the logical progression of the vulnerability. The goal here is to breach the perimeter and then attempt to exploit shellshock from the inside.
MalwareMustDie, User Rank: Apprentice
10/16/2014 | 1:16:05 AM
Please kindly mention our research entity's name
Please mention the entity's name of the "researchers" quoted in the article, we are called "Malware Must Die" at malwaremustdie.org

Thank you
anon8458197798, User Rank: Apprentice
10/13/2014 | 9:53:45 PM
#First
This was all only a matter of time. I was glad to see a BASH update hit my personal machine a few days after the announcement.