Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

Shellshock Mayhem Marks The Start Of Malware Mess

Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.

Making good on expert predictions that Shellshock vulnerabilities will hold some serious ramifications for Internet infrastructure before the year is out, researchers with MalwareMustDie last week reported that knowledge of the Bash bug has already been weaponized through Mayhem, an existing botnet malware kit. The evolution of Mayhem to take advantage of Shellshock proves how quickly criminals can mobilize on Shellshock when they use existing malware infrastructure.

Experts say the threat from Shellshock-enabled Mayhem is bad enough, but perhaps its bigger significance to security teams is its role as a bellwether.

"The key importance is not that Mayhem is the one and only thing to be aware of – the point is that Shellshock has now crossed the last key threshold for a vulnerability, in that it has moved out of theoretical or early stage use into wide, automated, easy exploitation," says Dr. Mike Lloyd, CTO for RedSeal Networks. "Risk is generally defined mathematically as the value of an asset times the probability of a bad thing happening to that asset; the second factor just went way up, and so risk has gone up right along with it.”

As Ron Gula, CEO for Tenable Network Security explains, Mayhem's danger comes from the combination of two exploits. The first is one that leverages a vulnerability that allows attackers to upload files to Linux servers via FTP. The second is one that uploads malicious files malformed to take advantage of Shellshock. In its previous incarnation, those were PHP scripts -- now it's an ELF library file that downloads malicious plug-ins that are hidden and encrypted and give attackers the means to attack other sites using the server.

"The issue is that most organizations don't connect a medium-level vulnerability such as arbitrary FTP file uploads with exploiting Shellshock," Gula says. "Also, many organizations may have done an audit of their systems and found that there were no scripts which could be exploited by Shellshock and moved on to other higher priorities."

As pundits have been saying all along, patching is critical to fighting the threat of Mayhem.

"While most enterprises should have already patched any *nix server that was Internet-facing, this particular turn of events -- which was expected -- should heighten patching efforts in order to protect corporate assets," says Mike Spanbauer of NSS Labs.

However, patching might not always be practical for servers.

"In many cases, a server might be running some unique and proprietary software, developed in house for whatever use the organization needs it for," says Adam Kujawa, head of malware intelligence for Malwarebytes Labs, who explains that the changes to Mayhem make the botnet have worm-like qualities. "Self-propagation is a dangerous feature in the malware world, especially when the method used to spread is new and can still do a lot of damage to the large amounts of unsecured servers out there."  

In cases where servers can't be patched, other layers of security through IPS, next-gen firewalls, and Web application firewalls will be important. Organizations might also want to consider increasing the level of command-line monitoring, Gula says.

"Normally, a patch would suffice, but it looks like there have been and will be more Shellshock-related security warnings coming forward. To increase command-line monitoring, process accounting should be enabled on their Linux systems such that all commands can be logged to a security event management tool," Gula says. "Also, if your Linux system supports locking down which commands certain accounts are allowed to run, this is also a great form of protection as well as monitoring. If a hacker or botnet were able to gain control of an account on a Web server, they may try to run an illegal command which is a very good form of detection." 

This may be important not just for Mayhem, but all the attacks that are likely to follow. Experts warn that it won't take long now for criminals to weaponize Shellshock exploits en masse, because they'll likely follow the Mayhem model. Rather than create whole new classes of malware kits, they'll instead incrementally progress what they've got already to incorporate Shellshock into existing malware.

"The authors wouldn't throw away perfectly good and perfectly effective malware if they could help it," Kujawa says. "So you are going to see new features pushed into these tools to take advantage of vulnerabilities like Shellshock."

Although there might be new software developed to help attackers to scan for Shellshock vulnerabilities or to aid existing tools in exploiting them, don't expect a new family based on the Bash bug. Rahul Kashyap, chief security architect and head of security research for Bromium, says there are a number of logistical reasons why attackers are going to repurpose their kits.

"It's fairly easy to repackage the existing malware and bypass traditional security defenses, so there's not much real need to build the malware from scratch.  A popular malware strain is already QA'ed by many people in the past, so its reliability is already determined," Kashyap says, adding, "in cases like Mayhem which have established botnets, it makes reusing existing malware even more lucrative as now the existing botnet can get bigger and more powerful."

When it comes down to it, it is not only easier to repackage well-known malware to leverage new flaws like Shellshock, it just makes business sense, says Martin Lee, technical lead for threat intelligence within Cisco's Talos Team.

"The attackers' business model is to compromise new machines in any way they can. If a new vulnerability can help them do that, then you can be certain that they exploit this," Lee says.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
Robert McDougal,
User Rank: Ninja
10/17/2014 | 11:21:05 AM
Re: #First
It is disturbing to see this, but not unexpected.  This is the logical progression of the vulnerability.  The goal here is to breach the perimeter and then attempt to exploit shellshock from the inside.
User Rank: Apprentice
10/16/2014 | 1:16:05 AM
Please kindly mention our research entity's name
Please mention the entity's name of the "researchers" quoted in the article, we are called "Malware Must Die" at malwaremustdie.org

Thank you
User Rank: Apprentice
10/13/2014 | 9:53:45 PM
This was all only a matter of time. I was glad to see a BASH update hit my personal machine a few days after the anouncement.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-27
A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database.
PUBLISHED: 2020-10-27
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
PUBLISHED: 2020-10-27
Check Point ZoneAlarm before version allows a local actor to escalate privileges while restoring files in Anti-Ransomware.
PUBLISHED: 2020-10-27
Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a vulnerability which allows an attacker with access to an intercluster LIF to cause a Denial of Service (DoS).
PUBLISHED: 2020-10-27
Check Point ZoneAlarm before version allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware.