Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/13/2014
06:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Shellshock Mayhem Marks The Start Of Malware Mess

Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.

Making good on expert predictions that Shellshock vulnerabilities will hold some serious ramifications for Internet infrastructure before the year is out, researchers with MalwareMustDie last week reported that knowledge of the Bash bug has already been weaponized through Mayhem, an existing botnet malware kit. The evolution of Mayhem to take advantage of Shellshock proves how quickly criminals can mobilize on Shellshock when they use existing malware infrastructure.

Experts say the threat from Shellshock-enabled Mayhem is bad enough, but perhaps its bigger significance to security teams is its role as a bellwether.

"The key importance is not that Mayhem is the one and only thing to be aware of – the point is that Shellshock has now crossed the last key threshold for a vulnerability, in that it has moved out of theoretical or early stage use into wide, automated, easy exploitation," says Dr. Mike Lloyd, CTO for RedSeal Networks. "Risk is generally defined mathematically as the value of an asset times the probability of a bad thing happening to that asset; the second factor just went way up, and so risk has gone up right along with it.”

As Ron Gula, CEO for Tenable Network Security explains, Mayhem's danger comes from the combination of two exploits. The first is one that leverages a vulnerability that allows attackers to upload files to Linux servers via FTP. The second is one that uploads malicious files malformed to take advantage of Shellshock. In its previous incarnation, those were PHP scripts -- now it's an ELF library file that downloads malicious plug-ins that are hidden and encrypted and give attackers the means to attack other sites using the server.

"The issue is that most organizations don't connect a medium-level vulnerability such as arbitrary FTP file uploads with exploiting Shellshock," Gula says. "Also, many organizations may have done an audit of their systems and found that there were no scripts which could be exploited by Shellshock and moved on to other higher priorities."

As pundits have been saying all along, patching is critical to fighting the threat of Mayhem.

"While most enterprises should have already patched any *nix server that was Internet-facing, this particular turn of events -- which was expected -- should heighten patching efforts in order to protect corporate assets," says Mike Spanbauer of NSS Labs.

However, patching might not always be practical for servers.

"In many cases, a server might be running some unique and proprietary software, developed in house for whatever use the organization needs it for," says Adam Kujawa, head of malware intelligence for Malwarebytes Labs, who explains that the changes to Mayhem make the botnet have worm-like qualities. "Self-propagation is a dangerous feature in the malware world, especially when the method used to spread is new and can still do a lot of damage to the large amounts of unsecured servers out there."  

In cases where servers can't be patched, other layers of security through IPS, next-gen firewalls, and Web application firewalls will be important. Organizations might also want to consider increasing the level of command-line monitoring, Gula says.

"Normally, a patch would suffice, but it looks like there have been and will be more Shellshock-related security warnings coming forward. To increase command-line monitoring, process accounting should be enabled on their Linux systems such that all commands can be logged to a security event management tool," Gula says. "Also, if your Linux system supports locking down which commands certain accounts are allowed to run, this is also a great form of protection as well as monitoring. If a hacker or botnet were able to gain control of an account on a Web server, they may try to run an illegal command which is a very good form of detection." 

This may be important not just for Mayhem, but all the attacks that are likely to follow. Experts warn that it won't take long now for criminals to weaponize Shellshock exploits en masse, because they'll likely follow the Mayhem model. Rather than create whole new classes of malware kits, they'll instead incrementally progress what they've got already to incorporate Shellshock into existing malware.

"The authors wouldn't throw away perfectly good and perfectly effective malware if they could help it," Kujawa says. "So you are going to see new features pushed into these tools to take advantage of vulnerabilities like Shellshock."

Although there might be new software developed to help attackers to scan for Shellshock vulnerabilities or to aid existing tools in exploiting them, don't expect a new family based on the Bash bug. Rahul Kashyap, chief security architect and head of security research for Bromium, says there are a number of logistical reasons why attackers are going to repurpose their kits.

"It's fairly easy to repackage the existing malware and bypass traditional security defenses, so there's not much real need to build the malware from scratch.  A popular malware strain is already QA'ed by many people in the past, so its reliability is already determined," Kashyap says, adding, "in cases like Mayhem which have established botnets, it makes reusing existing malware even more lucrative as now the existing botnet can get bigger and more powerful."

When it comes down to it, it is not only easier to repackage well-known malware to leverage new flaws like Shellshock, it just makes business sense, says Martin Lee, technical lead for threat intelligence within Cisco's Talos Team.

"The attackers' business model is to compromise new machines in any way they can. If a new vulnerability can help them do that, then you can be certain that they exploit this," Lee says.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/17/2014 | 11:21:05 AM
Re: #First
It is disturbing to see this, but not unexpected.  This is the logical progression of the vulnerability.  The goal here is to breach the perimeter and then attempt to exploit shellshock from the inside.
MalwareMustDie
50%
50%
MalwareMustDie,
User Rank: Apprentice
10/16/2014 | 1:16:05 AM
Please kindly mention our research entity's name
Please mention the entity's name of the "researchers" quoted in the article, we are called "Malware Must Die" at malwaremustdie.org

Thank you
anon8458197798
50%
50%
anon8458197798,
User Rank: Apprentice
10/13/2014 | 9:53:45 PM
#First
This was all only a matter of time. I was glad to see a BASH update hit my personal machine a few days after the anouncement.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12253
PUBLISHED: 2019-05-21
my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting.
CVE-2019-12250
PUBLISHED: 2019-05-21
IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log.
CVE-2019-12251
PUBLISHED: 2019-05-21
sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.
CVE-2019-10319
PUBLISHED: 2019-05-21
A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.
CVE-2019-10320
PUBLISHED: 2019-05-21
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.