Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

Shellshock Mayhem Marks The Start Of Malware Mess

Existing Mayhem botnet malware kit now includes Shellshock exploit -- and experts say that'll be the model for more enterprising criminals.

Making good on expert predictions that Shellshock vulnerabilities will hold some serious ramifications for Internet infrastructure before the year is out, researchers with MalwareMustDie last week reported that knowledge of the Bash bug has already been weaponized through Mayhem, an existing botnet malware kit. The evolution of Mayhem to take advantage of Shellshock proves how quickly criminals can mobilize on Shellshock when they use existing malware infrastructure.

Experts say the threat from Shellshock-enabled Mayhem is bad enough, but perhaps its bigger significance to security teams is its role as a bellwether.

"The key importance is not that Mayhem is the one and only thing to be aware of – the point is that Shellshock has now crossed the last key threshold for a vulnerability, in that it has moved out of theoretical or early stage use into wide, automated, easy exploitation," says Dr. Mike Lloyd, CTO for RedSeal Networks. "Risk is generally defined mathematically as the value of an asset times the probability of a bad thing happening to that asset; the second factor just went way up, and so risk has gone up right along with it.”

As Ron Gula, CEO for Tenable Network Security explains, Mayhem's danger comes from the combination of two exploits. The first is one that leverages a vulnerability that allows attackers to upload files to Linux servers via FTP. The second is one that uploads malicious files malformed to take advantage of Shellshock. In its previous incarnation, those were PHP scripts -- now it's an ELF library file that downloads malicious plug-ins that are hidden and encrypted and give attackers the means to attack other sites using the server.

"The issue is that most organizations don't connect a medium-level vulnerability such as arbitrary FTP file uploads with exploiting Shellshock," Gula says. "Also, many organizations may have done an audit of their systems and found that there were no scripts which could be exploited by Shellshock and moved on to other higher priorities."

As pundits have been saying all along, patching is critical to fighting the threat of Mayhem.

"While most enterprises should have already patched any *nix server that was Internet-facing, this particular turn of events -- which was expected -- should heighten patching efforts in order to protect corporate assets," says Mike Spanbauer of NSS Labs.

However, patching might not always be practical for servers.

"In many cases, a server might be running some unique and proprietary software, developed in house for whatever use the organization needs it for," says Adam Kujawa, head of malware intelligence for Malwarebytes Labs, who explains that the changes to Mayhem make the botnet have worm-like qualities. "Self-propagation is a dangerous feature in the malware world, especially when the method used to spread is new and can still do a lot of damage to the large amounts of unsecured servers out there."  

In cases where servers can't be patched, other layers of security through IPS, next-gen firewalls, and Web application firewalls will be important. Organizations might also want to consider increasing the level of command-line monitoring, Gula says.

"Normally, a patch would suffice, but it looks like there have been and will be more Shellshock-related security warnings coming forward. To increase command-line monitoring, process accounting should be enabled on their Linux systems such that all commands can be logged to a security event management tool," Gula says. "Also, if your Linux system supports locking down which commands certain accounts are allowed to run, this is also a great form of protection as well as monitoring. If a hacker or botnet were able to gain control of an account on a Web server, they may try to run an illegal command which is a very good form of detection." 

This may be important not just for Mayhem, but all the attacks that are likely to follow. Experts warn that it won't take long now for criminals to weaponize Shellshock exploits en masse, because they'll likely follow the Mayhem model. Rather than create whole new classes of malware kits, they'll instead incrementally progress what they've got already to incorporate Shellshock into existing malware.

"The authors wouldn't throw away perfectly good and perfectly effective malware if they could help it," Kujawa says. "So you are going to see new features pushed into these tools to take advantage of vulnerabilities like Shellshock."

Although there might be new software developed to help attackers to scan for Shellshock vulnerabilities or to aid existing tools in exploiting them, don't expect a new family based on the Bash bug. Rahul Kashyap, chief security architect and head of security research for Bromium, says there are a number of logistical reasons why attackers are going to repurpose their kits.

"It's fairly easy to repackage the existing malware and bypass traditional security defenses, so there's not much real need to build the malware from scratch.  A popular malware strain is already QA'ed by many people in the past, so its reliability is already determined," Kashyap says, adding, "in cases like Mayhem which have established botnets, it makes reusing existing malware even more lucrative as now the existing botnet can get bigger and more powerful."

When it comes down to it, it is not only easier to repackage well-known malware to leverage new flaws like Shellshock, it just makes business sense, says Martin Lee, technical lead for threat intelligence within Cisco's Talos Team.

"The attackers' business model is to compromise new machines in any way they can. If a new vulnerability can help them do that, then you can be certain that they exploit this," Lee says.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
Robert McDougal,
User Rank: Ninja
10/17/2014 | 11:21:05 AM
Re: #First
It is disturbing to see this, but not unexpected.  This is the logical progression of the vulnerability.  The goal here is to breach the perimeter and then attempt to exploit shellshock from the inside.
User Rank: Apprentice
10/16/2014 | 1:16:05 AM
Please kindly mention our research entity's name
Please mention the entity's name of the "researchers" quoted in the article, we are called "Malware Must Die" at malwaremustdie.org

Thank you
User Rank: Apprentice
10/13/2014 | 9:53:45 PM
This was all only a matter of time. I was glad to see a BASH update hit my personal machine a few days after the anouncement.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...