Honeypot Snares Two Bots Exploiting Bash Vulnerability

Two malware samples trying to exploit the Bash vulnerability, both DDoS bots, were snared in a honeypot belonging to AlienVault Labs.

A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability.

One sample is a repurposed IRC bot written in Perl that is trying to build a botnet to be used in distributed denial of service attacks (DDoS), said Jaime Blasco, director of AlienVault Labs. So far, he said, there are 715 victims and there are phrases written in Romanian in the source code.

“Those pieces of malware are really repurposed from previous attacks; they didn’t create them for this specific vulnerability,” Blasco said. “They just updated pieces of code to infect the system. We still need to know the attack vector.”

The other piece of malware downloads and executes an ELF (Executable and Linkable) binary that tries to steal system information from the compromised machine, including configuration data. It too is a DDoS bot, Blasco said. The sample tries to open a connection to a command and control server on 89[.]238[.]150[.]154 on port 5, but that server is down, Blasco said.

The malware supports a number of commands, including JUNK, UDP and TCP flood. It also comes packaged with a list of possible default username-password combinations, most likely to be used in brute-force attacks. Another sample on the same server, Blasco said, is similar except that it connects to 162[.]253[.]66[.]76 on port 53.

“We have been researching [how the malware spreads] but still don’t know,” Blasco said. “A lot of systems are vulnerable to Bash, but that doesn’t mean they are exploitable.

“The reason we set this up is because we knew this was going to happen,” he added. “We predicted more or less this type of malware attacks to launch DDoS.”

The Bash vulnerability was disclosed yesterday; Bash is the default command line shell for most Linux, UNIX and Mac OS X systems, and many hidden functions on these systems may call Bash, increasing the difficulty of assessing and patching vulnerable web servers and embedded devices.

Patches for Bash were quickly distributed by Red Hat, Ubuntu, CentOS, Debian and other Linux distributions, but this morning, reports were coming from Red Hat and others that the first round of patches were incomplete and updates were forthcoming.

Another exploit was reported this morning by a researcher going by the handle Yinette that was also trying to build a DDoS botnet. It is unclear whether this is related to either piece of code seen by AlienVault.

“With this malware, they can basically do what they want,” Blasco said. “Usually people use this for DDoS, but you can install virtually any other malware or steal information from servers and send more commands.”

While still in the early stages of the Bash saga, said the bug has the potential to get much worse.

“It depends if someone finds an exploit vector on a piece of software that’s highly used on the Internet,” Blasco said. “I heard there are some vulnerable cPanel sites.”

CPanel is a Linux-based web hosting control panel used for remote website administration. Security firm Securi reported today that an Internet scan it conducted found that 2.9 percent of sites were vulnerable.

“When we talk about millions of websites online, 2.9 percent is a lot,” said researcher Daniel Cid in a blogpost. “Just from our investigation, we found thousands of websites vulnerable and easily compromised. If you are using cPanel, you have to patch your servers right away.”

Dan Ingevaldson, CTO at Easy Solutions and one of the early members of the ISS X-Force at Internet Security Systems, said Bash is a bad combination of trouble for vulnerable systems: high impact, ease of exploit, low access complexity.

“The most obvious initial targets will be large hosting providers, which are riddled with bash-enabled administrative functions, as well as innumerable PHP-based forums, blogs, stores, etc. that will most likely contain some kind of bash-related vulnerability,” Ingevaldson said. “Everyone should watch their logs carefully—this exploit is noisily and easily logged—and patch as soon as possible. In addition, given the risk that the patches may not be effective, organizations should consider monitoring to ensure their devices are not being used to host phishing or other attacks.”

Suggested articles