The Mayhem malware piqued researchers’ interest earlier this summer after a published report from researchers at Russian search engine Yandex shed light on its ability to target Linux and UNIX machines and run under restricted privileges.
Generally, web servers are well guarded against remote exploits and attempts to gain a shell. Mayhem tries to break that mold: once a bot establishes backdoor communication with a centralized server, it uses a number of plug-ins to circumvent whatever controls are in place.
The bots carry a PHP script that drops a malicious object that connects with a command server. The command server can then send down eight plug-ins that include commands for brute-force password cracking, data exfiltration, file requests and finding other servers vulnerable to remote file inclusion.
Considering its hunger for *NIX systems, it’s no surprise that attackers have begun leveraging the Shellshock vulnerability in Bash to propagate Mayhem.
Researchers at Malware Must Die published a report this week saying they had detected a number of Linux and UNIX systems being infected from several IP addresses belonging to the Mayhem botnet. The bots were scanning Internet-facing systems for the Bash vulnerability, and once a scan hit paydirt, a new remote installer, written in Perl instead of PHP, was dropped onto the vulnerable machine.
“We [were] afraid this wave will come during the ‘shellshock,’ and it did,” the researchers wrote, adding that an ELF .so malware library is dropped on infected machines. “The .so binaries will be loaded in memory by LD_PRELOAD and stay resident to perform the further botnet operation.”
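A library that stays resident through LD_PRELOAD leaves two visible traces on a host: an entry in /etc/ld.so.preload, or an LD_PRELOAD variable in the environment of running processes. The following audit script is an added example for checking both, and is not code from the Malware Must Die report; the sample environ and config contents in the comments are constructed, and the `--scan` flag is this script's own convention.

```shell
#!/bin/sh
# Audit a Linux host for LD_PRELOAD-based resident libraries.
# Added example (not from the report above); /proc layout as on Linux.

# Print the LD_PRELOAD value from a NUL-separated environ file
# (the format of /proc/<pid>/environ). Returns 1 if it is unset.
preload_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p' | grep .
}

# List libraries named in an ld.so.preload-style file, one per line,
# ignoring comments and blank lines. Returns 1 if the file is absent
# or lists nothing. On a clean host /etc/ld.so.preload usually does
# not exist at all, so any entry deserves a look.
preload_from_config() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | tr -s ' \t' '\n' | grep .
}

# Walk /proc and print "<pid>\t<LD_PRELOAD value>" for every process
# whose environment carries the variable. Processes whose environ
# cannot be read (other users' processes without root) are skipped.
scan_running_processes() {
    for env in /proc/[0-9]*/environ; do
        pid=${env#/proc/}
        pid=${pid%/environ}
        val=$(preload_from_environ "$env" 2>/dev/null) || continue
        printf '%s\t%s\n' "$pid" "$val"
    done
}

# Run the full audit only when invoked as: sh audit_preload.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== /etc/ld.so.preload =="
    preload_from_config /etc/ld.so.preload || echo "(no entries)"
    echo "== processes with LD_PRELOAD set =="
    scan_running_processes
fi
```

Run it as root so every process's environ is readable; compare each reported library against package-owned files before deciding it is hostile, since some legitimate tooling (sandboxes, profilers) also uses LD_PRELOAD.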
The Malware Must Die report includes a list of IP addresses belonging to the botnet scanning for other vulnerable servers, as well as the IP address of the host serving the Mayhem Perl installer. Most of the scanning and attacking IP addresses are in the United States, with others scattered in 18 other countries.
“If Mayhem botnet uses shellshock, and this is a very serious threat, please work and cooperate together in good coordination in order to stop the source of the threat,” the report said.
Shellshock has been actively exploited since it was disclosed Sept. 24. Analysis of the vulnerability, and of Bash's behavior once it was patched, uncovered a half-dozen vulnerabilities in all, each of a different degree of severity.
Because Bash is the default command-line shell on Linux, UNIX and Mac OS X machines, the vulnerability is present in countless installations that must be patched. Major vendors such as Apple, VMware and leading Linux distributions have already pushed—in some cases, multiple—patches.
The vulnerability in Bash, also known as the Bourne Again Shell, allows an attacker to remotely drop executable code by exploiting a weakness in how Bash handles environment variables. When Bash imports a function definition from an environment variable, its internal parser keeps parsing and executing code well beyond the defined end of the function, meaning that if an attacker can find a vulnerable installation and append executable code to an environment variable, the web server will execute whatever code is attached.
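The behavior described above can be verified on a host without any network exposure: place a function definition followed by a trailing command in an environment variable, start the shell under test, and see whether the trailing command runs. The script below is an added example, not code from the article or from the researchers it cites; the variable name `probe`, the marker string, and the exit-code convention (0 vulnerable, 1 patched, 2 shell not found) are this script's own assumptions. A patched Bash ignores the trailing command, so the marker never appears in the output.

```shell
#!/bin/sh
# Local patch-status check for the Bash function-import flaw.
# Added example; conventions below are this script's own.

# shellshock_check [shell]
#   Returns 0 if the named shell executes code placed after an
#   imported function definition (unpatched), 1 if it does not
#   (patched), 2 if the shell binary cannot be found.
shellshock_check() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || return 2
    marker="SHELLSHOCK_MARKER_$$"        # constructed sentinel string
    # The variable carries a no-op function body followed by a
    # trailing command; only an unpatched parser runs the trailer.
    out=$(env probe="() { :; }; echo $marker" "$shell" -c 'echo harmless' 2>/dev/null)
    case $out in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable report when run directly: sh check_bash.sh --run [shell]
if [ "${1:-}" = "--run" ]; then
    rc=0
    shellshock_check "${2:-bash}" || rc=$?
    case $rc in
        0) echo "UNPATCHED: trailing code after the function definition was executed" ;;
        1) echo "patched: trailing code was ignored" ;;
        2) echo "shell not found: ${2:-bash}" ;;
    esac
fi
```

Because the check only spawns a child shell on the local machine, it is safe to run from configuration-management or inventory tooling across a fleet; a non-zero marker hit is the signal to prioritise that host for the vendor update.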