Shellshock Worm Exploiting Unpatched QNAP NAS Devices

A worm exploiting the Bash vulnerability in QNAP network attached storage devices has been discovered. The attack opens a backdoor and for now is carrying out a click-fraud scam against JuiceADV.

A worm exploiting network attached storage devices vulnerable to the Bash flaw is scanning the Internet for more victims.

The worm opens a backdoor on QNAP devices, but to date it appears the attackers are using the exploit to run a click-fraud scam, in addition to maintaining persistence on owned boxes.

“The goal appears to be to backdoor the system, so an attacker could come back later to install additional malware,” said Johannes Ullrich, head of the Internet Storm Center at the SANS Institute.

QNAP of Taiwan released a patch in October for the Bash vulnerability in its Turbo NAS products. Like many other vulnerable products and devices, owners may not be aware that Bash is present and exposed. Bash was among a litany of Internet-wide vulnerabilities uncovered this year; the flaw in Bash, or Bourne Again Shell, affects Linux and UNIX distributions primarily, but also Windows in some cases. Bash is accessed, often quietly, by any number of functions which makes comprehensive patching difficult even though all major Linux distributions and most vendors have issued patches.

Ullrich said the risks are significant to organizations running QNAP, which are used as shared drives or for backups or virtual machines.

“By having access to the QNAP device, an attacker may have access to an entire organizations infrastructure. It also provides a beachhead inside a company to attack additional resources,” Ullrich said. “Earlier this year, a similar exploit against Synology devices (a QNAP competitor) was exploited by ransom ware that went ahead and encrypted the device’s data.”

With Bash quietly invoked in functions, organizations may not be aware of the availability of a patch.

With Bash quietly invoked in functions, organizations may not be aware of the availability of a patch.

“Unless you log in to the admin interface of the device, you will not know that there is a patch waiting to be installed,” Ullrich said. “It does require a reboot of the device, which doesn’t take long, but if the device is for example used as an iSCSI target in a virtual environment, then all the virtual machines using it have to be taken down, or moved to a different device, which is complex and time consuming (and may result in a disruption of services from these virtual devices).”

The worm in question targets a QNAP CGI script /cgi-bin/authLogin.cgi, which has been targeted by Shellshock exploits in the past, a SANS Institute advisory said. The script can be accessed without authentication and the attackers in this case then launch a shell script capable of downloading additional malware.

“In order to exploit shellshock, the attacker needs to find a script that runs a bash command. This CGI script is not a bash script itself, but it calls bash to verify the users credentials (the script is used to log in the user),” Ullrich said. “So not only does it call a bash script, but it does so before the user is authenticated, so the attacker does not have to guess credentials.”

SANS published two hashes used in the attack, which uses a click-fraud script against the JuiceADV advertising network, which then uploads to ppoolloo[.]altervista[.]com.

“It is more a server used to receive the credentials from the infected system. It could allow the attacker later to figure out which systems are compromised and how to connect to them,”Ullrich said of the upload domain. “It is not a full-fledged command and control server in that it doesn’t appear to send any commands nor does the infected system poll for updates from this host. Right now, I don’t think that host is up anymore.”

The script also creates a hidden directory where it stores downloaded scripts and files. Once on a compromised machine, it sets the DNS server to and creates an SSH server on port 26.

“The DNS change is likely made to avoid logging and potentially blacklisting of any affected domains,” Ullrich said. “The SSH server is a second SSH server that is being launched, in addition to the normal SSH server on port 22. This second SSH server, and the additional user added to the system, provides the attacker with persistent access to the system.”

For additional persistence and exclusivity to compromised machines, the script also downloads and installs the Shellshock patch from QNAP.

“The attacker would like to maintain access to the system,” Ullrich said. “Any attacker can use the shellshock vulnerability and the ‘first’ attacker attempts to lock out additional attackers from taking control of the system.”

Suggested articles