Malware is prepared for brute-force attacks too

Sep 26, 2014 08:00 GMT

Two pieces of malware exploiting the newly disclosed vulnerability in Bash, the default command interpreter on Linux, have been discovered in the wild; both are used to conduct distributed denial-of-service (DDoS) attacks.

One of the threats is an IRC bot that appears to have been adapted to leverage the Bash bug dubbed Shellshock, and the attackers behind it are Romanian speakers.

Researchers from AlienVault captured the two pieces of malware through their honeypots, to which a module had been added specifically for attacks relying on the Shellshock bug.

ELF binary has hard-coded list of usernames and passwords

One of the threats detected by the researchers is an ELF (Executable and Linkable Format) binary that lets malicious actors use the infected machine in DDoS attacks.

Director of AlienVault Labs, Jaime Blasco, said that once the binary is executed, it would try to obtain details about the affected system, including the number of CPUs and the network configuration.

All the information would then be sent to a command and control (C&C) server located in the United Kingdom. The commands supported by the malware include JUNK, UDP and TCP flood.

It appears that the attackers prepared the threat for brute-force attacks too, as they also included a list of common usernames and passwords.

Another sample of the same threat has also been caught by the security researchers, the difference being that it attempted to connect to a different C&C server.

PERL-based IRC bot makes more than 700 victims

The other malicious file hitting the AlienVault honeypots is an IRC bot written in PERL that connects to an IRC server and waits for commands from the attackers. This is also used for creating a denial-of-service condition on a target.

Initially, researchers found 715 users connected to the server, but the number later grew by 20 more connections.

After victims join the IRC server, “the attackers are executing the command ‘uname -a’ to determine the operating system that is running on the victim as well as ‘id’ to check the current username,” Blasco says in a blog post.

Judging by the messages on the IRC channel, AlienVault concluded that the attackers were Romanian speakers.

These are not the first signs of the Shellshock vulnerability (CVE-2014-6271) being exploited in the wild: reports from Sucuri and other researchers confirm that attacks exploiting it against web servers are increasing rapidly.

Online tools are already available for checking whether websites are susceptible to the Shellshock attack.
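For administrators who would rather verify their own hosts than rely on an online tool, the following POSIX shell function is an added example (not code from the article or from AlienVault) that runs the well-known CVE-2014-6271 probe against the local bash: it exports an environment variable containing a function definition followed by a trailing command, then reports whether that trailing command was executed. The variable name `probe` and the marker string are constructed for this example.

```shell
#!/bin/sh
# Report whether the local bash still executes commands smuggled after a
# function definition in an environment variable (CVE-2014-6271).
# Prints "vulnerable", "patched" or "no-bash"; exit status 1, 0 or 2.
# Assumes bash is on PATH; nothing is sent over the network.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # Constructed probe: a function body ("() { :;}") followed by a trailing
    # command. A patched bash ignores the trailing command, so the marker
    # only appears on stdout when the interpreter is still vulnerable.
    out=$(env probe='() { :;}; echo SHELLSHOCK_TRAILING_CMD_RAN' \
          bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_TRAILING_CMD_RAN*) echo "vulnerable"; return 1 ;;
        *)                             echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: print the verdict and propagate the exit status.
shellshock_check
```

Run it again after applying the vendor patch to confirm the fix took effect on every host that exposes bash to untrusted input (CGI scripts, SSH forced commands, DHCP clients).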

Moreover, DDoS botnets attempting to use this bug have been observed in the wild by security firm Blue Coat, according to Waylon Grange.

Patches are available for Ubuntu (14.04 LTS, 12.04 LTS and 10.04 LTS), CentOS (5 through 7) and Debian, and users are strongly advised to apply them as soon as possible.