14 DAY TRIAL // A new malicious operation that seeks to enslave hosts vulnerable to the Shellshock bug for Bash, the default command shell found in many Linux and Unix systems, has been observed by security researchers this week.
Disclosed in late September 2014, Shellshock is a serious vulnerability that allows an attacker to execute arbitrary commands in Bash by appending them after a variable function.
The shell is used in numerous services open to the Internet, such as web servers, which makes the security flaw a significant one. By comparison, its impact rivals the one Heartbleed had.
Despite patches being available and extensive media coverage, the Shellshock fix has not been applied by all administrators, leaving their machines vulnerable to cyber attacks.
In mid-November 2014, threat actors were still scanning for vulnerable machines and were successful at compromising them. In December, they focused on QNAP NAS (network attached storage) devices and gained access to those that had not been patched.
Romanian actors possibly involved in the operation
It looks like cybercriminals started to scan for vulnerable machines again, as security researchers at Volexity observed on Wednesday a dramatic increase in frequency and breadth in searching for Internet devices that are still susceptible to Shellshock exploits.
The malware observed by the experts comes with script that has a list of 26,356 IP addresses which are used for scanning purposes with an ELF scanning binary.
“Based on the contents of the file, it appears to be a modified version of a file called mass.c referenced as sslvuln.c that was found on a Romanian website,” Steven Adair from Volexity wrote in a blog post.
The suspicion that Romanian actors were at least involved in modifying the components of the malware seems to be confirmed by a string in the binary that says “Nu Pot Deschide%,” which in English means “Can’t open it.”
Crooks slow down their activity
Once a vulnerable machine is found, it is compromised and added to the scanning network. A list with all the hosts that have been found to be vulnerable and those that have been infected is delivered to the attacker.
Adair says that the most reliable indicator of malicious activity is outbound communication to 109.228.25.87 IP address, which hosts a TAR archive with the necessary scripts for finding and infecting machines.
In an update to the original blog post, though, Adair says that the malicious files are no longer stored at 109.228.25.87 and that scanning appears to have toned down significantly.