Spread of Linux botnet Mayhem through Shellshock Vulnerability

Source: Internet
Author: User

Spread of Linux botnet Mayhem through Shellshock Vulnerability

The impact of Shellshock continues: attackers are exploiting the vulnerability found in the recent Bash command line interpreter to infect Linux servers through the complex malware program Mayhem.

Mayhem was found earlier this year to have been thoroughly analyzed by the Russian Internet company Yandex. The malware is installed using a PHP script that is uploaded to the server by attackers infected with FTP passwords, website vulnerabilities, or brute-force cracking of website management logon creden.

The main component of Mayhem is a malicious ELF library file. After installation, this file downloads additional plug-ins and stores them in a hidden encrypted file system. These plug-ins allow attackers to use newly infected servers to attack and infect other websites.

In February July, Yandex researchers estimated that the botnet had approximately 1400 infected servers linked to two independent command control servers.

Researchers from the independent research company Malware Must Die (MMD) reported earlier this week that Mayhem writers have added the Shellshock vulnerability to exploit the botnet's weapons library.

Shellshock is a general term for multiple vulnerabilities recently discovered in the LinuxBash command line interpreter. These vulnerabilities can be exploited to execute remote code on the server. through several attack vectors, including CGI (Public Gateway Interface), OpenSSH, and DHCP (Dynamic Host Configuration Protocol ), in some cases, there may even be OpenVPN.

According to researchers at MMD, The Shellshock attack originating from the Mayhem botnet targets web servers with CGI support. Botnets detect whether web servers are vulnerable to Bash attacks and then use them to execute Perl scripts.

The script has a malicious Mayhem ELF binary file for 32-bit and 64-bit CPU architectures. These architectures are embedded as hexadecimal data and use the LD_PRELOAD function to extract and run them.

Like previous versions, it creates a hidden file system to store its additional components and plug-ins. These tools can be used to scan and attack other systems. MDL researchers believe that a component in these components has been upgraded to exploiting the new Shellshock vulnerability, but has not yet been confirmed.

However, this theory is not a plug-in. It turns out that some of the observed Shellshock attacks are originated from the IP (Internet Protocol) addresses related to the existing Mayhem botnet, in addition to new IP addresses from the UK, Indonesia, Poland, Austria, Australia, and Sweden. MMD has shared the information it has collected to the National Computer Emergency Response Team (CERTs ).

Most Linux distributions have released patches to fix the Shellshock vulnerability. However, many web servers, especially self-managed servers, have not been configured to automatically deploy updates. Many Linux-based enterprise products and embedded devices, including web servers, are vulnerable to the Shellshock vulnerability. If these products do not have patches installed or are not available, they may all become targets of attacks.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.