A new BASHLITE variant infects devices running BusyBox

Pierluigi Paganini November 16, 2014

A new variant of the BASHLITE malware exploiting the ShellShock vulnerability was used by cyber criminals to infect devices that use BusyBox software.

A new strain of the BASHLITE malware was detected by experts at Trend Micro shortly after the public disclosure of the ShellShock bug.

The malware, named ELF_BASHLITE.A (ELF_FLOODER.W), includes the payload of the ShellShock exploit code and it had been used by threat actors to run distributed denial-of-service (DDoS) attacks.
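The ShellShock payload the article refers to rides on the way Bash parsed exported function definitions (CVE-2014-6271): a client-controlled value such as an HTTP User-Agent that begins with `() {` is handed to a CGI script's environment and executed. The following detection script is an added example, not code from the article or from Trend Micro; it parses constructed web-server access-log lines (combined log format, sample IPs from the documentation ranges) and flags requests whose logged fields carry that function-definition prefix, then counts attempts per source address.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the article). Two lines from
# 203.0.113.7 carry the ShellShock trigger prefix "() {" in the User-Agent.
SAMPLE_LOG = r'''
203.0.113.7 - - [16/Nov/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.3 - - [16/Nov/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [16/Nov/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { ignored; }; uname -a"
192.0.2.44 - - [16/Nov/2014:10:02:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.38.0"
'''

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The vulnerable Bash versions treated any environment variable whose value
# starts with "() {" as a function definition; that prefix is the signature.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Return one hit per request whose request line, referer or user-agent
    carries the ShellShock function-definition prefix."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ('ua', 'ref', 'req'):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'field': field, 'value': rec[field]})
                break  # one hit per request is enough
    return hits


def attempts_per_source(hits):
    """Count flagged requests per client address, for prioritising blocks or tickets."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = find_shellshock_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} field={h['field']} value={h['value']!r}")
    print(attempts_per_source(found))
```

The access log only preserves the request line, referer and user-agent, so this catches the most common delivery vector; on a server with a fuller request log every client-supplied header (Cookie, Host, custom headers) should be run through the same check, since any of them can end up as a CGI environment variable.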

The new ELF_BASHLITE.A variant is able to infect devices running BusyBox, a software package that provides many Unix tools in a single executable file. BusyBox is designed for embedded operating systems; many routers and other network appliances run it to support maintenance activities.

“We observed that recent samples of BASHLITE (detected by Trend Micro as ELF_BASHLITE.SMB) scan the network for devices/machines running on BusyBox, and log in using a set of usernames and passwords (see figure 4 below). Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system,” Rhena Inocencio, threat response engineer at Trend Micro, wrote in a blog post.

The new BASHLITE variant is able to identify systems running BusyBox and hijack them. The attack scenario is simple: the malicious code first scans the network for the application, then attempts to log in to the devices it finds using a set of credentials from a predefined dictionary. The list of passwords includes “root,” “admin,” “12345,” “pass,” “password” and “123456.”

[Figure: the username and password list BASHLITE tries against BusyBox devices]

Once the malware has gained access to the device, it runs a command to download and execute two scripts, bin.sh and bin2.sh, gaining control over the BusyBox system.

“Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system. BusyBox is built on top of the Linux kernel and used by small devices such as routers. Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive.”

Trend Micro urges administrators to change the default settings of their network devices and, where possible, disable the remote shell to prevent this kind of exploitation.

In October, experts at Malware Must Die detected numerous attacks worldwide exploiting the Bash Bug flaw to spread the Mayhem botnet.

The experts maintain that attacks using the exploit could top 1 billion in a short time; for this reason the major IT firms started releasing software updates to patch their products and prevent exploitation of the ShellShock flaw.

Unfortunately, there are many reasons that can hinder patching, and many systems remain vulnerable to this kind of attack.

The most recent high-profile victim was BrowserStack, the cross-browser testing service: one of its servers was compromised with a ShellShock exploit that allowed attackers to access customer data.

Pierluigi Paganini

(Security Affairs – ShellShock, BASHLITE)

