The experts at SANS Internet Storm Center experts discovered a a new Shellshock Botnet campaign that is targeting SMTP gateways worldwide.
A new wave of attacks exploiting the ShellShock flaw is targeting the SMTP servers worldwide, according to a post published by the SANS Internet Storm Center. The SANS explained that the payload is an IRC Perl bot with simple DDoS commands that could be used to fetch and execute additional malicious code.
The new Shellshock campaign is targeting SMTP gateways, searching for vulnerable MTAs / MDAs, the attackers use to hide the malicious code into the message’s headers.
The attackers are including the following code in several message fields, including the “To:” field, “From:” field, “Subject” field, “Date:” field, “Message ID:” and others.
The Shellshock vulnerability is continuing to create problems more than a month after it was publicly disclosed, threat actors are exploiting the BashBug vulnerability to serve a malicious a perl script onto targeted machines.
The script is used by attackers to recruit the computer in a botnet that receives is controlled over IRC, said a post on the Binary Defense Systemswebsite.
“The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields,” is reported on the Binary Defense Systemswebsite. “Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.”
In the following image is reported the original email used in the attacks and containing the initial ShellShock payload:
“It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS added.
Security experts have detected numerous attacks worldwide that were exploiting the Shellshock flaw, including attacks against VOIP systems and campaign to spread the malware like the Mayhem botnet.
A honeypot run by experts at AlienVault Labs has detected two separate strains of malware attempting to exploit the ShellShock vulnerability just 24 hours of the disclosure.
In September, security experts at researchers at FireEye published details on several proof-of-concept scripts which exploit the Shellshock bug.
“We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” FireEye wrote.
As explained many times, many hidden functions on Linux/Unix-based systems could be affected because they may invoke the flawed Bash, it is quite complex to patch the overall amount of the vulnerable machine in a short time, and cyber criminals know this.
The situation is particularly critical for the Internet of Thinks devices, for which in many cases isn’t available an upgrade or it is impossible to apply any update.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.