Researchers at AlienVault Labs have run a honeypot and discovered two different malware infections that are trying to exploit the Bash vulnerability. One is an IRC bot that was not written specifically for the Bash vulnerability; instead it has been repurposed to build a botnet for DDoS attacks. The number of victims is 715 so far. The experts have discovered fragments of the code written in Romanian.
The other malware’s function is to download and execute an ELF binary, which aims to steal configuration data and system information from the compromised computer. This piece of malware is also a bot; a sample of it reportedly tries to open a connection to a C&C server at 89[.]238[.]150[.]154 on port 5, but that server is down.
The commands that the malware supports include UDP, JUNK and TCP flood. It also ships with a list of likely default username and password combinations, which the researchers suspect may be used in brute-force attacks. The experts are trying to figure out exactly how the malware spreads, but have not yet determined it.
The Bash vulnerability was recently announced. Bash is the command-line shell on most Mac OS X, UNIX and Linux systems. Many less visible components on those systems invoke Bash behind the scenes, which makes it even harder to assess and patch vulnerable web servers and embedded devices. Red Hat, CentOS, Ubuntu, Debian and others distributed patches for Bash as quickly as possible, but, unfortunately, the first round was reported to be incomplete.
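Because the first round of patches was incomplete, administrators need a quick way to confirm whether a given host still carries the original flaw. The bug itself is not detailed on this page, but it is well established: affected Bash versions imported shell function definitions from environment variables and went on to execute any command that followed the function body. The script below is an added example for this article, not code from AlienVault or any vendor; it runs a harmless probe against the local bash and reports "vulnerable", "patched" or "no-bash". The variable name "probe" and the marker string "INJECTED" are arbitrary choices. A "patched" result only covers the original function-import issue, not the follow-up parser bugs that made the first patches incomplete, so treat it as necessary rather than sufficient and confirm the installed package version with your distribution.

```shell
#!/bin/sh
# Added example: read-only check for the Bash function-import flaw on the
# local machine. Nothing is modified; the probe only echoes a marker string.

# Report the bash version string (first line only), or "none" if bash is absent.
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash --version 2>/dev/null | head -n 1
    else
        echo "none"
    fi
}

# Returns (on stdout) one of: vulnerable | patched | no-bash
bash_import_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Export a variable whose value looks like an empty function definition
    # followed by an extra command. A vulnerable bash executes that trailing
    # command while importing the environment; a fixed bash ignores it
    # (newer versions do not import plain variables as functions at all).
    out=$(env probe='() { :;}; echo INJECTED' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *INJECTED*) echo "vulnerable" ;;
        *)          echo "patched" ;;
    esac
}

# Stand-alone run: print the version and the verdict for this host.
echo "bash: $(bash_version)"
echo "function-import check: $(bash_import_check)"
```

To audit a fleet, run the script over SSH on each host and collect the last line; any "vulnerable" result means the host has not received even the first patch, and every host should additionally be checked against the distribution's fixed package versions for the later bugs.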
A researcher going by the nickname Yinette reported another exploit that also tried to build a DDoS botnet. It is still not clear if it is somehow connected to either of the malware pieces discovered by AlienVault.
In the AlienVault researchers’ opinion, the hackers can install basically any type of malware and steal any kind of data from servers. Specialists see enormous potential in the bug and expect things to get much worse, for example if someone discovers an exploit vector in software that is widely used on the Web. Apparently there are vulnerable cPanel websites, and cPanel users are urged to patch their servers as quickly as possible.
cPanel is a Linux-based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. (Wikipedia definition)
The results of an Internet scan conducted by security firm Sucuri show that 2.9% of websites are vulnerable and easy to compromise. Experts believe that attackers exploiting the Bash bug will most probably target large hosting providers, PHP-based forums, stores, blogs, etc. Large organizations are advised to consider monitoring and to make sure that company devices are not being used as hosts for phishing campaigns.