Linux botnet ‘Mayhem’ spreads through Shellshock exploits - fieldsbespoormsed

Shellshock continues to reverberate: Attackers are exploiting recently discovered vulnerabilities in the Bash command-line interpreter in order to infect Linux servers with a sophisticated malware program known as Mayhem.

Mayhem was discovered earlier this year and was thoroughly analyzed by researchers from Russian Internet firm Yandex. It gets installed through a PHP script that attackers upload to servers via compromised FTP passwords, website vulnerabilities or brute-forced site administration credentials.

Mayhem's main component is a malicious ELF (Executable and Linkable Format) library file that, after installation, downloads additional plug-ins and stores them in a hidden and encrypted file system. The plug-ins enable attackers to use the newly infected servers to attack and compromise other sites.

In July, the Yandex researchers estimated that the botnet consisted of around 1,400 infected servers that connected to two separate command-and-control servers.

Researchers from independent research outfit Malware Must Die (MMD) reported earlier this week that Mayhem's authors have added Shellshock exploits to the botnet's arsenal.

Shellshock is the collective name for several vulnerabilities discovered recently in the Linux Bash command-line interpreter. They can be exploited to achieve remote code execution on servers through several attack vectors, including CGI (Common Gateway Interface), OpenSSH, DHCP (Dynamic Host Configuration Protocol) and even OpenVPN in some cases.


A Symantec infographic explaining how the Shellshock Bash bug works.

The Shellshock attacks originating from the Mayhem botnet target Web servers with CGI support. The bots probe Web servers to determine if they're vulnerable to the Shellshock flaws and then exploit them to execute a Perl script, according to the MMD researchers.

The script has the malicious Mayhem ELF binary files for both 32-bit and 64-bit CPU architectures embedded in it as hexadecimal data and uses the LD_PRELOAD mechanism to extract and run them on the system, the researchers said in a blog post.
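Because the CGI vector works by copying HTTP headers into Bash's environment, the probes described above leave a recognisable marker (a Bash function definition, `() {`) in request headers. The following scanner over Web server access logs is an added example for defenders, not code from the article or from MMD; the log lines are constructed samples, and the Apache "combined" log format is assumed.

```python
import re
from dataclasses import dataclass

# Shellshock payloads smuggle a Bash function definition into an environment
# variable; CGI copies HTTP headers into the environment, so the definition
# marker "() {" inside a header is the signature. The regex tolerates the
# spacing variants seen in real traffic, e.g. "(){" and "( ) {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" log format (assumed); only the needed fields are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str      # source address of the suspicious request
    field: str   # which header carried the marker: ua, referer or path
    path: str    # requested URL, useful for spotting targeted CGI scripts

def scan_line(line):
    """Return a Hit if the log line carries the Shellshock marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    for field in ("ua", "referer", "path"):
        if SHELLSHOCK_RE.search(m.group(field)):
            return Hit(m.group("ip"), field, m.group("path"))
    return None

def scan(lines):
    return [h for h in (scan_line(ln) for ln in lines) if h]

# Constructed sample log lines (not real traffic): a benign request, a probe
# carrying the marker in the User-Agent, and one carrying it in the Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2014:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2014:12:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; echo probe"',
    '198.51.100.9 - - [10/Oct/2014:12:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){ :; }; echo probe" "curl/7.30"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ip}: Shellshock marker in {hit.field}, request for {hit.path}")
```

A hit on a host whose Bash is already patched is still worth recording: repeated probes from one address are the reconnaissance phase the article describes, and the source IPs can be compared with known Mayhem bot addresses.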

Like the earlier version, it creates a hidden file system where it stores its additional components, plug-ins that are used for various types of scanning and attacks against other servers. The MMD researchers suspect that one of those components has been updated to use the new Shellshock exploits, but haven't confirmed it yet.

However, this hypothesis is supported by the fact that some of the observed Shellshock attack attempts have originated from IP (Internet Protocol) addresses associated with existing Mayhem bots, in addition to new IP addresses from a variety of countries including the U.K., Indonesia, Poland, Austria, Australia and Sweden. MMD has shared the information it has gathered with national computer emergency response teams (CERTs).

Most Linux distributions have already issued patches for the Shellshock vulnerabilities, but many Web servers, especially self-managed ones, are not configured to deploy updates automatically. There are also many Linux-based enterprise products and embedded devices that include Web servers and are vulnerable to Shellshock. These can also be a target if patches for them haven't been deployed or are not yet available.

Source: https://www.pcworld.com/article/435787/linux-botnet-mayhem-spreads-through-shellshock-exploits.html

Posted by: fieldsbespoormsed.blogspot.com
