Security Experts:

ShellShock Exploits Used in Expansion of 'Mayhem' Linux Botnet

Cybercriminals are expanding the Linux botnet dubbed "Mayhem" by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

The Mayhem malware, a multipurpose threat targeting Linux and UNIX Web servers, was first analyzed in May by the Malware Must Die research group. In July, researchers at the Russian Internet company Yandex published a detailed paper on the botnet. Based on data from two command and control (C&C) servers, the experts identified roughly 1,400 compromised machines.

Malware Must Die has been monitoring the botnet and found that cybercriminals are currently attempting to expand it with the aid of ShellShock, the set of Bash flaws that can be leveraged to execute arbitrary code on affected servers.

According to researchers, the attackers first scan servers to see if they are vulnerable to ShellShock. When a vulnerable device is found, the Bash bug is exploited to download a malware installer written in Perl. In the past, this installer was a PHP script, Malware Must Die pointed out.

Once the threat is installed on a system, it creates a hidden file system where it stores its components, including the plugins it uses to carry out tasks such as brute-force attacks and data theft.

As of October 11, Malware Must Die had identified a total of 53 IP addresses involved in such attacks, with 25 of them located in the United States. The attacks have been traced back to a total of 23 countries.

"These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots)," Malware Must Die wrote in a blog post.

"Many of today's enterprises have adopted public cloud-based services that run on systems that can be infected by Mayhem, but the enterprise has no visibility into whether servers have been patched, no ability to dictate patch schedules, and no visibility into whether exploits of Mayhem have resulted in theft of their data or user credentials," Rich Campagna, VP of products at Bitglass, told SecurityWeek. "The operational benefits of moving to the public cloud are not without tradeoffs for the enterprise, specifically loss of security and visibility. Enterprises must keep in mind that outsourcing an application to the cloud does not mean that they have outsourced responsibility for protection of their data."

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.