Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox

Malware Using Shellshock Vulnerability

Malware Using Shellshock Vulnerability

A new version of the BASHLITE malware is designed to scan compromised networks for devices that use BusyBox and attempts to gain control of them by leveraging the recently disclosed GNU Bash vulnerability referred to as ShellShock.

The first variant of BASHLITE, detected as ELF_BASHLITE.A (ELF_FLOODER.W), was spotted by Trend Micro shortly after the existence of the ShellShock bug came to light. The threat, which was the payload of the ShellShock exploit code, had been used to launch distributed denial-of-service (DDoS) attacks.

ELF_BASHLITE.A checked to see if infected devices were running BusyBox, a set of programs needed to run a Linux system. BusyBox is designed for embedded operating systems such as the ones running on routers.

A newer version of BASHLITE spotted by Trend Micro researchers (ELF_BASHLITE.SMB) is designed not only to identify systems running BusyBox, but to also hijack them.

The malware first scans the network for BusyBox devices and attempts to access them by using a predefined list of usernames and passwords. The list of passwords includes “root,” “admin,” “12345,” “pass,” “password” and “123456.”

“Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system,” Rhena Inocencio, threat response engineer at Trend Micro, wrote in a blog post on Thursday. “Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive.”

Trend Micro advises administrators to make sure they change the default credentials on their network devices and disable remote shell if possible.

The ShellShock vulnerability was disclosed on September 24 and by September 30 security firms estimated that attacks using the exploit could top 1 billion. In mid-October, researchers reported that the Linux botnet known as Mayhem was also leveraging ShellShock to expand.

Advertisement. Scroll to continue reading.

In the month following the disclosure of the flaw, several high-profile companies started releasing software updates to patch their products. However, as expected, many systems remain unpatched, allowing cybercriminals to abuse them.

Earlier this week, the cross-browser testing service BrowserStack revealed that cybercriminals breached an unpatched server using ShellShock and ultimately gained access to customer information. The hackers obtained email addresses which they used to tell customers that the service was shutting down.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...