report / Oct 10, 2014

Shellshock: Malicious Bash, Obfuscated perlb0t, Echo Probes, and More

by Maxim Zavodchik, Oz Elisyan

Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to the underlying system shell, Bash. The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked. It's been rated the highest risk possible because remote command execution is potentially very, very dangerous.

Once the "Shellshock" vulnerability opened the door to run arbitrary commands on any CGI server out there, different entities tried to realize their diverse intentions.

The magic string that opened this door in almost all cases was:

() { :;};

A variation of this was entering a single word within the curly brackets instead of the "no operation" keyword:

() { foo;};

In some very rare cases it might look like this:

() {echo "Hello World";};

Although the exploit may be delivered in different HTTP headers (the ones the CGI converts to environment variables), "User-Agent" is used in most cases.

From our observations, the payload that is delivered (the actual commands that are executed) once the vulnerability is exploited has several intentions. The simplest are the "echo" probes, which just send a vector containing a certain string and expect to see it in the server's response, or the "ping back" probes, which inject a ping command and expect to see the server pinging them. Usually, these are scanners indexing the vulnerable servers out there. Others send shell commands, mostly for information gathering, such as the "uname" or "id" commands, while there might be more aggressive vectors reading sensitive files, such as "/etc/shadow", or creating dummy files on the file system.
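The header and payload observations above can be turned into a simple detection check. The following Python sketch is an added example, not code from the report: it looks for the function-definition prefix in any header value and assigns a coarse payload category. The category names, the inspect_headers function and the sample requests are constructed for illustration.

```python
import re

# Function-definition prefix from the report: "() {", any body, "}", optional ";".
# Whitespace is tolerated so all three variations shown above are matched.
FUNC_DEF = re.compile(r"\(\)\s*\{[^}]*\}\s*;?")

# Coarse categories following the report's description (labels are assumed names).
# Order matters: "echo" is checked last because it often accompanies other commands.
CATEGORIES = [
    ("ping-back probe", re.compile(r"\bping\b")),
    ("sensitive file read", re.compile(r"/etc/shadow")),
    ("information gathering", re.compile(r"\b(uname|id)\b")),
    ("echo probe", re.compile(r"\becho\b")),
]

def inspect_headers(headers):
    """Return (header_name, category) for each header value carrying the prefix."""
    findings = []
    for name, value in headers.items():
        match = FUNC_DEF.search(value)
        if not match:
            continue
        # Classify on the function body plus whatever follows the definition.
        payload = value[match.start():]
        category = next((label for label, rx in CATEGORIES if rx.search(payload)), "other")
        findings.append((name, category))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Accept": "*/*"},
    {"User-Agent": "() { :;}; echo; echo constructed-marker"},
    {"Referer": "() { foo;}; ping -c 1 192.0.2.10", "User-Agent": "curl/7.38.0"},
    {"Cookie": "() { :;}; /usr/bin/id"},
    {"User-Agent": '() {echo "Hello World";};'},
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(inspect_headers(request) or "clean")
```

Every header is checked rather than only "User-Agent", since any header that CGI exports to the environment can carry the string.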

However, the most severe threats are those which open a back door or completely compromise the server. Those attacks have a very familiar payload fingerprint. These are the same cyber-criminals who are constantly running their operations on the web, hunting for vulnerable webservers, and "Shellshock" is a fresh opportunity to expand their army of zombie machines.

These serious exploits usually deploy the "Kaiten" (AKA "Tsunami") bot or variations of "perlb0t", making the compromised server part of a DDoS business scheme.

To see the full version of this report, click "Download" below.

MODIFIED: Feb 22, 2017
