Friday, 31 October 2014

Shellshock or Bash Bug

Trend Micro's security lab has recently discovered another Shellshock (Bash Bug) attack, this one mainly targeting SMTP servers. What makes the attack notable is that it uses email to deliver the exploit.

If the exploit code is executed successfully on a vulnerable SMTP server, it downloads an IRC bot known as “JST Perl IrcBot” and executes it. To remain undetected, the bot then deletes itself automatically.



How does the attack work (Image by Trend Micro)

How Does it Work?

The attack proceeds in a few steps:
  • The attacker creates a custom email with malicious Shellshock code inserted in the Subject, From, To and CC fields.
  • The email is then sent to any SMTP (Simple Mail Transfer Protocol) server.
  • When a vulnerable SMTP mail server receives this malicious email, the embedded Shellshock payload is executed, and an IRC bot is downloaded and executed. At the same time, a connection to the IRC server is established.
  • Voila! The attacker can then easily run spam campaigns, launch DDoS attacks, send mail, scan ports, download files from URLs or run UNIX commands.
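Shellshock fires when bash imports an environment variable whose value starts with a function definition (`() {`), which is why header fields that a mail server or delivery agent copies into the environment become an attack surface. The following is an added detection example, not code from the article or from Trend Micro: it parses a raw message and flags any header whose value carries that pattern. The sample messages are constructed, and the `/bin/echo test` command in them is a harmless stand-in for the payload.

```python
import email
import re
from email import policy

# The Shellshock (CVE-2014-6271) trigger: bash treats an environment variable
# beginning with "() {" as a function definition and keeps parsing past the
# closing brace. We search anywhere in the value rather than only at its start
# so that folding, prefixes or encoding tricks do not hide the marker.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Header fields the article names as carriers of the payload; we scan every
# header anyway, since which ones reach the environment depends on the MTA/MDA.
ARTICLE_HEADERS = ("Subject", "From", "To", "Cc")


def find_shellshock_headers(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (header_name, value) pairs whose value matches the trigger."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    hits = []
    for name, value in msg.items():      # headers only, in wire order
        if SHELLSHOCK_RE.search(str(value)):
            hits.append((name, str(value)))
    return hits


# Constructed sample messages (not captured traffic).
CLEAN_MESSAGE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: Quarterly report\r\n"
    b"\r\nSee attached.\r\n"
)

SUSPECT_MESSAGE = (
    b"From: () { :; }; /bin/echo test\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: () { :; }; /bin/echo test\r\n"
    b"\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        hits = find_shellshock_headers(raw)
        print(f"{label}: {len(hits)} suspicious header(s)")
        for name, value in hits:
            print(f"  {name}: {value!r}")
```

A check like this belongs in front of, not instead of, patching bash; the flagged header names tell you which field the sender used, which is useful when tuning mail-filter rules.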

Possible Vulnerable Mail Servers

  • qmail Message Transfer Agent
  • exim MTA (version < 4)
  • Postfix using procmail (a Message Delivery Agent used for sorting and filtering incoming mail)

IRC Bots Sources

According to the Trend Micro report, the malicious email carrying the Shellshock payload downloads the IRC bots from the following URLs. Most of the IRC bots are written in Perl.
  • hxxp://{BLOCKED}.{BLOCKED}.31.165/ex.txt
  • hxxp://{BLOCKED}.{BLOCKED}.251.41/legend.txt
  • hxxp://{BLOCKED}.{BLOCKED}.175.145/ex.sh
ex.txt and ex.sh are the same file with different file extensions, Trend Micro reports. They have identified as many as 44 IRC bots so far.

Victim Countries

The attacks have mainly been observed in Taiwan and Germany, followed by the US with a 16% attack rate.

Necessary Steps

Trend Micro recommends that IT administrators block all IPs and domains related to this attack.

Source: Trend Micro
