[Image: Shellshock or Bash Bug]
Trend Micro's IT security lab has recently discovered another Shellshock (Bash Bug) attack, this one mainly targeting SMTP servers. What makes the attack notable is that it uses email to deliver the exploit.
If the exploit code executes successfully on a vulnerable SMTP server, it downloads an IRC bot known as “JST Perl IrcBot” and runs it. To remain undetected, it then deletes itself.
[Image: How the attack works (image by Trend Micro)]
How Does it Work?
The attack proceeds in a few steps:
- The attacker crafts a custom email with malicious Shellshock code inserted in the Subject, From, To and CC fields.
- The email is then sent to any SMTP (Simple Mail Transfer Protocol) server.
- When a vulnerable SMTP mail server receives this malicious email, the inserted Shellshock payload is executed, an IRC bot is downloaded and run, and a connection to the IRC server is established.
- The attacker can then easily perform spam runs, DDoS attacks, send mail, scan ports, download files from URLs or run UNIX commands.
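A header-scanning check for the delivery path described above, added here as an example and not code from Trend Micro or the original post. It assumes the bash function-definition prefix "() {" as the indicator and uses constructed sample messages, including one with a folded header that a naive line-by-line scan would miss.

```python
import re
from email import message_from_string

# Pattern for the bash function-definition prefix that a Shellshock-vulnerable bash
# evaluates when it is imported from an environment variable: "() {" with optional
# whitespace. This is the indicator that IDS signatures for the Bash Bug key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Header fields the article names as payload carriers. Every other header is scanned
# too, because a vulnerable MTA/MDA may export any of them into the environment of
# the shell it spawns.
ARTICLE_HEADERS = {"subject", "from", "to", "cc"}

# Constructed sample messages, not taken from the Trend Micro report. The suspicious
# ones carry only a harmless "echo" after the prefix so the detector has input.
BENIGN_MSG = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: Re: meeting notes (draft) {final}\r\n"
    "\r\nSee attached.\r\n"
)
SUSPICIOUS_MSG = (
    "From: attacker@example.test\r\n"
    "To: postmaster@example.test\r\n"
    "Subject: () { :;}; echo constructed-test\r\n"
    "X-Mailer: () { :;}; echo constructed-test\r\n"
    "\r\nhello\r\n"
)
FOLDED_MSG = (  # prefix hidden on a continuation line of a folded header
    "From: a@example.test\r\n"
    "Subject: innocent start\r\n"
    " () { :;}; echo folded-continuation\r\n"
    "\r\nbody\r\n"
)


def find_shellshock_headers(raw_message):
    """Return (header_name, value) pairs whose value carries the prefix.

    Headers the article names come first so an analyst sees them at the top.
    The email parser keeps folded continuation lines as part of one value,
    so the pattern is matched against the whole unfolded header.
    """
    msg = message_from_string(raw_message)
    named, other = [], []
    for name, value in msg.items():
        if SHELLSHOCK_RE.search(value):
            (named if name.lower() in ARTICLE_HEADERS else other).append((name, value))
    return named + other


def is_suspicious(raw_message):
    """True when any header of the message carries the Shellshock prefix."""
    return bool(find_shellshock_headers(raw_message))
```

Treat a hit as a triage signal rather than proof of compromise: mail that legitimately quotes bash code will match too, and the check covers header values only, not attachments or the body.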
Possible Vulnerable Mail Servers
- qmail Message Transfer Agent
- exim MTA (version < 4)
- Postfix using procmail (a Message Delivery Agent used for sorting and filtering incoming mail)
IRC Bots Sources
According to the Trend Micro report, the malicious email carrying the Shellshock payload downloads the IRC bots from the following URLs. Most of the IRC bots are written in Perl.
- hxxp://{BLOCKED}.{BLOCKED}.31.165/ex.txt
- hxxp://{BLOCKED}.{BLOCKED}.251.41/legend.txt
- hxxp://{BLOCKED}.{BLOCKED}.175.145/ex.sh
ex.txt and ex.sh are the same file with different extensions, Trend Micro reports. They have identified as many as 44 IRC bots so far.
Victim Countries
The attacks have mainly been observed in Taiwan and Germany, followed by the US with a 16% attack rate.
Necessary Steps
Trend Micro recommends that IT administrators block all IPs and domains related to this attack.
Source: Trend Micro