Yet another round of Shellshock attacks is emerging, according to the SANS Internet Storm Center – this time, botnets are tapping hosts over SMTP.
At the moment, the report is sparse, with the ISC diary post stating merely that Shellshock exploit attempts are travelling over the mail protocol because “the sources so far have all been webhosting providers”, leading to the obvious conclusion that “these are compromised systems”.
ISC describes the payload as an IRC DDoS bot written in Perl, with the “ability to fetch and execute further code”.
As Threatpost notes, Binary Defense Systems has taken a look at the details of the latest attack. The compromised systems try to spread the botnet infection with Shellshock attacks in “every main header field” (from, to, subject) to download the botnet script.
“The curl/wget/fetch/perl/lwp/etc methods are attempting to pull down a Perl-based botnet from the Jericho Security Team in order to to infect the SMTP gateway and add it to an existing botnet infrastructure”, BDS writes.
Ever since its discovery early in September, the Shellshock vulnerability has been the target of repeated exploits against different classes of machines. At the end of September, FireEye said its view of malicious traffic trying to leverage the Bash bug suggested large-scale attacks were on the way. ®