New version of Mayhem exploiting Shellshock
Back in July, researchers at Yandex published their findings about a strain of malware specific to Linux and UNIX systems. The malware, called Mayhem, uses a PHP installation script, and is designed to be easily extendable to include extra modules. The extra modules can be downloaded when (and if) required by the malware. One of the modules is a password cracker. The password cracker utilises a brute force algorithm to guess passwords.
A new version of Mayhem designed to take advantage of the Shellshock exploit has now been observed. In the new version, the PHP script used has been re-written in Perl; the likely reason for the change to Perl is because Perl is far more widespread in its deployment on Linux and UNIX systems than PHP. The modular design employed by the creators of Mayhem meant that a Shellshock exploit would not have taken long to write.
Malware Must Die has called the new version of Mayhem “Mayhem Shellshock”. The details of the exploit are on the website, but briefly, the Mayhem Shellshock malware will first probe to see if the Shellshock vulnerability exists. If it does, then the vulnerable web server is sent a command that downloads the Perl installation script. From there, the script can download other modules including the password cracker. The malware can then scan other hosts to determine if they are also vulnerable.
Currently, the major source of the Mayhem Shellshock malware appears to be the USA, with 18 machines infected. The infected machines carry out the scanning and attacking, thus making it possible to trace via IP addresses. Malware Must Die also specifies an IP address in France that is believed to be the original source of the malware.
The bash Shellshock exploit was first publicly announced on September 24. It takes advantage of a flaw in the command line that allows an attacker to insert code into an environment variable. The chief exploits have targeted http servers. The initial patch was found to be incomplete, which led to further patches being released. Subsequently, more exploits were found which were also patched. It appears that the Shellshock bug has been around for 22 years, making it a longstanding bug.
At least half of all web servers use Linux as the operating system and Apache as the http server. Further, almost every Linux system uses bash and many UNIX systems also use bash. Many web servers could be vulnerable to attack.
Fortunately, patching of the bash vulnerability will eliminate the risk of infection by the latest version of Mayhem. The bash patches are fast and easy to deploy, with minimal impact to systems.