'Mayhem' Malware Exploits Shellshock

Unix Servers Under Fire, But Attackers' Goals Unclear
'Mayhem' Malware Exploits Shellshock

Malware known as "Mayhem" that targets Unix and Linux systems has been updated to exploit Shellshock flaws. But while the malware has been tied to a long-running campaign that's compromised numerous servers and PCs, security experts say they still don't know attackers' ultimate aims.

See Also: How to Keep Your Endpoints Safe from Cybercrime

That Mayhem warning is being sounded by a group of anti-malware crusaders who call themselves "Malware Must Die." They say the updated malware, which they've dubbed "Mayhem Shellshock," is being used for in-the-wild attacks.

While the purpose of the attacks isn't clear, Evgeny Sidorov, a researcher at Russian Internet firm Yandex, tells Information Security Media Group the tool is now being sold in underground forums for anyone who wants to build their own Mayhem botnet.

Malware Must Die has been publishing information related to the malicious infrastructure that's being used to target Unix systems. "This is a very serious threat, please work and cooperate together ... to stop the source of the threat," the group says in a blog post.

"This threat has the potential to become a major issue," says Gregory Lindor, a malware analyst with the cloud services firm Akamai. "Not only does the Mayhem malware exhibit some advanced features for Linux malware, but the possibility for infection using the Shellshock bug can greatly improve its ability to propagate into more systems than has been seen in its previous campaigns."

Shellshock refers to flaws that have been found in the Bash command-line interface that's used in many flavors of the Unix operating system, including Linux and Mac OS X. Security experts have warned that more than half a billion Web servers run Linux-based Apache and are at risk from Shellshock attacks, unless they've been patched. Furthermore, given the ubiquity of systems that run Bash, security experts are warning that Shellshock battle could go on for years (see Why Shellshock Battle Is Only Beginning).

Mayhem Botnets Target U.S.

Mayhem was first discovered in April and documented in a July report published by three Yandex researchers, who described it as "a new kind of malware for [Unix/Linux] Web servers that has the functions of a traditional Windows bot, but which can act under restricted privileges in the system." In other words, the malware can still do malicious things even in heavily locked-down server environments, and without admin credentials.

At the time, the researchers reported finding two different Mayhem botnets comprising - respectively - 1,110 and 300 Unix-flavor systems, or bots. "At the time of the analysis, bots from both botnets were used to brute-force [guess] WordPress passwords," they said, noting that the greatest number of bots were located in the United States, followed by Russia, Germany and Canada.

The original version of the Mayhem malware used a PHP script to compromise machines, they said. Once a server was infected, the script could download up to eight additional modules that provided more functionality, such as the ability to install itself on other systems by exploiting vulnerable plug-ins for the WordPress content management system. But the new version of Mayhem malware drops the PHP script, and instead targets the Shellshock flaws to execute a Perl script, according to Malware Must Die.

Yandex's Sidorov tells Virus Bulletin that he's not surprised that Mayhem's developers are now attempting to exploit Shellshock flaws, in part because it's easier than trying to brute-force credentials to gain access to a site, and then run a malicious PHP script. In addition, using a Perl-based attack makes the attack more likely to succeed, because most Unix-flavor systems run Perl scripts by default, whereas allowing PHP is optional functionality.

Goal Unclear

But what is the attackers' goal? The Yandex researchers say Mayhem is a continuation of the "Fort Disco" brute-force password campaign that began in May 2013. Last year, distributed denial-of-service defense firm Arbor Networks reported that the campaign used compromised servers to create a botnet comprising 25,000 Windows PCs, as well as thousands of servers. Arbor said it was nearly impossible to deduce attackers' goals simply by recovering their malware. But it said the servers are likely being used to launch DDoS attacks and infect Windows systems with banking Trojans.

"There are a number of standard approaches to monetization of such botnets," Sidorov says. "Cybercriminals can install backdoors and then sell credentials they collect. They can send spam e-mails, can use black-hat [search engine optimization] tricks, can infect compromised sites with code for drive-by download attacks and can steal traffic."

One ongoing challenge in defending against Mayhem is that Linux and Unix systems rarely run anti-virus software, Akamai's Lindor says. "However, there are anti-virus engines gaining popularity, such as the ClamAV anti-virus engine, designed to detect malware on Linux," he says. Also becoming more common is the use of the Security-Enhanced Linux - SELinux - kernel security module to prevent malware from executing.

So far, three samples of the Mayhem Shellshock malware have been discovered and shared with VirusTotal: sess64.so and sess32.so and 404.cgi.

Shellshock: More Attacks Ahead

Before Mayhem Shellshock was discovered, attackers were already targeting Shellshock flaws in numerous ways, including probing systems for weaknesses, dumping data stored on servers, and installing remote shells to give attackers backdoor access to systems. Recently, some attackers have also been exploiting the Bash flaws to install the "Tsunami" Linux bot, which is designed to launch DDoS attacks.

Lindor expects to see many more Shellshock-targeting attacks. "Whenever a major system flaw provides the opportunity for attackers to monetize and grow their botnets, we will see a rise in activity and more often than not old toolkits and malware will see the light of day," he says. "The upside to this is that security researchers are aware of Mayhem and its capabilities, so clean-up efforts will move swiftly. Patching systems and educating system administrators are just some of the efforts that can help mitigate these attacks from spreading uncontrollably."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.