A stealthy malicious program known as Mayhem has started spreading to Linux and Unix servers using the “Shellshock” vulnerability in the terminal shell program known as Bash, according to security experts.
On Oct. 7, the anti-malware group Malware Must Die posted an analysis of the attack, which is currently using servers at 37 different Internet addresses—18 of which are in the United States—to scan for vulnerable hosts. It’s not known how many servers have been infected with the malware, but a July analysis of the pre-Shellshock version found some 1,400 servers compromised by the program.
With its new ability to exploit the pervasive Bash vulnerability, Mayhem may spread much further, the group Malware Must Die stated in its analysis of the attack.
“This is a very serious threat, please work and cooperate together … to stop the source of the threat,” the group stated.
Mayhem, first discovered in April, stands out from other malware, because it accomplishes its tasks on Linux and Unix servers without gaining full control of the host system, according to an analysis published in July by three security researchers at Russian search giant Yandex. In the past, the malware used a PHP script to infect servers, but the latest version uploads a script in the Perl programming language via the Shellshock vulnerability.
The malware makes use of a modular design, so that the software can be easily updated with new functionality. At least eight different modules exist, expanding functionality to scan for sites using the popular WordPress content management system and sites with specific vulnerabilities before attempting to use brute-force guessing to break into sites with weak passwords.
Linux servers have become a popular target for cyber-criminals because, while many distributions are freely available, keeping a system up to date with security patches can be time consuming and is often neglected, according to the Yandex researchers.
“Nowadays, there are millions of completely unprotected Web servers with different kinds of vulnerabilities, so it is easy for attackers to upload Web shells and gain access to them,” they stated in their analysis.
Half of all active Websites run on Apache and Linux. Attackers who are able to compromise Web servers get a dual benefit, Chester Wisniewski, senior security adviser at Sophos, said in an email interview. Web servers typically have much higher bandwidth and can be compromised to infect visitors with drive-by downloads, he said.
Whether more attackers target the Shellshock flaw depends on how easy it is to exploit compared to other vulnerabilities, he added. The sheer variety of software used on Web servers and Internet-facing Linux servers means that the number of servers with some form of vulnerability is very high, he said.
“It is almost always about (finding) the cheapest, fastest way to get the job done,” Wisniewski said. “If (that way) is ShellShock, then we will see plenty more.”