Attack Campaign

Shellshock: Malicious Bash, Obfuscated perlb0t, Echo Probes, and More

Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to Bash.
October 10, 2014
2 min. read

Shellshock can take advantage of HTTP headers as well as other mechanisms to enable unauthorized access to the underlying system shell, Bash. The Shellshock attack takes advantage of a flaw in Bash that enables attackers to execute remote commands that would ordinarily be blocked. It's been rated the highest risk possible because remote command execution is potentially very, very dangerous.

Once the "Shellshock" vulnerability opened the door to run arbitrary commands on any CGI server out there, different entities tried to realize their diverse intentions.

The magic string which opened this door in almost all the cases was the:

() { :;};

A variation of this was entering a single word within the curly brackets instead of the "no operation" keyword:

() { foo;};

In some very rare cases it might look like this:

() {echo "Hello World";};

Although the exploit may be delivered in different HTTP headers (the ones the CGI is converting to the environment variables), "User-Agent" is used in most of the cases.

From our observations, the payload that is delivered (the actual commands that are executed) once the vulnerability is exploited has several intentions. The simplest are the "echo" probes, just sending a vector containing a certain string and expecting to see it in server's response, or the "ping back" probes, injecting ping command and expecting to see the server pinging them. Usually, these are the scanners indexing the vulnerable servers out there. Others send shell commands, mostly for information gathering, such as "uname" or "id" commands, while there might be more aggressive vectors reading sensitive files, such as "/etc/shadow" or creating dummy files on the file system.

However, the most severe threats are those which open a back door or completely compromise the server. Those attacks have a very familiar payload fingerprint. These are the same cyber-criminals who are constantly running their operations on the web, hunting for vulnerable webservers, and the "Shellshock" is a fresh opportunity to expand their army of zombie machines.

These serious exploits usually deploy the "Kaiten" (AKA "Tsunami") bot or variations of the "perlb0t" making it part of a DDoS business scheme.

To see the full version of this article, click "Download" below.

Join the Discussion
Authors & Contributors
Maxim Zavodchik (Author)
Security Research Group Manager
Oz Elisyan (Author)
Security Researcher

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read