A new Shellshock attack targeting SMTP servers was discovered by Trend Micro. Attackers used email to deliver the exploit. If the exploit code is executed successfully on a vulnerable SMTP server, an IRC bot known as “JST Perl IrcBot” will be downloaded and executed. It will then delete itself after execution, most likely as a way to go under the radar and remain undetected. The diagram below illustrates the attack cycle.
Figure 1. Diagram of the SMTP attack
- The attacker creates a custom email with Shellshock malicious code inserted in the Subject, From, To and CC fields.
- The attacker then sends this email to any potentially vulnerable SMTP server.
- When a vulnerable SMTP mail server receives this malicious email, the embedded Shellshock payload is executed and an IRC bot is downloaded and executed. A connection to an IRC server is also established.
- Attackers can then perform different routines with the mail server, such as launching a spam run.
- qmail Message Transfer Agent (MTA): .qmail is a Unix-based configuration file that controls the delivery of email messages and is responsible for launching Bash shell commands for execution. It is possible to configure this file to launch a program, and once that program calls Bash, the attack is successful. (The attack requires that a .qmail file exists for the valid recipient on the qmail MTA and that the .qmail file contains a delivery program.)
- exim MTA with versions earlier than Version 4: starting with Version 4 of exim, the pipe_transport does not call a shell for variable expansion and command-line assembly.
- Postfix using procmail: the Postfix MTA invokes procmail, which is a Mail Delivery Agent (MDA). An MDA is used to sort and filter incoming mail. Postfix itself has no obvious Shellshock vulnerability. However, procmail could use an environment variable to pass message headers to subsequent delivery/filter programs, which exposes it to Shellshock attacks. Note: the Debian/Ubuntu Postfix distribution sets procmail as the default mailbox_command in main.cf. This means the Debian/Ubuntu Postfix distributions are vulnerable to Shellshock attacks.
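A header-level check for the delivery chain described above, added here as an example and not code from the original post: it flags the Shellshock function-definition signature in the header fields the post names (Subject, From, To, CC), on constructed sample messages, so an MTA front end or log pipeline can reject or alert before a .qmail program, procmail or another shell-calling MDA ever sees the headers. The header set and the sample messages are assumptions for illustration.

```python
import email
import re

# Shellshock probes start with a Bash function definition ("() { ... };")
# followed by the commands to run. Match the definition prefix, allowing
# arbitrary whitespace (including header folding) around the braces.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Header fields the post names as carriers, plus others an MDA commonly
# exports into the environment of filter programs (assumed set).
CHECKED_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To", "Sender")


def find_shellshock_headers(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (header name, raw value) pairs whose value carries the pattern.

    The compat32 (default) policy keeps header values as raw strings, so a
    malformed From: field is inspected verbatim rather than parsed as addresses.
    """
    msg = email.message_from_bytes(raw_message)
    hits = []
    for name in CHECKED_HEADERS:
        for value in msg.get_all(name, []):
            if SHELLSHOCK_RE.search(str(value)):
                hits.append((name, str(value)))
    return hits


# Constructed sample: payload in Subject and From, as in the attack cycle.
MALICIOUS_MESSAGE = (
    b"Subject: () { :;}; /bin/echo shellshock-probe\r\n"
    b"From: () { :;}; /bin/echo shellshock-probe <attacker@example.invalid>\r\n"
    b"To: victim@example.invalid\r\n"
    b"\r\n"
    b"body\r\n"
)

# Constructed sample: the definition split across a folded Subject line.
FOLDED_MESSAGE = (
    b"Subject: () {\r\n"
    b" :;}; /bin/echo shellshock-probe\r\n"
    b"From: sender@example.invalid\r\n"
    b"\r\n"
)

# Constructed sample: ordinary mail that mentions Bash but carries no payload.
CLEAN_MESSAGE = (
    b"Subject: Patch for bash function parsing (CVE-2014-6271)\r\n"
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"\r\n"
    b"See attached.\r\n"
)
```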
Figure 2. Source code downloaded by “JST Perl IrcBot”
“JST Perl IrcBot” connects to a command-and-control (C&C) IRC server through ports 6667, 3232, and 9999. The bot performs the following routines, compromising the security of the affected system:
- Download file(s) from URLs
- Send mail
- Scan ports
- Perform distributed denial-of-service (DDoS) attacks
- Run Unix commands
Figure 3. Top countries which visited the site hosting the malware
The IRC bot discovered in this SMTP attack connects back to the following IRC servers, where it waits for commands from the bot master or attacker:
- SHA1: 23b042299a2902ddf830dfc03920b172a74d3956 (PERL_SHELLBOT.SMA)
- SHA1: 8906df7f549b21e2d71a46b5eccdfb876ada835b (PERL_SHELLBOT.SM)
- 1006259 - GNU Bash Remote Code Execution Vulnerability Over SMTP