Incident Response, Malware, TDR

Bash bug payload downloads KAITEN DDoS malware source code

Attackers have been leveraging Shellshock vulnerabilities to deliver malware since the issue was disclosed in late September, and now researchers with Trend Micro have observed a Bash bug payload – detected as TROJ_BASHKAI.SM – downloading the source code of KAITEN malware.

KAITEN is an older Internet Relay Chat (IRC)-controlled malware that is typically used to carry out distributed denial-of-service (DDoS) attacks, so spreading the infection can help the attackers bring down targeted organizations, according to a Sunday Trend Micro post.

“The purpose is to add compromised systems to botnets,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence. “In this case these are botnets primarily focused on launching DDoS attacks.”

Getting KAITEN on the system – Linux/UNIX and Mac OS X systems are at risk, Budd said – is not a direct process.

TROJ_BASHKAI.SM connects to two URLs when executed, according to the post. The first URL downloads the KAITEN source code, which is compiled using the gcc compiler and ultimately builds an executable file detected as ELF_KAITEN.SM.

Compiling ensures proper execution of the malware because, if downloaded directly as an executable, the file runs the risk of having compatibility issues with different Linux OS distributions, the post indicates. Furthermore, the file will evade network security systems that only scan for executables.

ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net, joins IRC channel #pwn, and awaits commands, according to the post. Some commands include perform UDP flood, perform SYN flood, download files, send raw IRC command, start remote shell, perform PUCH-ACK flood, and disable, enable, terminate client.

When TROJ_BASHKAI.SM connects to the second URL, KAITEN source code is downloaded and similarly compiled into ELF_KAITEN.A, which is essentially the same as ELF_KAITEN.SM except that it connects to linksys[dot]secureshellz[dot]net[colon]25 and to channel #shellshock, the post indicates.

Additionally, a Mac OS X malware detected as OSX_KAITEN.A, which behaves similarly to ELF_KAITEN.A, is downloaded, as well as a shellbot detected as PERL_SHELBOT.SMO, according to the post.

“This is a powerful IRC-controlled shellbot that connects to the same server as the two previous files, but to a different channel (#scan),” the post indicates. “However, unlike KAITEN that doesn't scan for vulnerable servers, PERL_SHELLBOT.SMO scans for vulnerable websites through various search engines.”

Trend Micro has no specific information on the threat actors or their locations, Budd said, adding that in this case there is no specific geographical targeting – the attackers are broadly targeting vulnerable systems wherever found.

“Applying the patches that are available is the most important thing people can do,” Budd said. “Network monitoring/IPS is another thing that people can and should be doing to help detect compromised systems on their network and protect against further attacks.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds