Linux Trojan dropped via CVE-2014-6271 vulnerability (Sep 26, 2014)
The Dell Sonicwall Threats Research team has received reports of a Linux DDoS Trojan that is dropped onto systems vulnerable to CVE-2014-6271 (GNU Bash Code Injection Vulnerability). The Trojan can leak sensitive system information and is designed primarily for DDoS attacks using various methods. A Sonicalert describing CVE-2014-6271 had been released earlier this week.
Infection Cycle:
Once it has been dropped and executed through the vulnerability, the Trojan connects to a predetermined C&C server IP address on port 5. The IP address is hardcoded in the binary.
The DDoS capabilities are visible as plain strings in the binary. The C&C server can issue the following commands:
GETLOCALIP
SCANNER
HOLD
JUNK (flood)
UDP (flood)
TCP (flood)
KILLATTK
LOLNOGTFO
DUP (disconnect from C&C)
The Trojan also contains a brute-force password attack module; a list of weak passwords to try was discovered in the binary.
Strings found in the binary indicate that the Trojan gathers network, CPU, kernel and memory information from the infected system.
The Trojan also runs the following BusyBox command (octal escapes restored; extraction had dropped the backslashes):
/bin/busybox;echo -e '\147\141\171\146\147\164'
The output of the command differs depending on the system it is run on: on a BusyBox-based device, /bin/busybox prints its usage banner and echo -e expands the octal escapes to the marker string "gayfgt", whereas on a host without BusyBox the first part fails and, under a shell whose echo does not honour -e, the escapes are left unexpanded. The bot can use this to tell BusyBox-based embedded systems apart from ordinary Linux hosts.
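As an added example (not SonicWall's code and not the bot's own logic), the following Python triage script ties together the two indicator sets above: it decodes the octal fingerprint the way echo -e would, and scores a file image against the C&C command verbs and the fingerprint command. The scoring weights, the verdict threshold, the output classifier and the sample file image are assumptions of this example; only the indicator strings come from the analysis.

```python
import re

# Indicators copied from the analysis above: the C&C command verbs and the
# BusyBox fingerprint command (octal escapes that echo -e expands to "gayfgt").
CNC_COMMANDS = [b"GETLOCALIP", b"SCANNER", b"HOLD", b"JUNK", b"UDP", b"TCP",
                b"KILLATTK", b"LOLNOGTFO", b"DUP"]
# Short verbs also occur in benign binaries, so they carry less weight than the
# distinctive ones. The weighting and threshold are assumptions of this example.
WEAK_COMMANDS = {b"HOLD", b"JUNK", b"UDP", b"TCP", b"DUP"}
LIKELY_THRESHOLD = 10
BUSYBOX_FINGERPRINT = rb"/bin/busybox;echo -e '\147\141\171\146\147\164'"

OCTAL_ESCAPE = re.compile(rb"\\([0-7]{1,3})")
# Match the shape of the fingerprint command rather than its exact bytes, so a
# variant that swaps in a different octal marker is still caught.
FINGERPRINT_CMD = re.compile(rb"/bin/busybox;echo -e '((?:\\[0-7]{1,3})+)'")

# Constructed sample, not a real binary: the listed strings laid out the way
# they would sit in a stripped ELF's .rodata, behind a fake ELF header.
SAMPLE_BOT = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
              b"GETLOCALIP\x00SCANNER\x00HOLD\x00JUNK\x00UDP\x00TCP\x00"
              b"KILLATTK\x00LOLNOGTFO\x00DUP\x00" + BUSYBOX_FINGERPRINT + b"\x00")


def decode_echo_escapes(s: bytes) -> bytes:
    """Expand \\NNN octal escapes the way a BusyBox or bash `echo -e` does."""
    return OCTAL_ESCAPE.sub(lambda m: bytes([int(m.group(1), 8) & 0xFF]), s)


def fingerprint_markers(blob: bytes) -> list:
    """Decoded marker string of every busybox;echo -e fingerprint found in blob."""
    return [decode_echo_escapes(m).decode("latin-1")
            for m in FINGERPRINT_CMD.findall(blob)]


def scan_blob(blob: bytes) -> dict:
    """Score a file image against the indicators and return a triage summary."""
    found = [c for c in CNC_COMMANDS if c in blob]
    score = sum(1 if c in WEAK_COMMANDS else 3 for c in found)
    markers = fingerprint_markers(blob)
    if markers:
        score += 5
    return {
        "commands": [c.decode() for c in found],
        "markers": markers,
        "score": score,
        "verdict": "likely bot" if score >= LIKELY_THRESHOLD else "inconclusive",
    }


def classify_fingerprint_output(output: bytes, marker: bytes = b"gayfgt") -> str:
    """Interpret what the fingerprint command printed on a target.

    Assumed classification for illustration: a BusyBox-based system prints the
    usage banner of /bin/busybox before the marker; if the marker appears
    without the banner, the host has no BusyBox but its echo honours -e; if the
    marker never appears, the escapes were left unexpanded or echo failed.
    """
    if marker in output and b"BusyBox v" in output:
        return "busybox"
    if marker in output:
        return "non-busybox, echo honours -e"
    return "unknown"


if __name__ == "__main__":
    print(scan_blob(SAMPLE_BOT))
    print(scan_blob(b"\x7fELF UDP TCP HOLD libc.so.6"))
    # Constructed outputs of the fingerprint command on two kinds of host.
    print(classify_fingerprint_output(b"BusyBox v1.20.2 multi-call binary.\ngayfgt\n"))
    print(classify_fingerprint_output(b"/bin/busybox: not found\n-e \\147\\141\\171\\146\\147\\164\n"))
```

Run the script against a suspect file with `scan_blob(open(path, "rb").read())`; a hit on the distinctive verbs plus a decoded fingerprint marker is a strong reason to pull the sample for full analysis, while the short verbs alone should never drive a verdict.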
The functionality of the Trojan can be summarized as follows:
- System fingerprinting attempts using BusyBox
- Ability to leak sensitive system information
- Perform DDoS attacks using various methods
- Brute force authentication attacks
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Linux.Flooder.SS (Trojan)