Linux Trojan dropped via CVE-2014-6271 vulnerability (Sep 26, 2014)

The Dell Sonicwall Threats Research team has received reports of a Linux DDoS Trojan that is dropped onto systems vulnerable to CVE-2014-6271 (GNU Bash Code Injection Vulnerability). The Trojan can leak sensitive system information and is designed primarily for DDoS attacks using various methods. A Sonicalert describing CVE-2014-6271 had been released earlier this week.

Infection Cycle:

Upon successful infection and execution via the vulnerability, the Trojan connects to a predetermined C&C server IP address on port 5. The IP address is hardcoded in the binary.

The Trojan contains the following DDoS capabilities, as seen in the binary.

The C&C server can issue the following commands:

      GETLOCALIP
      SCANNER
      HOLD
      JUNK (flood)
      UDP (flood)
      TCP (flood)
      KILLATTK
      LOLNOGTFO
      DUP (disconnect from C&C)

The Trojan also contains a brute-force password attack module. The following weak passwords were discovered in the binary.

The following strings were found in the binary. These strings indicate that the Trojan gathers network, CPU, kernel and memory information from the infected system:

As seen in the screenshot above the Trojan employs the following BusyBox command:

      /bin/busybox;echo -e '\147\141\171\146\147\164'

The output of the command differs depending on the system it is run on. This can be used as a way to differentiate between systems.
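The following Python example is added here for illustration and is not part of the original alert. It decodes the octal escapes in the BusyBox probe the way an `echo -e` that supports `\NNN` would (showing the marker such a shell prints back), and tags constructed web-server access-log lines that carry either the CVE-2014-6271 function-definition prefix or the BusyBox fingerprint command; the log format and regular expression are assumptions for the example.

```python
import re

# The BusyBox fingerprint command quoted in the analysis above.
BUSYBOX_PROBE = r"/bin/busybox;echo -e '\147\141\171\146\147\164'"

# Assumed detection pattern for a CVE-2014-6271 payload: a bash function
# definition "() { ...};" arriving in a header/environment value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def decode_echo_octal(s):
    """Expand \\NNN octal escapes as an echo -e that supports them would,
    so an analyst can see which marker a BusyBox shell would print."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)


def classify(line):
    """Return the indicator tags found in one access-log line."""
    tags = []
    if SHELLSHOCK_RE.search(line):
        tags.append("shellshock-header")
    if "/bin/busybox" in line and "echo -e" in line:
        tags.append("busybox-fingerprint")
    return tags


def scan(lines):
    """Map line index -> tags for every line that matched an indicator."""
    hits = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample lines (not real traffic) in an Apache combined-log style.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2014:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/busybox;echo -e \'\\147\\141\\171\\146\\147\\164\'"',
    '10.0.0.7 - - [26/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Sep/2014:10:00:02 +0000] "GET /cgi-bin/test HTTP/1.1" '
    '200 64 "-" "() { :;}; /bin/bash -c \'id\'"',
]

if __name__ == "__main__":
    print(decode_echo_octal(BUSYBOX_PROBE))
    for idx, tags in scan(SAMPLE_LOG).items():
        print(idx, tags)
```

A shell whose `echo -e` expands `\NNN` returns the decoded marker, while one that does not echoes the digits back; that difference in output is what the Trojan relies on to tell systems apart.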

The functionality of the Trojan can be summarized as follows:

  • System fingerprinting attempts using BusyBox
  • Ability to leak sensitive system information
  • Perform DDoS attacks using various methods
  • Brute force authentication attacks

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Linux.Flooder.SS (Trojan)