
The Dell Sonicwall Threats Research team has received reports of a Linux DDoS Trojan that is dropped onto systems vulnerable to CVE-2014-6271 (GNU Bash Code Injection Vulnerability). The Trojan can leak sensitive system information and is designed primarily to launch DDoS attacks using several flood methods. A Sonicalert describing CVE-2014-6271 was released earlier this week.
Infection Cycle:
Upon successful infection and execution via the vulnerability, the Trojan connects to a predetermined C&C server IP address on TCP port 5. The IP address is hardcoded in the binary.

The Trojan's DDoS capabilities are visible as strings in the binary.

The C&C server can issue the following commands:
- GETLOCALIP
- SCANNER
- HOLD
- JUNK (flood)
- UDP (flood)
- TCP (flood)
- KILLATTK
- LOLNOGTFO
- DUP (disconnect from C&C)

The Trojan also contains a bruteforce password attack module. A list of weak passwords for this module was found in the binary.

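As an added example (not from the alert and not the Trojan's own code), the following Python triages a captured server-to-bot TCP stream against the command set listed above. It assumes commands arrive one per line with the keyword as the first whitespace-separated token; the alert does not document command arguments, so they are kept opaque, and the sample stream, including its argument layout, is constructed.

```python
"""Triage a captured C&C stream for the command set named in the alert.

Added example, not code from the SonicWall alert or from the Trojan.
Assumptions (the alert does not state them): one command per line, the
keyword is the first whitespace-separated token, and anything after it is
opaque argument text that is recorded but not interpreted.
"""
from collections import Counter

C2_PORT = 5  # destination port named in the alert

# Commands the alert attributes to the C&C server, with the role the alert
# gives them; commands the alert does not describe are marked "unspecified".
COMMANDS = {
    "GETLOCALIP": "unspecified",
    "SCANNER": "unspecified",
    "HOLD": "unspecified",
    "JUNK": "flood",
    "UDP": "flood",
    "TCP": "flood",
    "KILLATTK": "unspecified",
    "LOLNOGTFO": "unspecified",
    "DUP": "disconnect",
}


def parse_command(line):
    """Return (keyword, args) for one line, or None if it is not a known command."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    keyword = parts[0].upper()
    if keyword not in COMMANDS:
        return None
    return keyword, (parts[1] if len(parts) > 1 else "")


def triage_session(payloads, dst_port):
    """Summarise a server->bot TCP stream as a dict of matched commands,
    per-role counts and a verdict.

    Matching is only attempted on the C&C port, so a stray "TCP" or "UDP"
    token at the start of a line in unrelated traffic does not fire.
    """
    if dst_port != C2_PORT:
        return {"verdict": "out-of-scope", "matched": [], "roles": Counter()}
    matched, roles = [], Counter()
    for payload in payloads:
        for line in payload.splitlines():
            parsed = parse_command(line)
            if parsed:
                matched.append(parsed)
                roles[COMMANDS[parsed[0]]] += 1
    if roles["flood"]:
        verdict = "ddos-command-observed"
    elif matched:
        verdict = "c2-command-observed"
    else:
        verdict = "clean"
    return {"verdict": verdict, "matched": matched, "roles": roles}


# Constructed sample stream (not captured traffic). The argument layout on
# the UDP line is made up for illustration; the alert does not document it.
SAMPLE_STREAM = [
    "GETLOCALIP\n",
    "UDP 192.0.2.10 80 60\n",
    "KILLATTK\nDUP\n",
]

if __name__ == "__main__":
    result = triage_session(SAMPLE_STREAM, C2_PORT)
    print(result["verdict"], dict(result["roles"]))
```

Restricting the match to the hardcoded port keeps the keyword check cheap enough to run over a full capture; the same keyword list is what an IDS content rule for this family would key on, with the port as the qualifying condition.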
Strings found in the binary indicate that the Trojan gathers network, CPU, kernel and memory information from the infected system.

As seen in the screenshot above, the Trojan also runs the following BusyBox command:
/bin/busybox;echo -e '\147\141\171\146\147\164'
The octal escapes decode to the fixed ASCII string gayfgt. The first half of the command behaves differently depending on the host: where /bin/busybox exists, running it with no arguments prints the BusyBox usage banner; where it does not, the shell reports that it cannot be found. Either way the echo that follows prints the marker, so the combined output both confirms that the command executed and distinguishes BusyBox-based systems (typically embedded devices) from other Linux hosts.
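Added example (not code from the alert or from the Trojan): decoding the echoed octal escapes and classifying a host from the output of the command. The sample responses are constructed, and the assumption that a missing /bin/busybox yields a shell "not found" message while a present one prints a banner beginning with "BusyBox v" is the example's own.

```python
"""Decode the BusyBox fingerprint command and classify what a host returns.

Added example, not code from the SonicWall alert or from the Trojan. The
escape decoding is exact (octal byte values as interpreted by `echo -e`);
the shape of a host's response is an assumption stated in classify_host,
and the sample outputs below are constructed.
"""
import re

# The command from the alert, with the backslashes that the page lost.
FINGERPRINT_CMD = "/bin/busybox;echo -e '\\147\\141\\171\\146\\147\\164'"


def decode_octal_escapes(text):
    """Replace \\nnn (and the \\0nnn form) with the character each octal value encodes."""
    return re.sub(r"\\0?([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), text)


def marker_from_command(cmd):
    """Extract the single-quoted argument of `echo -e` and decode it."""
    m = re.search(r"echo -e '([^']*)'", cmd)
    if not m:
        raise ValueError("no echo -e argument found")
    return decode_octal_escapes(m.group(1))


def classify_host(output, marker):
    """Classify the output a shell produced for the fingerprint command.

    Assumption (not stated in the alert): `/bin/busybox` with no arguments
    prints its usage banner, which starts with "BusyBox v", while a host
    without BusyBox returns a "not found" error from the shell instead. In
    both cases the marker echoed afterwards proves the command line ran.
    """
    if marker not in output:
        return "no-execution"       # the command never reached a shell
    if "BusyBox v" in output:
        return "busybox-host"       # typical embedded device or router
    return "non-busybox-host"       # full Linux userland without BusyBox


# Constructed sample responses (not captured from real hosts); "gayfgt" is
# what the escapes in FINGERPRINT_CMD decode to.
SAMPLE_BUSYBOX = (
    "BusyBox v1.22.1 multi-call binary.\n"
    "Usage: busybox [function] [arguments]...\n"
    "gayfgt\n"
)
SAMPLE_NOBUSYBOX = "sh: /bin/busybox: not found\ngayfgt\n"
SAMPLE_NOEXEC = "HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    marker = marker_from_command(FINGERPRINT_CMD)
    print(marker)
    for sample in (SAMPLE_BUSYBOX, SAMPLE_NOBUSYBOX, SAMPLE_NOEXEC):
        print(classify_host(sample, marker))
```

Checking for the marker before checking for the banner matters: a banner alone could come from any BusyBox host that printed usage for an unrelated reason, while the marker ties the output to this exact command line. The same decoder is useful for any other octal-escaped strings pulled out of the binary.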
The functionality of the Trojan can be summarized as follows:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: