Once high profile vulnerability is released to the public, there are a lot of people who will use the opportunity to take advantage on vulnerable machines, even if it is manually or widely exploited using pieces of malware. A clear example is the evolution of Mayhem to take advantage of Shellshock proving how quickly criminals can mobilize when they use existing malware infrastructure.
In this post, I don’t pretend to extend the information that is already at the Internet nowadays about Shellshock and how it has been exploited in the wild. For this reason, one month after the Bash related vulnerabilities were published, we have tried to analyze the impact of this disclosure in the threat intelligence landscape by analyzing how many new remote backdoors, exploit kits and C&C servers are being found by Blueliv’s CrimeTracker.
Figure 1. Blueliv’s CrimeTracker
After analyzing the information with the analytics engine, we’ve found the following amount of new C&C detections by month, noticing that in September and October we detected an increase of around 40-45% new Control Panel.
If we go deeper into September and October in order to analyze the detection by week, we can see that 2 weeks after the Shellshock incident our C&C detection ratio has increased by almost the same ratio (~40 %):
It is quite interesting the fact that 1-2 weeks after the vulnerability disclosure more C&C panels have appeared in the wild. The question is: Why 1-2 weeks after?
Someone could answer that in theory the modus operandi could have been:
1. Identify and massively hack vulnerable servers
2. Trojanize or backdoor the compromised servers
3. Sell remote access to fraudsters
4. Place new C&C
In conclusion, with this quick review with our analytics engine we’ve seen how quickly criminals can mobilize when vulnerability is released to the public (also with no so public vulnerabilities), they use existing malware infrastructure.
Ramon Vicens Labs Manager