Attackers shellshock, take over devices running on BusyBox

ShellShock, the remote code execution bug (CVE-2014-6271) affecting GNU Bash, the command interpreter present on many Unix systems and Linux distributions, is still being exploited by attackers.

Trend Micro threat response engineer Rhena Inocencio warns about attackers leveraging a new version of the Bashlite malware, which was initially created as a DDoS bot with brute forcing capabilities and exploits the ShellShock bug. The malware now targets both computers and other devices running on BusyBox, located on the same network.

The BusyBox software provides a number of Unix tools in a single executable file, and was specifically developed for embedded operating systems with limited resources. It can be often found on routers.

The original version of the malware could detect these devices on the network, but would not try to compromise them. This newer version tries to brute force its way into the device by trying out a set of the most common usernames and passwords.

Once the malware gains access to the device, it downloads and runs two shell scripts to gain complete remote control over the BusyBox system.

Luckily, the solution for this problem is simple: apply a ShellShock patch on your equipment (if they have been made available), or disable remote shell on these devices (if possible). It’s also generally a good idea to change the default username and password on all devices you own.