[unixfreaxjp]

The "Mayhem Shellshock" warning advisory released: http://blog.malwaremustdie.org/2014/10/ ... ayhem.html
Many details for detection and mitigation information, please read even once.

Pointers:
1. Grep your httpd access log to spot whether your systems are targeted or not, see the grep howto in the post.
2. They use different spider ELF module which aiming for the shellshock vulnerability
3. Perl installer is used after being downloaded in /tmp, and malware installer will be deleted afterward after dropped and executed, so.. system's process, socket network and memory detection is the only way to recognize the infection, as well to the dropped crypted file sytem (the .xxxx file).
4. The malware will run using the web server privilege, if you use web server under root please change it now.
5. The ip addresses listed in the report were extracted & compiled from many VPS services in many countries (JP, AU, NZ, MY, KR) and we confirmed that the attack was received in US, Spain too, assuming word-wide attack in progress, clean up listed ip address or block them will be good to reduce the risk of infection.
6. Please help to inform more attacker source ip addresses, as well as more samples. Your every help is counts to reduce the risk caused by this threat.

Rgds/MalwareMustDie

[unixfreaxjp]

Additional, case: Mayhem Shellshock
Current total recorded "known" attacker source IP is (unique) 51, from 22 countries, 49% are hosts in USA, including Google Cloud)

Code: Select all

192.169.59.190|emu.arvixe.com.|36351 | 192.169.48.0/20 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
192.3.138.103|host.colocrossing.com.|36352 | 192.3.136.0/21 | AS-COLOCROSSING | US | HUDSONVALLEYHOST.COM | HUDSON VALLEY HOST
205.186.134.213|thewineconsultant.com.|31815 | 205.186.128.0/19 | MEDIATEMPLE | US | MEDIATEMPLE.NET | MEDIA TEMPLE INC.
209.11.159.26|cpanel.webindia.com.|40913 | 209.11.128.0/19 | QTS-SJC-1 | US | SEALCONSULT.COM | IBIS INC.
216.121.52.101|101.52.121.216.reverse.gogrid.com.|26228 | 216.121.0.0/17 | SERVEPATH | US | GOGRID.COM | GOGRID LLC
54.213.225.160|ec2-54-213-225-160.us-west-2.compute.amazonaws.com.|16509 | 54.213.0.0/16 | AMAZON-02 | US | AMAZON.COM | AMAZON.COM INC.
67.214.182.202|202.smart-dns.net.|12260 | 67.214.176.0/20 | COLOSTORE | US | COLOSTORE.COM | COLOSTORE.COM
69.10.33.130||19318 | 69.10.32.0/20 | NJIIX-AS-1 | US | INTERSERVER.NET | INTERSERVER INC
69.20.200.203|webvms.kdsi.net.|32101 | 69.20.200.0/24 | ASN-KLYS | US | KELLYSUPPLY.COM | KELLY SUPPLY COMPANY
100.42.61.126|starfish.arvixe.com.|36351 | 100.42.61.0/24 | SOFTLAYER | US | ARVIXE.COM | ARVIXE LLC
108.168.131.219|s13.nzusatechgroup.com.|36351 | 108.168.128.0/19 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.
162.144.46.158|server.forkliftmarket.com.au.|46606 | 162.144.0.0/16 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
166.62.16.106|ip-166-62-16-106.ip.secureserver.net.|26496 | 166.62.16.0/22 | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
198.167.142.184|spanky.myserverplanet.com.|23033 | 198.167.142.0/24 | WOW | US | MYVIRPUS.COM | DNSSLAVE.COM
209.126.148.164||10439 | 209.126.128.0/17 | CARINET | US | PROENLACE.MX | CARI.NET
209.200.32.76|lazer.webair.com.|27257 | 209.200.32.0/19 | WEBAIR-INTERNET | US | WEBAIR.COM | WEBAIR INTERNET DEVELOPMENT COMPANY INC.
75.101.129.180|ec2-75-101-129-180.compute-1.amazonaws.com.|14618 | 75.101.128.0/17 | AMAZON-AES | US | AMAZON.COM | AMAZON.COM INC.
50.193.119.109|50-193-119-109-static.hfc.comcastbusiness.net.|7922 | 50.128.0.0/9 | COMCAST-7922 | US | COMCASTBUSINESS.NET | PLANET PARTS
177.87.80.17||262652 | 177.87.80.0/22 | R4C | BR | INTELIGNET.COM.BR | R4C SERVICOS DE INFORMATICA LTDA
187.16.21.42|forjastaurus.dominiotemporarioidc.com.|19089 | 187.16.21.0/24 | DH&C | BR | UOL.COM.BR | UNIVERSO ONLINE S.A.
91.221.99.35|h35-91.net.ix-host.ru.|50968 | 91.221.99.0/24 | HOSTMASTER | MD | IX-HOST.RU | HOSTMASTER LTD.
95.211.131.148|LLNH007.local.|16265 | 95.211.0.0/16 | FIBERRING | NL | LEASEWEB.COM | LEASEWEB B.V.
37.187.77.163|ns3366463.ip-37-187-77.eu.|16276 | 37.187.0.0/16 | OVH | FR | OVH.COM | OVH SAS
94.23.113.220||16276 | 94.23.0.0/16 | OVH | FR | OVH.COM | OVH SAS
194.27.156.249||8517 | 194.27.156.0/22 | ULAKNET | TR | - | CELAL BAYAR UNIVERSITESI
103.253.75.208||56309 | 103.253.72.0/22 | SIAMDATA | TH | - | TAN SPIRIT CO. LTD.
103.244.50.23||54113 | 103.244.50.0/24 | FASTLY | US | FASTLY.COM | FASTLY INC
116.193.76.20|sv20.quangtrungdc.name.vn.|24085 | 116.193.76.0/24 | QTSC-AS | VN | - | IP RANGE ALLOCATE FOR QTSC'S INTERNET DATA CENTER
184.107.246.98||32613 | 184.107.0.0/16 | IWEB-AS | CA | IWEB.COM | IWEB TECHNOLOGIES INC.
190.10.14.37|caam-190-10-14-a037.racsa.co.cr.|3790 | 190.10.14.0/24 | RADIOGRAFICA | CR | RACSA.CO.CR | SERVICIO CO-LOCATION RACSA
200.80.44.160|server.cubomagico.tv.|52270 | 200.80.44.0/24 | X | AR | IFXNW.COM.AR | NXNET
202.76.235.110||24218 | 202.76.224.0/20 | GTC-MY-PIP | MY | GLOBALTRANSIT.NET | GTC MY PIP NET
93.74.63.83|pedlarly-tack.volia.net.|25229 | 93.74.0.0/16 | VOLIA | UA | VOLIA.NET | KYIVSKI TELEKOMUNIKATSIYNI MEREZHI LLC
176.67.167.180||13213 | 176.67.160.0/20 | UK2NET | GB | UK2.NET | UK2 - LTD
82.165.36.8|s16296639.onlinehome-server.info.|8560 | 82.165.0.0/16 | ONEANDONE | DE | 1AND1.CO.UK | 1&1 INTERNET AG
82.200.168.83|82.200.168.83.adsl.online.kz.|9198 | 82.200.160.0/20 | KAZTELECOM | KZ | - | ENU
95.110.178.157|alodrink.eu.|31034 | 95.110.160.0/19 | ARUBA | IT | ARUBA.IT | ARUBA S.P.A.
103.7.84.13|web2.jabikha.net.|23950 | 103.7.84.0/24 | GENID-AS | ID | JABIKHA.NET | PT JARINGAN BISNIS KHATULISTIWA
89.206.41.50|host50-89-206-41.limes.com.pl.|29649 | 89.206.0.0/18 | LIMES | PL | LIMES.COM.PL | LIMES S.C.
85.232.60.34|futureis-3.titaninternet.co.uk.|20860 | 85.232.48.0/20 | IOMART | GB | TITANINTERNET.CO.UK | TITAN INTERNET LTD
91.130.113.149|d91-130-113-149.cust.tele2.at.|1257 | 91.128.0.0/14 | TELE2,S | EU | TELE2.AT | TELE2 TELECOMMUNICATION SERVICES GMBH
110.44.30.204|110-44-30-204.host.neural.net.au.|45844 | 110.44.28.0/22 | NEURALNETWORKS-AS | AU | NEURAL.NET.AU | NEURAL NETWORKS DATA SERVERS PTY. LTD.
83.168.199.4|static-83-168-199-4.cust.crystone.se.|35041 | 83.168.199.0/24 | NET-CRYSTONE | SE | CRYSTONE.SE | CRYSTONE AB
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
216.119.149.163|216.119.149.163.static.midphase.com.|32780 | 216.119.144.0/20 | HOSTINGSERVICES-INC | US | MIDPHASE.COM | HOSTING SERVICES INC.
184.106.196.169|184-106-196-169.static.cloud-ips.com.|19994 | 184.106.0.0/16 | RACKSPACE | US | RACKSPACE.COM | RACKSPACE HOSTING
67.23.9.241|67-23-9-241.static.cloud-ips.com.|33070 | 67.23.0.0/19 | RMH-14 | US | RACKSPACE.COM | RACKSPACE CLOUD SERVERS
216.228.104.39|lamp2.ncol.net.|11426 | 216.228.96.0/20 | SCRR-11426 | US | NCOL.NET | NCOL.NET INC.
82.222.172.99|host-82-222-172-99.reverse.superonline.net.|34984 | 82.222.172.0/24 | TELLCOM | TR | SUPERONLINE.NET | TELLCOM ILETISIM HIZMETLERI A.S.
184.107.144.146||32613 | 184.107.0.0/16 | IWEB-AS | CA | - | POLLOCK NEAL
23.251.144.200|200.144.251.23.bc.googleusercontent.com.|15169 | 23.251.128.0/19 | GOOGLE | US | GOOGLE.COM | GOOGLE INC.

Simple GeoIP map for the above list: http://malwaremustdie.org/stat/mayhem.html
I will try to do daily update the IP list here (not a promise) http://blog.malwaremustdie.org/2014/10/ ... ayhem.html

[K_Mikhail]

Suddenly still alive...

https://www.virustotal.com/ru/file/9b65 ... 415215707/

[unixfreaxjp]

Suddenly still alive...

Same one found here too, it was source attack is Ukraine IP.
Installer at VT: https://www.virustotal.com/en/file/9b65 ... 415776068/
Callbacks goes to the .RU (Russia domain) < the name suggested relation for previous domains used.

Code: Select all

Domain: shaman-3ruki.ru
IP: 144.76.232.59 Port: 80
Request: POST /hyi/ssbot.php HTTP/1.0

Decoded syscalls:
DNS

Code: Select all

DNSRequest { connect(%d, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}
send(%d,"\2506\1\0\0\1\0\0\0\0\0\0\fshaman-3ruki\2ru\0\0\1\0"..., %d, %t);
recvfrom(%d,"\2506\201\200\0\1\0\1\0\2\0\2\fshaman-3ruki\2ru\0\0\1\0"..., %d, FLAG, }

BackConnnect
CallBack { connect(%d, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("144.76.232.59")}, %d)

Code: Select all

write(%d, "POST /hyi/ssbot.php HTTP/1.0\r\nHo");
read(%d, "HTTP/1.1 200 OK\r\nDate: Wed, 12 N", $d);
read(%d, "", $RESPONSE);
close(6) }

CNC:

Code: Select all

CNCInitial {
POST /hyi/ssbot.php HTTP/1.0
Host: shaman-3ruki.ru
Pragma: 1337
Content-Length: 15

poll,0,,1343,1

HTTP/1.1 200 OK
Date: Wed, 12 Nov 2014 07:21:41 GMT
Server: Apache/2.2.22 (@RELEASE@)
X-Powered-By: PHP/5.3.3
Content-Length: 3
Connection: close
Content-Type: text/html; charset=UTF-8
0,}

Also POCing all of these:

CNC is in YOUR-SERVER.DE/HETZNER network, ISP: Deutschland/Germany:

Code: Select all

144.76.232.59|static.59.232.76.144.clients.your-server.de.|24940 | 144.76.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | COREM

CNC domain registration info:

Code: Select all

domain:        SHAMAN-3RUKI.RU
nserver:       ns1.r01.ru.
nserver:       ns2.r01.ru.
state:         REGISTERED, DELEGATED, VERIFIED
person:        Private Person
registrar:     R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created:       2014.10.18
paid-till:     2015.10.18
free-date:     2015.11.18
source:        TCI
Last updated on 2014.11.12 11:21:30 MSK

Will add some more goodies, hold on.. #MalwareMustDie.
(sample was same as per post by @K_Mikhail)

[K_Mikhail]

021af5de194024c0c76431ec6868534a250214e9

VT knows it from May 2014, but detection ratio is still poor.

[K_Mikhail]

Possibly, fresh:
541bfccc1c1980e062c0a3df30a2cd6c
a138999e7a0b22f9ea59d199ebae3d11

[sysopfb]

C2:
195.154.162.244/mayhem.php

panel is at /123.php

[unixfreaxjp]

Mayhem attack from Ukraine.
Reported in VT, please read the comment, has VERY useful information: https://www.virustotal.com/en/file/6aa4 ... 434628014/ ..And here: https://twitter.com/MalwareMustDie/stat ... 7612307456

Attacker:

Code: Select all

  "ip": "46.118.119.63",
  "hostname": "SOL-FTTB.63.119.118.46.sovam.net.ua",
  "city": null,
  "country": "UA",
  "loc": "50.4500,30.5233",
  "org": "AS15895 Kyivstar PJSC"

CNC:

Code: Select all

  "ip": "176.119.3.244",
  "hostname": "No Hostname",
  "city": null,
  "country": "UA",
  "loc": "50.4500,30.5233",
  "org": "AS58271 FOP Gubina Lubov Petrivna"

Installer:

CNC syscalls:

Traffic:

CNC Domain used & IP routes of CNC

Initial detection antivirus for the installer (PHP): 7/47

Initial detection IDS (ET sigs)


Panel is up in the CNC ip. Samples, the encrypted drive and drops are attached & shared here.
Pls support us, and help take this down. #MalwareMustDie!

[unixfreaxjp]

The current attack pattern on the wordpress users to inject Mayhem is in progress. Noted that fake user-agents.
If you see these access coming from Ukraine please help to report right away:




And this is the access for malware installer execution, the Ukraine attacker is seemed abusing Russian network in SPB for the botnet panel.

[K_Mikhail]

5bbdecf6844ded06e88c4d9e89ae19d3 (bruteforce.so)
77f48245b2b1b99e4da685902c28aa64 (crawler.so)