Another day, another ShellShock vector: today is the turn of the SMTP

SANS Internet Storm Center announced that some web hosting providers reports a strange activity that appears to be a shellshock exploit attempt via SMTP.

Remote code execution

The Register jokes about this news:

Shellshock over SMTP attacks mean you can now ignore your email

‘But boss, the Internet Storm Centre says it’s dangerous for me to reply to you’

Attackers are using Shellshock exploits in order to drop a perl script onto compromised computers.

The script adds the hacked servers to a botnet that receives its commands over IRC, said Binary Defense Systems:

We recently became aware of a SMTP botnet campaign occurring for a number of large-scale customers targeting SMTP gateways with Shellshock based attacks.

The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields (targets every main header field in order to download the perl botnet script).

The payload is an IRC perl bot with simple DDoS commands and the ability to fetch and execute further code.

Watch out and…update your bash!

Published: October 29 2014