Linux Trojan dropped via CVE-2014-6271 vulnerability

October 3, 2014

The Dell SonicWALL Threats Research team has received reports of a Linux DDoS Trojan that is dropped onto systems vulnerable to CVE-2014-6271 (GNU Bash Code Injection Vulnerability). The Trojan can leak sensitive system information and is designed primarily for DDoS attacks using various methods. A SonicAlert describing CVE-2014-6271 was released earlier this week.

Infection Cycle:

Upon successful infection and execution via the vulnerability, the Trojan connects to a predetermined C&C server IP address on port 5. The IP address is hardcoded in the binary:

The Trojan contains the following DDoS capabilities as seen in the binary:

The C&C server can issue the following commands:

      GETLOCALIP
      SCANNER
      HOLD
      JUNK (flood)
      UDP (flood)
      TCP (flood)
      KILLATTK
      LOLNOGTFO
      DUP (disconnect from C&C)

The Trojan also contains a brute-force password attack module. The following weak passwords were discovered in the binary:

The following strings were found in the binary. These strings indicate that the Trojan gathers network, CPU, kernel and memory information from the infected system:

As seen in the screenshot above, the Trojan employs the following BusyBox command:

      /bin/busybox;echo -e '147141171146147164'

The output of the command differs depending on the system it is run on, so the Trojan can use it to differentiate between systems.
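The three host- and network-visible indicators in this write-up (the CVE-2014-6271 injection pattern in an HTTP request header, the BusyBox fingerprint command above, and the outbound C&C connection on TCP port 5) can be turned into simple detection checks. The script below is an added example, not SonicWALL's code; the header and flow records are constructed samples, the record schema is an assumption, and the Shellshock regex is a coarse pattern that will also catch harmless `() { … };` text, so treat its hits as leads for triage rather than confirmed infections.

```python
"""Detection sketch for the Shellshock-delivered Linux flooder described above.

Added example; not SonicWALL's code. Three indicators are drawn from the
write-up: the CVE-2014-6271 injection pattern in HTTP request headers, the
BusyBox fingerprint command the Trojan runs, and the outbound C&C connection
on TCP port 5. All sample inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# CVE-2014-6271: a Bash function definition "() { ... }" with extra commands
# appended after the closing brace. Matches the classic "() { :; }; ..." form.
# Coarse on purpose; expect some benign hits.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# The BusyBox fingerprint command quoted in the write-up (echo -e with a fixed
# string after invoking /bin/busybox). Whitespace tolerant.
BUSYBOX_FP_RE = re.compile(r"/bin/busybox\s*;\s*echo\s+-e\s+'147141171146147164'")

C2_PORT = 5  # hardcoded C&C port reported in the analysis


@dataclass(frozen=True)
class Finding:
    source: str      # "http" or "netflow"
    indicator: str   # which rule fired
    evidence: str    # the offending header or flow


def scan_http_headers(headers: dict) -> list:
    """Return findings for one request's headers (name -> value)."""
    findings = []
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            findings.append(Finding("http", "cve-2014-6271-injection", f"{name}: {value}"))
        if BUSYBOX_FP_RE.search(value):
            findings.append(Finding("http", "busybox-fingerprint", f"{name}: {value}"))
    return findings


def scan_flow(record: dict) -> list:
    """Flag outbound TCP connections to the hardcoded C&C port.

    Record keys (assumed schema): src, dst, dport, proto, direction.
    """
    if (record.get("proto") == "tcp" and record.get("direction") == "out"
            and record.get("dport") == C2_PORT):
        return [Finding("netflow", "c2-port-5",
                        f"{record['src']} -> {record['dst']}:{record['dport']}")]
    return []


# Constructed sample data (not captured from a real incident). The second
# request reuses the fingerprint command from the write-up as the injected body.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Accept": "*/*"},
    {"User-Agent": "() { :; }; /bin/busybox;echo -e '147141171146147164'", "Accept": "*/*"},
]
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20", "dport": 443, "proto": "tcp", "direction": "out"},
    {"src": "192.0.2.10", "dst": "203.0.113.7", "dport": 5, "proto": "tcp", "direction": "out"},
]


def run_demo() -> list:
    """Run both scanners over the constructed samples and return all findings."""
    findings = []
    for req in SAMPLE_REQUESTS:
        findings.extend(scan_http_headers(req))
    for flow in SAMPLE_FLOWS:
        findings.extend(scan_flow(flow))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.source}] {f.indicator}: {f.evidence}")
```

On the constructed samples this reports the injection and the fingerprint string from the second request and the port-5 flow, and nothing for the benign request or the HTTPS flow. In practice the header check belongs on the web tier (proxy or WAF logs, where the `()` pattern in any header or CGI variable is the signal), while the port check belongs on egress flow data, where a plain TCP session to port 5 from a web host stands out.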

The functionality of the Trojan can be summarized as follows:

  • System fingerprinting attempts using BusyBox
  • Ability to leak sensitive system information
  • Perform DDoS attacks using various methods
  • Brute force authentication attacks

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Linux.Flooder.SS (Trojan)