Security researchers have unearthed a malicious worm that is designed to plant backdoors on network-attached storage (NAS) systems made by Taiwan-based QNAP and gain full access to the contents of those devices.
The worm is spread among QNAP devices, which run an embedded Linux operating system, by the exploitation of the GNU Bash vulnerability known as ShellShock or Bash, according to security researchers at the Sans Institute.
QNAP vendor released a patch
in early October to address the flaw in its Turbo NAS product, but because the patches are not automatic or easy to apply for many users, so a statistically significant portion of systems remain vulnerable and exposed to the Bash bug
was among the critical and serious Internet vulnerabilities uncovered this year, as the vulnerability in Bash, aka the GNU Bourne Again Shell
, affects Linux and UNIX distributions to a large extent, but also Windows in some cases. The flaw exploits a bug in GNU Bash that gives attackers the ability to run execute shell commands of their choice remotely on vulnerable systems using specifically crafted variables.
“The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices,” Johannes B. Ullrich, head of the Internet Storm Center at the SANS Institute, wrote in the blog post published Sunday. “This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware.”
Once the device is infected by the worm, malicious components also execute a script that makes the device to carry out click fraud scam against an online advertising network JuiceADV. A number of other scripts are also installed on the infected system. The worm is dangerous because the “infected devices have been observed scanning for other vulnerable devices,” Ullrich said.
According to the researcher, the infected systems are equipped with a secure shell (SSH) server on port 26 and a new administrative user, which gives the attackers a determined backdoor to hide into the device at any time in the future.
“The DNS change is likely made to avoid logging and potentially blacklisting of any affected domains,”Ullrich said. “The SSH server is a second SSH server that is being launched, in addition to the normal SSH server on port 22. This second SSH server, and the additional user added to the system, provides the attacker with persistent access to the system.”
More interestingly, the worm also patches the notorious Shellshock vulnerability on the infected devices by downloading and applying the security updates from QNAP and reboot the device, in order to prevent other attackers from taking over the compromised device.