VXers Shellshocking embedded BusyBox boxen
It's 2014 and some people are still using default user names and passwords
Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says.
Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and Android phones running BusyBox to brute force logins through a preset list of usernames and passwords.
Trend Micro's Inocencio said the variant would download and run bin.sh and bin2.sh scripts to gain control over BusyBox systems once a connection was established.
"Remote attackers can possibly maximise their control on affected devices by deploying other components or malicious software into the system depending on their motive," Inocencio said.
"As such, a remote attacker can issue commands or download other files on the devices thus compromising its security."
Attackers attempted to log in using the user names 'root', 'admin' and 'support' with common and default passwords such as 'toor', 'password' and '123456'.
Inocencio urged users to change default usernames and passwords, and to disable remote shells where possible.
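For defenders, the login pattern described above can be spotted in a device's authentication log. The following Python is an added example, not code from Trend Micro or from the original article; the log line format, the `classify_sources` name, the threshold and the sample addresses are all constructed assumptions.

```python
import re
from collections import defaultdict

# User names the article reports the malware trying.
WATCHED_USERS = {"root", "admin", "support"}

# Constructed log format (assumption, adapt to the device's real log):
#   <timestamp> login: <FAILED|OK> user=<name> from=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def classify_sources(lines, min_failures=3):
    """Map each brute-forcing source IP to 'probing' or 'compromised'."""
    failures = defaultdict(int)
    verdict = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] not in WATCHED_USERS:
            continue
        src = m["src"]
        if m["result"] == "FAILED":
            failures[src] += 1
            if failures[src] >= min_failures:
                verdict.setdefault(src, "probing")
        elif failures[src] >= min_failures:
            # A success after a run of failures means a guess worked:
            # treat the device as taken over and investigate.
            verdict[src] = "compromised"
    return verdict

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2014-11-14T02:10:01Z login: FAILED user=root from=203.0.113.7
2014-11-14T02:10:02Z login: FAILED user=admin from=203.0.113.7
2014-11-14T02:10:03Z login: FAILED user=support from=203.0.113.7
2014-11-14T02:10:04Z login: OK user=admin from=203.0.113.7
2014-11-14T02:15:10Z login: FAILED user=root from=198.51.100.20
2014-11-14T02:15:11Z login: FAILED user=root from=198.51.100.20
2014-11-14T02:15:12Z login: FAILED user=root from=198.51.100.20
2014-11-14T09:00:00Z login: FAILED user=root from=192.0.2.5
2014-11-14T09:00:20Z login: OK user=root from=192.0.2.5
""".splitlines()

if __name__ == "__main__":
    for src, state in classify_sources(SAMPLE_LOG).items():
        print(src, state)
```

A source marked "compromised" is the case to act on first: the device accepted one of the guessed logins, so its credentials should be changed and the box checked for downloaded scripts.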
Attackers have used the critical ShellShock Bash command vulnerability (CVE-2014-6271) to build botnets from hijacked devices, launch denial of service attacks, and target network attached storage boxes among other exploits.
Most Fortune 1000 organisations patched ShellShock when fixes became available in September due to the high risk it posed. ®