Shellshock NAStiness: a worm is backdooring storage devices using Bash flaw

December 29, 2014

The Shellshock bug has proved to be “wormable”: a worm is exploiting vulnerable network-attached storage devices (by QNAP at least) and scanning for more potential victims. While it is not exactly a Christmas-time story, it’s important nevertheless. The backdoored NAS devices can be used as a staging point for other types of attacks.

The worm opens a backdoor to QNAP NAS devices, which are in “significant” use worldwide. QNAP has actually released a patch for the Bash vulnerability in its Turbo NAS products – maybe a bit late, given that Shellshock had been discovered months prior, but still it has been done, in October. It’s December now, and apparently there are still many vulnerable – i.e. unpatched – devices around, which may cost the businesses operating them quite a lot.

In fairness, applying Bash patches may be a chore. First, it’s not apparent that a patch exists unless the device’s admin console is accessed. Second, patching requires a reboot, which may be a problem if the device is used as an iSCSI target in a virtual environment: all VMs then have to be taken down or moved to a different device. A service disruption is almost inevitable.

Actually, as we know, even the Linux vendors have had issues with releasing patches. But patching is possible, and it needs to be done ASAP.


The worm in question targets a QNAP CGI script, /cgi-bin/authLogin.cgi, which has been targeted by Shellshock exploits in the past, says Threatpost. The script can be accessed without authentication, and the attackers in this case then launch a shell script capable of downloading additional malware.

Backdooring this sort of device means that attackers gain a foothold in the targeted entity’s infrastructure. Consequences may be unpleasant, to say the least: ransomware slithering in through such a backdoor is not just a viable scenario – it has actually been observed before, with Synology NAS devices.

There are a couple of peculiarities with this worm. First, it apparently also launches a click-fraud script against the JuiceADV advertising network (money, always money). The script also creates a hidden directory where it stores downloaded scripts and files. Once on a compromised machine, it sets the DNS server to – apparently to avoid logging and potential blacklisting of the affected domains – and creates an SSH server on port 26, in addition to the normal SSH server on port 22. This is apparently done for persistence’s sake.

But the most interesting thing is that the script also downloads and installs the Shellshock patch from QNAP (!) – not because it is such a sweetheart, but simply to prevent any other attackers from impinging upon the infected system.
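A triage check for two of the indicators described above: requests to /cgi-bin/authLogin.cgi that carry a Bash function definition in a header, and an extra SSH listener on port 26. This is an added example, not code from the original article, Threatpost or QNAP; the Apache "combined" log format, the `ss -ltn` style listing, the sample data and the function names are assumptions constructed for illustration.

```python
import re

CGI_PATH = "/cgi-bin/authLogin.cgi"   # CGI script named in the article
FUNC_DEF = re.compile(r"\(\)\s*\{")   # Bash function-definition marker that Shellshock abuses
BACKDOOR_PORT = 26                    # extra SSH listener described in the article

# Assumed Apache "combined" format: ip - - [ts] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample data (documentation IP ranges, harmless echo in the header).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Dec/2014:10:00:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Dec/2014:10:00:05 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [29/Dec/2014:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 90 "-" "() { :; }; echo probe"',
]
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:26         0.0.0.0:*
"""

def suspicious_requests(lines):
    """Return (ip, timestamp, header) for authLogin.cgi hits with a function definition in a header."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != CGI_PATH:
            continue  # unparseable line, or a request to some other path
        for header in ("referer", "agent"):
            if FUNC_DEF.search(m[header]):
                hits.append((m["ip"], m["ts"], header))
                break
    return hits

def listeners_on_port(ss_output, port=BACKDOOR_PORT):
    """Return local addresses in LISTEN state on `port`, given `ss -ltn` style text."""
    found = []
    for row in ss_output.splitlines():
        cols = row.split()
        if len(cols) >= 4 and cols[0] == "LISTEN" and cols[3].rsplit(":", 1)[-1] == str(port):
            found.append(cols[3])
    return found

if __name__ == "__main__":
    print("Shellshock-style requests:", suspicious_requests(SAMPLE_LOG))
    print("Listeners on port 26:", listeners_on_port(SAMPLE_SS))
```

A hit from either function is a reason to inspect the device further, not proof of infection; a patched Bash on the device does not rule out compromise, since the worm installs the patch itself.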

In a nutshell, IT staff responsible for these devices’ security should apply patches themselves, or a worm will do it. At a price.

For more details visit this Threatpost article.