Cisco Security Intelligence Operations is tracking reports of ongoing exploitation of a vulnerability in the popular web application framework Ruby on Rails that creates a Linux-based botnet. The vulnerability dates back to January 2013 and affects Ruby on Rails versions prior to 3.2.11, 3.1.10, 3.0.19, and 2.3.15.  Cisco Security Intelligence Operations’ has previously published an analysis of CVE-2013-0156. Cisco is receiving reports of attempted infection from Cisco IPS customers participating in Global Correlation.

Botnet C2 Code

This is an example of a trend we have been observing with botnets moving to the data center that we believe are in search of greater computing and network resources. It began back in 2008 with the Asprox botnet, which infected vulnerable web applications written using Microsoft’s ASP.net and Adobe’s ColdFusion toolkits. Infected personal computers would exploit SQL injection vulnerabilities in web applications that did not sanitize numeric inputs. Visitors to the affected websites would be exposed to a “drive-by download” that could make their PC a member of the Asprox botnet. Recently, we have seen backdoors installed on Apache web servers and on cPanel installations with similar intentions. We also believe that the recent 300gbps DDOS attack on Spamhaus may have originated from similarly compromised data center hosts.

Presently, webservers impacted by this threat join a botnet that is controlled over Internet Relay Chat (IRC). The remote control software is capable of downloading files and executing arbitrary shell commands. The botnet’s remote control software does not implement access control, which permits anyone who connects to the IRC server to remotely control an affected system. IRC is often used as a simple command and control protocol to control botnets and should be blocked unless required.

The combination of Ruby on Rails’ popularity, the widespread use of this exploit, and the lack of access control on impacted systems make this threat particularly dangerous for many organizations. We have assembled some Indicators of Compromise (IOCs) to help you assess whether or not your network has been impacted by this threat.

  • HTTP connections to colkolduld.com, lochjol.com, ddos.cat.com, and
  • DNS resolution of colkolduld.com, lochjol.com, ddos.cat.com, and cvv4you.ru
  • TCP connections on port 6667 to cvv4you.ru
  • Cisco IPS signature 1802/0

We recently published the short series  “Security Logging in an Enterprise, Part 1” and “Security Logging in an Enterprise, Part 2”. Cisco has invested in the infrastructure required to log network events and they can be used by the Computer Security Incident Response Team (CSIRT) for investigations and forensics, including monitoring for IOCs like those described above. Of particular interest is NetFlow logging which is supported through Cisco’s partnership with Lancope for Cyber Threat Defense, and log data collected from our deployment of Cisco Web Security Appliances. Cisco Security customers can use data from these and several other products with their Security Information and Event Management (SIEM) system. This includes:

  • Cisco Intrusion Protection System appliances detect infection attempts.
  • Cisco Web Security Appliance (WSA) logs the HTTP requests to the first set of command and control servers.
  • Cisco Adaptive Security Appliance Next Generation Firewall (ASA-CX) with Botnet Traffic Filter can be used to find the DNS queries for the HTTP and IRC servers.
  • Lancope StealthWatch can be queried for NetFlows to the HTTP and IRC servers.

Cisco Security highly recommends that their Intrusion Protection System customers enable Global Correlation and Network Participation on their devices. Participating in the SensorBase Network gives your network extra protection from threats by enabling Cisco Security to better see and respond rapidly to attacks as they happen across the internet. One example is the massive spam campaign that Cisco recently observed using customer data from Email Security Appliances. Data from this attack was used to protect not only email customers, but web security and IPS customers as well. One customer enabling global correlation can help protect millions of other customers.