Database destroying worm menaces Linux and Windows servers

Xbash code to exploit Redis file write and remote command execution vulnerability.

Botnet, ransomware and coin mining rolled into one malware.

Researchers from security vendor Palo Alto Networks are warning about a new strain of malware that destroys databases running on Linux systems in a similar manner to the NotPetya outbreak that resulted in costly damage earlier this year.

Palo Alto Networks’ Unit 42 researchers termed the malware Xbash. It poses as ransomware that deletes databases and demands 0.02 Bitcoin (A$175.50 currently) to restore the information stores from a backup.

However, even if victims pay the ransom, the databases will not be restored as Xbash does not contain the functionality to do that and nothing has been backed up.

The researchers monitored Bitcoin wallets used by the attackers, and found 48 incoming transactions in them, totalling around US$6000 (A$8300) since May this year.

Xbash uses command and control servers linked to the Iron Group which is known for past ransomware attacks using stolen source code from law enforcement malware vendor The Hacking Team, the researchers said.

Written in the Python coding language, Xbash is a combined threat vector that attempts to exploit multiple vulnerabilities in unpatched and insecure systems.

It has worm-like capabilities and also targets Microsoft Windows servers, downloading JavaScript and VBScript code for coin mining and self-propagation.

The malware scans both internet protocol addresses and domain names looking for common remote access services and databases running on servers, and runs brute-force credential-guessing attacks against them.
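One defender-side way to look for the chain described above (a burst of failed logins against a database service, followed by databases being dropped) is an added example here, not code from the article or from Unit 42; the log events, the failure threshold and the time window are constructed assumptions:

```python
# Added example: detect an Xbash-style sequence in authentication/audit events.
# Events are constructed for this example: (timestamp_seconds, source_ip, event, detail)
from collections import defaultdict

FAIL_THRESHOLD = 5    # failed logins within the window that count as brute force (assumed tuning)
WINDOW_SECONDS = 60   # sliding window for counting failures (assumed tuning)

SAMPLE_EVENTS = [
    (0, "203.0.113.7", "auth_fail", "root"),
    (1, "203.0.113.7", "auth_fail", "admin"),
    (2, "203.0.113.7", "auth_fail", "mysql"),
    (3, "203.0.113.7", "auth_fail", "test"),
    (4, "203.0.113.7", "auth_fail", "admin"),
    (6, "203.0.113.7", "auth_ok", "admin"),      # guessed credential succeeded
    (7, "203.0.113.7", "drop_db", "customers"),  # destruction after the burst
    (8, "203.0.113.7", "drop_db", "orders"),
    (0, "198.51.100.5", "auth_fail", "app"),      # two typos from a legitimate user
    (1, "198.51.100.5", "auth_fail", "app"),
    (3, "198.51.100.5", "auth_ok", "app"),
    (40, "198.51.100.5", "drop_db", "staging"),   # routine drop, no brute-force burst
    (10, "192.0.2.9", "auth_fail", "root"),       # brute force that never got in
    (11, "192.0.2.9", "auth_fail", "root"),
    (12, "192.0.2.9", "auth_fail", "root"),
    (13, "192.0.2.9", "auth_fail", "root"),
    (14, "192.0.2.9", "auth_fail", "root"),
    (15, "192.0.2.9", "auth_fail", "root"),
]


def find_bruteforce_then_destroy(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return {'brute_force': [sources], 'destructive': {source: [dropped dbs]}}.

    Events are walked in time order. Per source, failed-login timestamps inside
    the sliding window are kept; once they reach the threshold the source is a
    brute-force source, and any later drop_db from it is recorded as destructive.
    """
    recent_fails = defaultdict(list)  # source -> timestamps of failures in window
    brute_force = set()
    destructive = {}
    for ts, src, event, detail in sorted(events):
        if event == "auth_fail":
            kept = [t for t in recent_fails[src] if ts - t <= window] + [ts]
            recent_fails[src] = kept
            if len(kept) >= fail_threshold:
                brute_force.add(src)
        elif event == "drop_db" and src in brute_force:
            destructive.setdefault(src, []).append(detail)
    return {"brute_force": sorted(brute_force), "destructive": destructive}
```

Sources that only brute-forced are worth blocking too; the destructive list is the one that also needs the backup and restore checks the article recommends.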

Xbash also contains unused functionality to scan enterprise intranets, and this could be enabled in future versions of the malware, Unit 42 said.

The researchers advised users to protect themselves against Xbash by changing default login credentials on systems, and to use strong, unique passwords.

Users should also apply security updates and prevent access to unknown internet hosts, to cut off communication to command and control servers used by the malware and back up their data.
