Old Ruby On Rails Bug Exploited To Feed Botnet

A five-month-old vulnerability in Ruby on Rails is being exploited to rope servers into a botnet, even though a patch was issued not long after the bug emerged.

The flaw, which is now only resident on old versions of the framework, lies in the XML parsing functionality and could be exploited just by making a request to an application based on Ruby on Rails.

Security researcher Jeff Jarmoc found malicious actors were throwing a C source file called k.c at vulnerable servers, forcing them to join an Internet Relay Channel (IRC) and become part of a simple, yet potentially troublesome, botnet.

How the botnet works

“It sets up an IRC bot, which connects to either cvv4you.ru (currently 188.190.124.81) or the bare IP 188.190.124.120 and joins the channel #rails,” Jarmoc explained.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers. There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

“In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months.”

Indeed, the big concern is that IT teams have not updated their systems. Sysadmins could be to blame, but business processes may also be a serious issue preventing patching.

Tal Be’ery, Imperva web research team leader, said the failure to patch would have been caused by a variety of issues.

“Why didn’t the exploited servers owners patch there server, although they had at least 4 months to do so?” he asked.

“It could be any of these reasons:

  • The admin’s didn’t know about the vulnerability or patch.

  • There is not an automated patching system.

  • The admin wanted to install the patch but were prevented from doing so, due to development team requirements.”

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

SoftBank Promises To Invest $100bn In US

Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…

10 hours ago

Synopsys, SiMa.ai To Collaborate On AI Car Chips

Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…

10 hours ago

AI Start-Up Basis Raises $34m For Accountancy Agent

Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…

11 hours ago

Databricks Raises $10bn In Huge AI Funding Round

Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…

11 hours ago

Congo Files Complaints Against Apple Over Conflict Minerals

Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…

12 hours ago