Ruby on Rails flaw being used to recruit servers to botnets

Malware peddlers are trying their luck with Ruby on Rails servers that admins haven't patched.
Written by Liam Tung, Contributing Writer

Criminals are using an old weakness in the Ruby on Rails web application framework to recruit vulnerable servers into a botnet.

Developers running Ruby on Rails should install an update that was released in late January for a serious remote execution flaw that attackers began exploiting in the past week.

Security expert Jeff Jarmoc, who discovered the exploit, notes it has caused server troubles for some running vulnerable versions of Ruby on Rails.

The exploit causes the server to download and execute a series of files from domains known to host malware before setting up an internet relay chat (IRC) protocol bot connected to the domain cvv4you.ru that joins the channel #rails.

"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc wrote.

Versions of Ruby on Rails prior to 3.2.11, 3.1.10, 3.0.19, and 2.3.15 are vulnerable, according to Cisco.
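A quick way for an administrator to check whether a deployed application sits on a fixed release is to compare its Rails version against the first patched release of its branch. The script below is an added example, not code from the article or from the Rails project; it uses only the four fixed versions quoted above, so any other branch is reported as unknown rather than guessed at. The `Gemfile.lock` fragment and the `rails --version` output it parses are constructed samples.

```ruby
# Added example: classify a Rails version against the fixed releases the
# article quotes (3.2.11, 3.1.10, 3.0.19, 2.3.15). Anything on another
# branch is reported as :unknown_branch, not assumed safe.
require 'rubygems' # provides Gem::Version for correct numeric comparison

FIXED_RELEASES = {
  '3.2' => Gem::Version.new('3.2.11'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.0' => Gem::Version.new('3.0.19'),
  '2.3' => Gem::Version.new('2.3.15')
}.freeze

# Returns :patched, :vulnerable, :unknown_branch, or :invalid.
# String comparison would get "3.2.9" vs "3.2.11" wrong, hence Gem::Version.
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string.strip)
  branch = version.segments.first(2).join('.')
  fixed = FIXED_RELEASES[branch]
  return :unknown_branch unless fixed

  version >= fixed ? :patched : :vulnerable
rescue ArgumentError
  :invalid
end

# Pull the pinned rails version out of a Gemfile.lock's "specs:" section.
# Only lines whose version starts with a digit are accepted, so the
# "rails (= x.y.z)" dependency line is ignored.
def audit_gemfile_lock(lock_text)
  match = lock_text.match(/^\s+rails \((\d[^)]*)\)/)
  return :not_found unless match

  rails_patch_status(match[1])
end

# Parse the output of `rails --version`, e.g. "Rails 3.2.10".
def audit_rails_version_output(output)
  match = output.match(/Rails\s+(\S+)/)
  return :not_found unless match

  rails_patch_status(match[1])
end

# Constructed sample lock file (not taken from any real deployment).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        railties (= 3.2.10)
      railties (3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "Gemfile.lock sample: #{audit_gemfile_lock(SAMPLE_GEMFILE_LOCK)}"
  puts "rails --version sample: #{audit_rails_version_output('Rails 3.2.11')}"
end
```

Run it against a real `Gemfile.lock` by reading the file into `audit_gemfile_lock`; a `:vulnerable` result means the pinned release predates the fix for that branch and the update should be applied.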

The attack on Ruby on Rails servers follows similar web server attacks, including a recently discovered backdoor for Apache web servers that followed earlier malicious modules of Apache.

Security researcher and Metasploit framework founder HD Moore called the Ruby on Rails bug by far the worst security problem to surface in this framework to date when it was disclosed in January.

However, due to its widespread use in websites and web-enabled products, he expected the vulnerability to persist on servers for years to come.
