Administrators are being urged to update their Ruby on Rails servers following the discovery of an active malware campaign targeting vulnerable versions of the web development framework.
Researcher Jeff Jarmoc said that the attack, which was spotted earlier this week and is now believed to have been partially disabled, exploits flaws in vulnerable versions of Ruby on Rails to infect targeted systems with a malware payload. That payload then attempts to establish an IRC connection to what is likely a command and control system.
The attacks suggest that the infected servers are possibly being drawn into a larger network for additional cybercrime operations.
“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc explained. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
Despite the danger posed by the attack, administrators can protect themselves by updating to the latest version of Ruby on Rails. A patch for the targeted vulnerabilities has been available since early this year, and all Ruby on Rails servers running versions 3.0.20 and 2.3.16 and later will be protected from the exploit.
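A quick way for an administrator to confirm the fix level described above is to compare the Rails version pinned in an application's Gemfile.lock against the fixed versions the article names. The following is an added example, not code from the article or from the Rails project; the thresholds (3.0.20 and 2.3.16 and later, read here as 2.3.16+ for the 2.3 series and 3.0.20+ for everything else) come from the article, and the Gemfile.lock text is constructed sample input.

```ruby
require 'rubygems' # provides Gem::Version for correct version ordering

# Fixed versions named in the article, keyed by release series.
# Interpretation: 2.3.x needs 2.3.16 or later; all other versions need 3.0.20 or later.
FIXED_VERSIONS = {
  '2.3' => Gem::Version.new('2.3.16'),
  '3.0' => Gem::Version.new('3.0.20'),
}.freeze

# Constructed sample Gemfile.lock pinning a pre-fix Rails release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.0.19)
        actionmailer (= 3.0.19)
        railties (= 3.0.19)
      railties (3.0.19)
        rake (>= 0.8.7)

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

# Return the locked rails version from Gemfile.lock text, or nil if absent.
# Only the 4-space-indented "specs" entry is matched, not dependency lines.
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rails \(([\d.]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Classify a Rails version string as :patched, :vulnerable or :unknown
# (versions outside the series the article covers, e.g. 2.2.x).
def rails_patch_status(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments.first(2).join('.')
  if series == '2.3'
    v >= FIXED_VERSIONS['2.3'] ? :patched : :vulnerable
  elsif v >= FIXED_VERSIONS['3.0']
    :patched
  elsif v.segments.first == 3
    :vulnerable # 3.0.0 through 3.0.19
  else
    :unknown
  end
end

# Audit a lockfile: returns [version_string, status] or [nil, :no_rails].
def audit_lockfile(lock_text)
  v = rails_version_from_lockfile(lock_text)
  v ? [v.to_s, rails_patch_status(v.to_s)] : [nil, :no_rails]
end

puts audit_lockfile(SAMPLE_LOCKFILE).inspect if __FILE__ == $PROGRAM_NAME
```

Run against a real Gemfile.lock with `File.read`; a result of `:vulnerable` means the pinned Rails release predates the fix the article describes.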
A popular platform for web development, Ruby on Rails has not traditionally been the popular attack target that platforms such as Java have become. Because of the high risk posed by a successful attack, however, the platform could become more attractive to cyber criminals.
Chester Wisniewski, senior security advisor at Sophos, told V3 that the high value of Linux servers is enough to lure attackers even to platforms that are not deployed on a massive scale.
“Anytime there is a vulnerability in a widely deployed software stack like Ruby on Rails it takes years for all of the server administrators around the world to get around to patching it,” Wisniewski explained.
“In fact it is likely far worse on Linux computers, which are perceived to be more secure and are not patched on a regular schedule like Windows, Java, Flash and other widely exploited software packages.”