SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
2 Oct 2014

Hackers are already using the Shellshock

Multiple attacks were already taking advantage of that vulnerability, a long-standing but undiscovered bug in the Linux and Mac tool Bash that makes it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request. 

With a bug as dangerous as the “shellshock” security vulnerability discovered, it takes less than 24 hours to go from proof-of-concept to pandemic. 

The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers’ commands. And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers. The attack is simple enough that it allows even unskilled hackers to easily piece together existing code to take control of target machines, says Chris Wysopal, chief technology officer for the web security firm Veracode.

“People are pulling out their old bot kit command and control software, and they can plug it right in with this new vulnerability,” he says. “There’s not a lot of development time here. People were compromising machines within an hour of yesterday’s announcement.”

Wysopal points to attackers who are using a shellshock exploit to install a simple Perl program found on the open source code site GitHub. With that program in place, a command and control server can send orders to the infected target using the instant messaging protocol IRC, telling it to scan other networked computers or flood them with attack traffic. “You install it on the server that you’re able to get remote command execution on and now you can control that machine,” says Wysopal.

The hackers behind another widespread exploit using the Bash bug didn’t even bother to write their own attack program. Instead, they rewrote a proof-of-concept script created by security researcher Robert David Graham Wednesday that was designed to measure the extent of the problem. Instead of merely causing infected machines to send back a “ping” as in Graham’s script, however, the hackers’ rewrite instead installed malware that gave them a backdoor into victim machines. The exploit code politely includes a comment that reads “Thanks-Rob.”

The “Thanks-Rob” attack is more than a demonstration. The compromised machines are lobbing distributed denial of service attacks at three targets so far, according to researchers at Kaspersky Labs, though they haven’t yet identified those targets. The researchers at the Russian antivirus firm say they used a “honeypot” machine to examine the malware, locate its command and control server and intercept the DDoS commands it’s sending, but haven’t determined how many computers have already been infected.

Based on his own scanning before his tool’s code was repurposed by hackers, Graham estimates that thousands of machines have been caught up in the botnet. But millions may be vulnerable, he says. And the malware being installed on the target machines allows itself to be updated from a command and control server, so that it could be changed to scan for and infect other vulnerable machines, spreading far faster. Many in the security community fear that sort of “worm” is the inevitable result of the shellshock bug. “This is not simply a DDoS trojan,” says Kaspersky researcher Roel Schouwenberg. “It’s a backdoor, and you can definitely turn it into a worm.”

The only thing preventing hackers from creating that worm, says Schouwenberg, may be their desire to keep their attacks below the radar—too large of a botnet might attract unwanted attention from the security community and law enforcement. “Attackers don’t always want to make these things into worms, because the spread becomes uncontrollable,” says Schouwenberg. “It generally makes more sense to ration this thing out rather than use it to melt the internet.”

The Bash bug, first discovered by security researcher Stéphane Chazelas and revealed Wednesday in an alert from the US Computer Emergency Readiness Team (CERT), still doesn’t have a fully working patch. On Thursday Linux software maker Red Hat warned that a patch initially released along with CERT’s alert can be circumvented.

But Kaspersky’s Schouwenberg recommended that server administrators still implement the existing patch; While it’s not a complete cure for the shellshock problem, he says it does block the exploits he’s seen so far. In the meantime, the security community is still bracing for the shellshock exploit to evolve into a fully self-replicating worm that would increase the volume of its infections exponentially. Veracode’s Chris Wysopal says it’s only a matter of time. “There’s no reason someone couldn’t modify this to scan for more bash bug servers and install itself,” Wysopal says. “That’s definitely going to happen.”

Tags:
ShellShock information leaks
Source:
WIRED
2193
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015