As vendors such as Red Hat Inc. and Apple continue to work on patches that address the "Shellshock" vulnerability in Bourne-again shell (Bash), new evidence shows attackers are already attempting to exploit the flaw.
The Bash security vulnerability, CVE-2014-6271, has been the subject of intense public speculation since it was announced on Wednesday, with many security experts saying the bug could be worse than the infamous Heartbleed OpenSSL flaw. The vulnerability can be triggered by appending malicious code to the end of a function definition before it is parsed by the Bash shell, which is installed by default on Linux distributions and is also found in Apple's Mac OS X.
Part of what makes the bug so dangerous is how easily an attacker could exploit it remotely -- a big part of the reason why it was rated as a 10.0 for exploitability on the Common Vulnerability Scoring System (CVSS), the highest possible rating. In conjunction with the widespread nature of the flaw, it is not surprising to find attackers quickly taking advantage of the situation.
First, Errata Security CEO Robert Graham posted research on his company's blog showing how the Bash security vulnerability would potentially be "wormable" by scanning the Internet for vulnerable systems. It has since been discovered that attackers repurposed Graham's script to download malware when vulnerable systems respond. The attackers even placed "Thanks-Rob" into the code, now hosted on GitHub, in reference to Graham's work.
"Someone is using masscan to deliver malware. They'll likely have compromised most of the system I've found by tomorrow morning," Graham said in the blog post. "If they are using different URLs and fix the Host field, they'll get tons more."
Johannes Ullrich, head of the SANS Institute's Internet Storm Center, confirmed in a blog post on the SANS website that the research organization's Web servers have been subjected to multiple exploitation attempts targeting the Bash vulnerability. Ullrich said attackers are currently calling CGI scripts via scans in the hopes of finding vulnerable systems, though DHCP clients and SSH servers could also be exploited.
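As an added example (not code from the article or from the researchers it cites), the following Python detector flags the kind of CGI scanning described above in constructed Apache combined-format access-log lines: it parses each line and reports any client-controlled header whose value begins with Bash's function-definition prefix, which is what a vulnerable Bash parses out of an environment variable.

```python
import re

# Sample Apache combined-log lines, constructed for this example (not real traffic).
# The CGI scanning described in the article shows up as a request header whose
# value starts with the Bash function-definition prefix "() {"; the trailing
# commands here are the ones the article mentions (uname -a, id).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; uname -a"
198.51.100.7 - - [25/Sep/2014:10:12:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; id" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:14:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.37.0"
"""

# Function-definition prefix that vulnerable Bash versions import from any
# environment variable; allow optional whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Return one record per log line that carries the function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Every client-controlled field a CGI handler copies into the environment
        # (HTTP_USER_AGENT, HTTP_REFERER, the request line ...) is a candidate.
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field,
                             "value": rec[field], "request": rec["request"]})
                break
    return hits


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['ip']} via {h['field']}: {h['value']!r} ({h['request']})")
```

Feeding a real access log through `find_shellshock_attempts` gives the source IPs and the header used, which is enough to block the scanner and to confirm which CGI paths were probed.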
Jaime Blasco, director of AlienVault Labs, posted further evidence on the vendor's blog yesterday showing attackers attempting to exploit the Bash vulnerability. AlienVault set up honeypots to detect exploit attempts, Blasco said, and within 24 hours, several systems had been spotted scanning the honeypots for vulnerable machines.
More intriguingly, Blasco said two separate attackers were actually discovered trying to install malware. The first attack downloaded an Executable and Linkable Format (ELF) binary that fingerprints the host and tries to steal system information -- it even contains code for fingerprinting honeypots. The malware attempts to open a connection to a command-and-control (C&C) server and supports a number of commands, several of which are used for denial-of-service attacks.
Blasco said the other malware sample collected by AlienVault was a repurposed IRC bot that was seemingly controlled by Romanian-speaking attackers. The attack is started by a Perl script that infects a vulnerable machine, which is then connected to an IRC server (184.108.40.206) on port 443. Once a victim is connected, attackers execute two commands -- "uname -a" and "id" -- to check the operating system and the user the bot is running as.
There were 715 users connected to the IRC server when the AlienVault honeypot system was infected, according to Blasco, and 20 more joined the botnet by the time the blog post went live.
"We have seen the main purpose of the bots is to perform distributed denial-of-service attacks," said Blasco via email.