First attacks using 'shellshock' Bash bug discovered

Security researchers have found the first malware using the new Bash bug.
Written by Liam Tung, Contributing Writer

Within a day of the Bash bug dubbed 'shellshock' being disclosed, it appears that attackers are already looking for ways to use it for their advantage.

Security researchers have found proof of concept code that attempts to exploit the serious bug discovered this week in Bourne-Again Shell, also known as Bash, which according to US CERT affects both Linux and Mac OS X.

The good news yesterday that some Linux distributions shipped patches for the bug yesterday has already been tempered by the discovery that those patches only partially dealt with potential attacks. In an update overnight, Red Hat said that it was developing a new patch, however, it is still advising users to apply the incomplete one for now.

At the same time as security experts have been racing to develop fixes for the bug and patch systems, it appears hackers have been working on tools to attack vulnerable systems.

Security researcher Yinette yesterday reported discovering the first attack in the wild that exploits the bug, which has been officially documented as CVE-2014-6271.

Security researchers malwaremustdie.org have since analysed the malware, finding numerous functions including distributed denial of service (DDoS) IRC bot as well as a feature that attempts to guess passwords and logins on vulnerable servers, using a list of poor passwords such as 'root', 'admin', 'user', 'login', and '123456'.

AusCERT earlier yesterday also claimed to have received reports the bug was being exploited in the wild.

Meanwhile, security researcher Robert Graham claims to have found at least 3,000 systems vulnerable to the bug. However Graham's scan only looked at systems on port 80; the researcher noted embedded webservers on odd ports are the real danger and a scan for these "would give a couple times more results".

He also warned that DHCP services are also vulnerable, as reported in the initial advisory. "Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would "game over" for large networks."

Read more on security

Editorial standards