Hackers jump on the Shellshock Bash bandwagon

New attack for Bash flaw sees hackers spreading a remote access control tool to spy on target systems.

The Bash bug known as Shellshock has been described as "horrible", easy to exploit, and as ZDNet reported yesterday, is already being used by attackers to target vulnerable Linux servers across the globe.

Now, according to one researcher, hackers who are more interested in spying than disabling websites have joined the fray.

Given the severity of the Bash bug disclosed this week, UK CERT yesterday issued an upgraded alert, warning as others have that Shellshock is likely to affect a much wider community than the last potential security disaster known as Heartbleed.

That's because, as Australian security researcher Troy Hunt points out, around 500 million websites are powered by Apache, are likely running Linux, and almost certainly have Bash installed.

Read this

Shellshock: How to protect your Unix, Linux and Mac servers

The Unix/Linux Bash security hole can be deadly to your servers. Here's what you need to worry about, how to see if you can be attacked, and what to do if your shields are down.

Read More

Anti-virus company Kaspersky said the the vulnerability "has already been used for malicious intentions" including infecting vulnerable web servers with malware, and also in hacker attacks, and noted: "The key thing to understand is that the vulnerability is not bound to a specific service, for example Apache or nginx. Rather, the vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables."

A security researcher at malwaremustdie.org who analysed hackers' first attempt at exploiting the bug yesterday  found that the Linux malware was designed to launch distributed denial of service (DDoS) attacks as well as guess the passwords of vulnerable servers.

The same group says it has now dissected another malware sample exploiting the same Bash bug, and told ZDNet this sample is showing clear signs suggesting the operators — likely located in China — are less interested in crippling websites than they are in spying on targets.

"This one is backdoor malware. The malware can make your servers/routers into a remote access terminal (RAT) for the further malicious activities. It was coded with the shellcode in assembler, the things that I know very well, so it doesn't take much time to reverse it," the researcher said.

The rapid emergence of multiple pieces of attack-ware aimed at exploiting the bug comes as Linux distributors continue to work on developing a complete patch for the bug.

As Malwaremustdie notes on its blog, the "fun" has only just begun. In other words, expect more malware to come.

Read more on malware