Following warnings about the Shellshock/Bash vulnerability, multiple attacks that take advantage of it have already been spotted.
According to Wired, the flaw is being used to infect thousands of machines with malware designed to make them part of a botnet. In at least one case, the hijacked machines are already launching distributed denial of service (DDoS) attacks that flood victims with junk traffic.
Rather than writing their own attack program, those behind the attack rewrote a proof-of-concept script created by security researcher Robert Graham that was designed to measure the extent of the problem. Instead of merely causing infected machines to send back a “ping” as in Graham’s script, the hackers’ rewrite installed malware that gave them a backdoor into victim machines. The exploit code politely includes a comment that reads “Thanks-Rob.”