Within hours of the Shellshock/Bash vulnerability being disclosed, attacks targeting it in the wild to download additional malware were detected.
According to Zscaler’s ThreatLabZ research team, upon successful exploitation of the CVE-2014-6271 vulnerability, an attacker is able to download and install a malicious ELF binary on the target Linux system. The malware connects to a predetermined Command and Control server on a specific port and awaits further instructions from the attacker.
Other reports of attacks were spotted by other threat labs. According to AlienVault’s Jaime Blasco, it began running a new module in its honeypots upon notification of the flaw, and it observed “several hits” in the last 24 hours.
He said: “Most of them are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker’s machine.” He also said that the honeypot received another interesting attack from a file with a PERL script that seems to be a repurposed IRC bot that connects to an IRC server and waits for commands.
Blasco said: “As soon as the infected machine connects to the IRC server (188.8.131.52) on port 443, it joins a channel on the IRC server. It seems there are 715 users (probably victims) connected to the server right now. As soon as new victims join the server, the attackers are executing the command “uname -a” to determine the operating system that is running on the victim as well as “id” to check the current username. Since our honeypot joined the server, more than 20 new victims have become part of the botnet.”
Wolfgang Kandek, CTO of Qualys, said: “Our Web Application Firewall has the signatures needed to detect and block Shellshock attacks against websites. The detection is very reliable and is activated by default in the “normal” and “aggressive” settings on the WAF configuration page.
“Qualys scanners are considered not exploitable via the BASH vulnerability. Although Qualys scanners have a version of Bash vulnerable to CVE-2014-6271 installed, the scanner exposes no listening interfaces and services to the network, closing the common attack vectors discussed in the release of CVE-2014-6271. Further Bash is not used in any of the communication mechanisms that the scanner uses: scan dispatching, software updates and monitoring. We will update Bash on the scanner in the next system update cycle.”
Check Point said in an update that it had released an IPS signature to protect customer environments. It said: “The signature enables organisations to add a layer of protection to their network during the time they need to update their systems with vendor provided patches. This protection will detect and block attempts to exploit this vulnerability.”