Attackers Exploit Shellshock BugBotnet Exploits Linux Systems; Apple Promises Patches
See Also: Managing API Security
That warning has been sounded by Jaime Blasco, director of AlienVault Labs, an information security research group. He says honeypots being run by his company to study online attacks have so far detected two different attack campaigns that target Shellshock. One attempts to install a malicious Linux binary file on vulnerable systems, while the other tries to infect them with a malicious Perl script.
The first attacks targeting Shellshock were detected less than 24 hours after the vulnerability was publicly announced. The bug may be present on more than 500 million systems and devices that run the Unix operating system, or which embed Unix software. Apple has confirmed that some Mac OS X users are also at risk from the vulnerability.
Shellshock refers to a bug in the Bash utility, which runs on the vast majority of Unix systems. "It affects Bash - the Bourne Again Shell, the default command shell for Linux and other Unix flavors including Mac OS X," Blasco says in a blog post. "The vulnerability is critical since it can be exposed on Web servers that use mod_cgi or code that calls the bash shell. Other systems that are probably affected are network services and daemons that use shell scripts with environmental variables."
Malware Targets Apache Module
Multiple information security researchers have detected the attacks that are designed to install a malicious Linux binary file on vulnerable systems. To date, the attacks have targeted both Nginx and Apache Web servers configured to use mod_cgi, which handles CGI scripts, which are widely used for generating dynamic content on websites.
Trend Micro says the malware that gets installed - in the event of a successful attack - is a Linux Trojan called Bashlite, a.k.a. Flooder, which is designed to launch distributed-denial-of-service attacks attacks.
The name of the malicious file that gets installed on compromised systems is either "apache" or "nginx," depending on the type of server that gets exploited, "presumably to blend in," Michael Sutton, VP of security research at cloud security firm Zscaler, tells Information Security Media Group. According to Deepen Desai, Zscaler's director of security research, "the two malware payloads that were getting dropped had almost zero AV detection" when they were first spotted. But about 24 hours later, "the detection level is slightly better," with 23 out of 55 antivirus engines on VirusTotal now flagging the malware.
The malware also includes a list of common credentials that it uses to try and gain brute-force access to the sites it's attempting to DDoS. AlienVault's Blasco says the usernames and passwords hardcoded into the malware include the following: "root, admin, user, login, guest, toor, changeme, 1234, 12345, 123456, default, pass, password."
Perl Script Builds Botnet
Blasco says his honeypots also detected Shellshock exploits designed to execute a malicious Perl script. "It seems it is a repurposed IRC bot that connects to an IRC server and waits for commands," he says. "There are 715 users - probably victims - connected to the server right now." The attackers appear to be Romanian-language speakers, based on chatter he's found on the related IRC channel.
The code for the Perl bot also appears to have been posted on Pastebin.
IRC bots can be used for a range of malicious activities, including launching DDoS attacks, scanning websites for known vulnerabilities - and then exploiting them - as well as verifying stolen credit-card numbers.
Many Shellshock Fixes Forthcoming
The malware attacks demonstrate the information security risks now facing users of any Unix device, be it an Apache server or a router that runs embedded Linux.
In addition, many users now face risks from two Bash-related vulnerabilities. The first is the full Bash flaw, which has been assigned the vulnerability designation CVE-2014-6271. But users must also now beware CVE-2014-7169, which NIST says "exists because of an incomplete fix for CVE-2014-6271."
While multiple Unix operating system providers have shipped updates that patch the first Bash vulnerability, they've helped create the second, to which they're still susceptible. But Linux provider Red Hat has urged users to install the patched version of its software anyway, since the new vulnerability is reportedly much less severe than the full Bash flaw. To date, furthermore, security researchers have only seen malware targeting the full Bash bug - CVE-2014-6271 - rather than the newer and reportedly less severe flaw.
Apple Promises Patch
The Shellshock vulnerability also poses a risk to some Mac OS X users. Apple didn't immediately respond to a request for comment about which versions of its operating system might be vulnerable, and in which types of situations. But Apple tells iMore that most Mac users won't be at risk.
"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," Apple says in a statement. "Bash, a Unix command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced Unix services. We are working to quickly provide a software update for our advanced Unix users."
Until Apple releases a fix, Europol cybersecurity advisor and University of Surrey computing professor Alan Woodward tells Information Security Media Group that "the safest thing is just to assume that if you're running something that runs Bash, then you need to upgrade." In the interim, he recommends all Mac OS X users disable its remote login feature.
Vulnerable Devices Widespread
Beyond Apple, how many devices might be affected by the Bash bug? Since more than half of the world's 1 billion Web servers run Apache, the number of potentially affected systems exceed 500 million, compared to the 500,000 systems that were found to be vulnerable to the OpenSSL vulnerability known as Heartbleed.
Meanwhile, a simple Internet scan conducted using the Shodan search engine cataloged 16 million systems - including servers and routers - that use an Internet protocol such as HTTP and HTTPS, "and where CGI showed up in the header reply from the first point of contact," Woodward says.
While that's not meant to be an exhaustive count of all such devices, it shows that those sites are likely using Bash, and thus vulnerable to being exploited, unless they've been patched. Of those 15 million systems, 5.4 million are in the United States - the vast majority hosted by Comcast - followed by about 1 million in Columbia, and 900,000 in Brazil.