With a bug as dangerous as the “shellshock” security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic.
As of Thursday, multiple attacks were already taking advantage of that vulnerability, a long-standing but undiscovered bug in the Linux and Mac tool Bash that makes it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request. The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers’ commands. And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers.
The attack is simple enough that it allows even unskilled hackers to easily piece together existing code to take control of target machines, says Chris Wysopal, chief technology officer for the web security firm Veracode. “People are pulling out their old bot kit command and control software, and they can plug it right in with this new vulnerability,” he says. “There’s not a lot of development time here. People were compromising machines within an hour of yesterday’s announcement.”
Wysopal points to attackers who are using a shellshock exploit to install a simple Perl program found on the open source code site GitHub. With that program in place, a command and control server can send orders to the infected target using the instant messaging protocol IRC, telling it to scan other networked computers or flood them with attack traffic. “You install it on the server that you’re able to get remote command execution on and now you can control that machine,” says Wysopal.
The hackers behind another widespread exploit using the Bash bug didn’t even bother to write their own attack program. Instead, they rewrote a proof-of-concept script created by security researcher Robert David Graham Wednesday that was designed to measure the extent of the problem. Instead of merely causing infected machines to send back a “ping” as in Graham’s script, however, the hackers’ rewrite instead installed malware that gave them a backdoor into victim machines. The exploit code politely includes a comment that reads “Thanks-Rob.”
The “Thanks-Rob” attack is more than a demonstration. The compromised machines are lobbing distributed denial of service attacks at three targets so far, according to researchers at Kaspersky Labs, though they haven’t yet identified those targets. The researchers at the Russian antivirus firm say they used a “honeypot” machine to examine the malware, locate its command and control server and intercept the DDoS commands it’s sending, but haven’t determined how many computers have already been infected.
Based on his own scanning before his tool’s code was repurposed by hackers, Graham estimates that thousands of machines have been caught up in the botnet. But millions may be vulnerable, he says. And the malware being installed on the target machines allows itself to be updated from a command and control server, so that it could be changed to scan for and infect other vulnerable machines, spreading far faster. Many in the security community fear that sort of “worm” is the inevitable result of the shellshock bug. “This is not simply a DDoS trojan,” says Kaspersky researcher Roel Schouwenberg. “It’s a backdoor, and you can definitely turn it into a worm.”
The only thing preventing hackers from creating that worm, says Schouwenberg, may be their desire to keep their attacks below the radar—too large of a botnet might attract unwanted attention from the security community and law enforcement. “Attackers don’t always want to make these things into worms, because the spread becomes uncontrollable,” says Schouwenberg. “It generally makes more sense to ration this thing out rather than use it to melt the internet.”
The Bash bug, first discovered by security researcher Stéphane Chazelas and revealed Wednesday in an alert from the US Computer Emergency Readiness Team (CERT), still doesn’t have a fully working patch. On Thursday Linux software maker Red Hat warned that a patch initially released along with CERT’s alert can be circumvented.
But Kaspersky’s Schouwenberg recommended that server administrators still implement the existing patch; While it’s not a complete cure for the shellshock problem, he says it does block the exploits he’s seen so far.
In the meantime, the security community is still bracing for the shellshock exploit to evolve into a fully self-replicating worm that would increase the volume of its infections exponentially. Veracode’s Chris Wysopal says it’s only a matter of time. “There’s no reason someone couldn’t modify this to scan for more bash bug servers and install itself,” Wysopal says. “That’s definitely going to happen.”