Security firms gathering data on hacker strategies to exploit Shellshock bug

Share

While Apple Inc. tried Friday to reassure users of its Mac computers about the threat of the Shellshock bug, security firms started documenting efforts by hackers to exploit the newly disclosed programming flaw.

"We saw the first attempts by criminals to take advantage of this widespread vulnerability," Stefan Ortloff, an analyst at Kaspersky Lab, wrote on his company's security blog.

Another security firm, Alien Vault Labs, also noted attempts to install malicious software through the Shellshock defect, including one malware that appeared to be written by Romanian hackers and was trying to connect to 715 other victims.

The intruders have not deployed sophisticated viruses so far but Mr. Ortloff cautioned in an interview that "it is not important what kind of software was installed because, when you can exploit a Web server this way, you can install any software."

Shellshock is the common name of a programming flaw officially known as CVE-2014-6271, which affects Unix-based operating systems, including OS X, which runs Apple's Mac computers. Windows users are not affected.

Those machines use an interface called Bash, which is used to send commands directly to the computer's operating system.

Earlier this month, an independent French programmer, Stéphane Chazelas, discovered that Bash could be tricked into allowing additional codes to be tacked at the end of a command, Most Mac users are safe from Shellshock, Apple said Friday, adding that it was working on a software patch to protect those who are vulnerable.

"The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities," Apple spokeswoman Tara Hendela said in a statement.

"Bash ... has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

The CVE-2014-6271 vulnerability was only made public Wednesday to give programmers who maintain Bash time to develop a remedy.

Four-and-a-half hours after the announcement, "we started seeing scans looking for the vulnerability," Waylon Grange, senior malware researcher at Blue Coat Systems wrote on a company blog.

Like other firms, Alien Vault ran a honeypot operation – a server intentionally set up to draw attackers so their methods could be studied.

"We have had several hits in the last 24 hours," Alien Vault director Jaime Blasco wrote on his company website.

One of the malwares detected by Alien Vault appears to be similar to one of those detected by Kaspersky, Mr. Ortloff said.

He said the malware creates a "backdoor" in the infected server, covertly installing a piece of code that can be used to unleash distributed denial-of-service attacks (DDoS).

(In a DDoS, an infected Web server will be commandeered by an intruder to join a network of compromised machines that disable another server by flooding it continuously with bogus requests.) The malware detected by Kaspersky and Alien Vault held a small dictionary of possible default passwords – such as "1234," "guest" or "password" – that it could use to attempt a forced entry elsewhere.

The malicious code isn't sophisticated and appears to have been an older software hastily reconfigured to exploit Shellshock, Mr. Ortloff said.

As such, there is still no evidence that hackers exploited Shellshock before its existence became public this week. The flaw has existed since Bash was developed in the late 1980s.

In Ottawa, "when the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch affected systems on a priority basis," Treasury Board spokeswoman Kelly James said in an e-mailed statement.

"For affected systems where no patch is available, departments have been directed to take those systems offline."