Hackers are scrambling to exploit the newly discovered Shellshock bug just hours after its discovery was made public on Thursday, Sept. 25, while security firms race against hackers to patch a gaping security hole that they admit will be a challenge to fix.
Shellshock is a security flaw discovered in the Bourne Again Shell, also known as Bash, a text-based command line interface used in Linux, Unix and Mac operating systems. Security experts have labelled Shellshock "as big a deal as Heartbleed" because of the widespread use of Bash across all types of computer systems and other devices.
Chris Wysopal, chief technology officer at the online security firm Veracode, says it does not take sophisticated knowledge for a newbie to exploit the vulnerable Bash. In fact, a group of attackers is already using Shellshock to command infected devices, over the IRC chat protocol, to scan networked computers or flood them with traffic.
"People are pulling out their old bot kit command and control software, and they can plug it right in with this new vulnerability," Wysopal said. "There's not a lot of development time here. People were compromising machines within an hour of yesterday's announcement."
Wysopal also pointed to another group that took advantage of a proof-of-concept script written by Robert Graham of Errata Security. The exploit, dubbed Thanks Rob because of a piece of code thanking the security researcher, allows the attackers to install malware on infected machines, which are now being used to launch distributed denial of service (DDoS) attacks against three unidentified targets.
Russian security firm Kaspersky Labs confirmed Wysopal's findings, saying it used a honeypot server, a decoy machine set up to attract attacks and record what kind of malicious activity is taking place on the Internet and how much of it, to examine the malware. Kaspersky said it was able to locate the command center from which the DDoS attacks were being directed and to intercept the attacks, but could not determine how many machines were compromised or who the attackers and victims were.
"This is not simply a DDoS Trojan," said Roel Schouwenberg, researcher at Kaspersky. "It's a backdoor, and you can definitely turn it into a worm."
Shellshock was first discovered by security researcher Stéphane Chazelas of Akamai Technologies on Wednesday, Sept. 24. Major Linux vendors, including Red Hat, Ubuntu, Suse and Debian, have already released patches, but Red Hat came out on Thursday saying that the patch is "incomplete."
Kaspersky, however, recommends server administrators still implement the incomplete patch as it seems to be effective in securing machines against the exploits already taking place.
Security experts believe Shellshock is relatively easy to patch. However, the problem lies in the prevalence of Bash and in identifying how many machines are actually vulnerable to attacks.
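Working out whether a given host is exposed starts with checking the Bash binary itself. The script below is an added example, not code from the article or from any of the firms quoted: it asks a Bash binary to import a harmless environment variable shaped like an exported function with a command appended, and reports whether that appended command ran. The variable name `shellshock_probe` and the marker string are arbitrary choices made here.

```shell
#!/bin/sh
# Local self-test for the Shellshock class of bug: does this Bash run
# code that trails a function definition imported from the environment?
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = binary not found.
check_shellshock() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Harmless probe variable: an empty function body followed by an
    # extra command. A vulnerable Bash executes the trailing echo while
    # importing the variable; a patched Bash never evaluates it.
    out=$(env shellshock_probe='() { :; }; echo TRAILING_CODE_RAN' \
          "$bash_bin" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *TRAILING_CODE_RAN*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable wrapper around the check above.
report_shellshock() {
    check_shellshock "$1"
    case $? in
        0) echo "not vulnerable" ;;
        1) echo "VULNERABLE: trailing code in environment function ran" ;;
        *) echo "unknown: bash binary not found" ;;
    esac
}

report_shellshock "${1:-bash}"
```

A clean result only covers the behaviour this probe exercises; since Red Hat called the first patch incomplete, keep Bash updated to a build that addresses the follow-up fixes rather than treating one passing check as final.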
"We don't actually know how widespread this is," said security researcher Dan Kaminsky. "This is probably one of the most difficult-to-measure bugs that has come along in years."