Security researchers released two new Shellshock-related attack warnings today as they witness criminals increasingly take advantage of the Bash bug in UNIX and Linux systems. The first warning is for an attack targeting SMTP servers found by Trend Micro, and the second is research-backed confirmation by Akamai that the bad guys are building their botnets out using Shellshock-vulnerable systems.
Meanwhile, at the same time today, researchers with Solutionary Security Engineering Research Team (SERT) released a report that showed just how quickly attackers have altered their methods to leverage Shellshock. According to the report, 67% of traffic captured with Shellshock signatures was related to already known bad sources, which means attackers have simply morphed their attacks to include Shellshock exploitation. And that's happened fast -- attacks started within 24 hours of the vulnerability's first announcement.
"This vulnerability has accelerated the timeline typically observed when a new vulnerability is discovered," the report stated.
The attacks seem to be accelerating, and as many researchers previously predicted much of the early activity is coming from distributed denial of service (DDoS) botnet builders. Akamai's report today details the risks it analyzed after being attacked by a DDoS Internet relay chat (IRC) botnet built using Shellshock.
"Malicious actors are taking advantage of the Bash vulnerability to build and grow their Botnets," Akamai's researchers wrote. "The campaign is in the initial stages of probing and testing to footprint vulnerable victims."
According to its report, most of the observed botnets using Shellshock are being controlled by IRC. This is precisely the kind of bot being downloaded and executed using the new attack technique dissected by Trend Micro today.
Its researchers showed that the criminals are using email to deliver exploit code aimed at vulnerable SMTP servers to install an IRC bot known as JST Perl Irc Bot. In this instance, the attacker sends a custom email that has malicious code inserted in the Subject, From, To, and CC fields to potentially vulnerable SMTP servers. When vulnerable mail servers receive the malicious message, the embedded payload is executed, an IRC bot is downloaded and executed, and a connection is established to the controlling IRC server. From there the attacker can leverage the mail server.
"This SMTP attack highlights yet another platform for attackers to exploit the Shellshock vulnerability to launch IRC bots," Trend researchers wrote in a blog outlining the discovery details. "We recommend IT administrators to block all related IPs and domains related to this attack."
As these attacks continue to ramp up, Akamai exhorts organizations to patch their systems for Shellshock if they haven't already.
"The ease with which this bug can be exploited creates a situation where unpatched systems can be used easily to propagate the botnet’s reach and capacity," Akamai warns.