From Thursday on, several security firms reported a drastic uptick in the number of attacks that leverage the recently disclosed vulnerability in GNU Bash (CVE-2014-6271), widely known as Shellshock.
On Friday, AlienVault Labs reported that the flaw was being used by two attackers to install two different pieces of malware on victim systems. One of the malicious payloads enlists the victim's system in a botnet which, based on the traffic in its IRC channel, is likely run by a group out of Romania. The other payload fingerprints the victim's system and opens a backdoor, enabling remote access.
Security firm Incapsula reported that they've observed more than 17,000 attacks (an average of 725 attacks per hour) since Shellshock was disclosed on Wednesday.
In a blog post, the company says that more than 1,800 domains have been targeted, and that the attacks originated from roughly 400 IP addresses. A majority of the attacking IP addresses are assigned to systems in China and the U.S.
"What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their flock. During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit the Shellshock vulnerability to gain server access," Incapsula's post explained.
Researchers at Trend Micro have documented several attacks since Friday, including the botnet attack discovered by AlienVault and Incapsula. Later in the day, they also detected a DDoS attack from servers that appear to have been compromised by Shellshock (based on the code running on them). Furthermore, Trend also disclosed that several official institutions in Brazil were being targeted by scanners that were looking for Shellshock-related openings.
"It does not seem to have any real payload or do any real damage, however, only taking what appears to be information about the systems it’s trying to infiltrate – but in the world of cybercrime and cyber attacks, that may change soon enough. We believe that the information-gathering could be a sign of preparation for a bigger, much more damaging attack," Trend said of the scans in Brazil.
On Saturday, FireEye released details on several proof-of-concept scripts related to Shellshock, which in theory would allow an attacker to perform a number of tasks, including click fraud, establishing a reverse shell (with or without Perl), email reconnaissance, capturing the system's /etc/passwd (password) file, botnet creation (several variants), and UDP floods.
"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise," FireEye wrote.
When the Shellshock vulnerability was disclosed on Wednesday, nearly all of the Linux / UNIX distributions released fixes that would correct the problem. However, researchers quickly determined that the fixes were incomplete, leaving patched systems exposed to variations on the original attack vector.
This led to the publication of four additional CVE advisories (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277), and administrators and system operators are encouraged to update GNU Bash with all of the latest fixes and to apply additional patches as they are released. So far, there have been three updates to GNU Bash since the problem was publicly disclosed.
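Because the first round of fixes was incomplete, an administrator cannot assume a system is safe just because "a" Bash update was applied; each CVE has to be verified separately. The script below is an added example (not code from the article or from any vendor advisory) that runs the widely published one-line self-tests for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 against the local interpreter. It assumes `bash` is on PATH (override with the hypothetical `BASH_BIN` variable) and reports "patched" or "vulnerable" per CVE; CVE-2014-6277 is not covered because it has no reliable one-line probe.

```shell
#!/bin/sh
# Added self-check (not from the article): probe the local bash for four
# Shellshock CVEs. Assumes bash is on PATH; BASH_BIN is a made-up override.
BASH_BIN="${BASH_BIN:-bash}"

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# CVE-2014-6271: commands trailing an exported function body must not run.
check_cve_2014_6271() {
    have_bash || { echo skipped; return 0; }
    out=$(env x='() { :;}; echo VULN' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable; return 1 ;;
        *)      echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug that turns the
# command into a redirection; on a vulnerable bash a file named "echo"
# appears in the working directory. Run it in a throwaway temp dir.
check_cve_2014_7169() {
    have_bash || { echo skipped; return 0; }
    tmp=$(mktemp -d) || { echo skipped; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo vulnerable; return 1
    fi
    rm -rf "$tmp"; echo patched; return 0
}

# CVE-2014-7186: too many unterminated here-documents crash an unpatched
# parser (redir_stack overflow); a patched bash just warns and exits 0.
check_cve_2014_7186() {
    have_bash || { echo skipped; return 0; }
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# CVE-2014-7187: 200 nested empty for-loops trip an off-by-one in the
# word_lineno array on an unpatched bash; a patched bash exits 0.
check_cve_2014_7187() {
    have_bash || { echo skipped; return 0; }
    script=$(
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i+1)); done
    )
    if printf '%s\n' "$script" | "$BASH_BIN" >/dev/null 2>&1; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Run every probe, print one line per CVE, return 1 if any reported vulnerable.
shellshock_report() {
    status=0
    for cve in 6271 7169 7186 7187; do
        result=$("check_cve_2014_$cve") || status=1
        echo "CVE-2014-$cve: $result"
    done
    return "$status"
}

shellshock_report
```

Run it as an unprivileged user on each host after patching; a single "vulnerable" line means the installed Bash is still missing at least one of the follow-up fixes, and the host should be treated as exposed until the package is updated again and the check is clean.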
Finally, Apple addressed Shellshock in a statement this weekend, noting that a "vast majority" of OS X users were not at risk because OS X systems were "safe by default and not exposed to remote exploits of [GNU Bash] unless users configure advanced UNIX services."
For those with advanced services enabled, Apple is working on an update.