Making Sense Of Shellshock Attack Chaos

Attacks against the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.

As security teams reel from last weeks
Shellshock headlines
, attackers are catching on quickly to the vulnerability. Exploits have rapidly come out of the woodwork. Researchers immediately warned this major vulnerability in Bash would likely have a
much worse impact than Heartbleed
, considering the severity of the exploit and its pervasive presence in so many Linux and UNIX systems. The resulting attacks are starting to crystallize their picture of the threat.
Ever since the shellshock vulnerability has been announced, we have seen a large number of scans probing it,
according to a post by Johannes Ullrich
, director of the SANS Internet Storm Center. Ullrich reports a number of different attacks, including vulnerability checks using multiple headers and simple vulnerability checks using custom user agents.
According to
Incapsula research released Friday
, in just 24 hours, it recorded 17,400 attacks against its WAF installed base, lashing out at approximately 1,800 domains. The attacks are originating from 400 unique IP addresses, with more than half of them in China or the US. Researchers have noted not only an increasing volume of attacks, but also a growing variety of ways attackers are leveraging the Bash bug to commandeer web servers.
For example, Kaspersky Labs Stefan Ortloff
detailed two attacks
. One, known as a reverse-connect-shell, will just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. The other uses specially crafted HTTP-requests to start installing Linux backdoors on victims servers.
However, much of the early criminal activity seems to center on the bad guys building up their botnets using the newly discovered vulnerability.
What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their flock, Ofer Gayer, a researcher for Incapsula, explained in a blog post. During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit Shellshock vulnerability to gain server access.
This has been confirmed by researchers in Italy, who report that a botnet called wopbot running on Linux servers went to work last week DDoSing Akamais content delivery network and running large-scale scans against the US Department of Defense for brute force attack purposes, according to researchers at Kaspersky. And researchers at FireEye
ran down a laundry list of exploitation techniques
already seen in Shellshock traffic. They include automated click fraud, password stealing, and backdoor installation, with payloads that include reverse shell Perl scripts, UDP flood attacks, and IRC-based DDoS.
The Shellshock traffic we have been able to observe is still quite chaotic, writes James Bennett of FireEye. It is largely characterized by high volume automated scans and PoC-like exploit scripts.
Meantime, researchers at TrendMicro wrote this morning of an
attack they followed against a Chinese financial institution
that should give security teams pause. Attackers in that instance were simply trying to see if several IPs owned by the institution were vulnerable to the Shellshock bug.
Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to the use the command /bin/uname -a. The command uname displays system information, including the OS platform, the machine type, and the processor information, Trend researchers wrote. At first glance, retrieving system information might seem harmless. But as we mentioned before, the information-gathering could possibly be a sign of preparation for more damaging routines.
This kind of early attack could be laying the groundwork for future attacks -- and it is looking like it is not an isolated incident of attack reconnaissance.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Making Sense Of Shellshock Attack Chaos