The Shellshock vulnerability has already become the focus of malicious scanning and at least one botnet, but crooks are still testing the waters with the vulnerability and much worse could follow, security watchers warn.
Net security firm FireEye said it has seen all manner of overtly malicious traffic leveraging the Bash bug, including DDoS attacks, malware droppers, reverse shell hacks, backdoors and data exfiltration. Some of the suspicious activity seems to be originating from Russia.
Attackers have deployed scanners looking for vulnerable machines that have been bombarding networks with traffic since midday Wednesday. So far, the Common Gateway Interface vector (an interface between a web server and executables that produce dynamic content) has received the bulk of the attention from attackers. However, the scope of the Bash Shellshock bug extends far beyond web servers.
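A defender-side illustration of the CGI vector described above, added here and not taken from the article or from any of the vendors it cites: request headers reach a CGI script as environment variables, so probes show up in the User-Agent and Referer fields of ordinary web server access logs. The script assumes Apache "combined" log format and runs over constructed sample lines.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:12:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.23 - - [25/Sep/2014:12:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [25/Sep/2014:12:02:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :; }; echo probe" "curl/7.35.0"
"""

# Apache combined format: client, ident, user, time, request, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Unpatched bash treats an environment variable whose value starts with "() {" as a
# function definition and then runs whatever follows the closing brace. Whitespace is
# loosened here so padded variants are flagged; bash itself matched the literal "() {".
PROBE_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_probes(log_text):
    """Return one finding per log field whose value looks like a Shellshock probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        # Headers become HTTP_* environment variables for the CGI process, so inspect
        # the header-derived fields plus the percent-decoded request line.
        fields = {
            "user_agent": m.group("ua"),
            "referer": m.group("referer"),
            "request": unquote(m.group("request")),
        }
        for name, value in fields.items():
            if PROBE_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "field": name,
                    "value": value,
                    "cgi_target": "/cgi-bin/" in m.group("request"),
                })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['ip']} {f['field']} cgi={f['cgi_target']}: {f['value']!r}")
```

Hits in non-CGI paths are still worth a look, since the same headers reach any process that inherits the web server's environment.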
"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack," FireEye warns.
The initial patch for the vulnerability was quickly discovered to be inadequate. Further patches against related vulnerabilities were released over the weekend. With the ease of exploitation, the simplicity of the vulnerability and the very large Bash user base, the problem is likely to remain with us for months rather than weeks.
Elsewhere, security researchers at Incapsula logged more than 17,400 attacks at an average rate of 725 an hour. More than 1,800 domains in its network of tens of thousands of websites were attacked. Attacks originated from 400 unique IP addresses. More than 55 per cent of all attacks originated from China and the US, a marked difference from FireEye's finding that much of the problem came from Russia.
The Internet Storm Center has moved to InfoCon:Yellow because it has seen signs of worm/botnet activity that show no sign of letting up any time soon.
An active IRC bot making use of the Bash bug to press-gang vulnerable systems into a zombie network that's been used to run DDoS attacks is making waves as well. Yet it's far from the only malware payload in play, as a blog post by Trend Micro explains. ®