With a bug as dangerous as the “shellshock” security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic.
As of Thursday, multiple attacks
were already taking advantage of that vulnerability (tracked as CVE-2014-6271), a
long-standing but undiscovered bug in Bash, the command shell installed by default on
most Linux systems and on Mac OS X. Vulnerable versions of Bash treat an environment
variable whose value begins with a particular character sequence as a function
definition, and then go on to execute any commands appended after that definition.
Because web servers that run CGI scripts copy HTTP request headers into environment
variables before handing them to the script, an attacker can place that sequence in a
request header and have the server run whatever commands follow it. The shellshock attacks are
being used to infect thousands of machines with malware designed to make them
part of a botnet of computers that obey hackers’ commands. And in at least one
case the hijacked machines are already launching distributed denial of service
attacks that flood victims with junk traffic, according to security
researchers.
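As an added example, not taken from the Wired article or from any of the firms it quotes, the POSIX shell script below shows what that “carefully crafted series of characters” looks like when it arrives in a request header, and how an administrator can find it in a web server’s access log. The log lines are constructed for the example, and the combined log format (Referer and User-Agent as the last two quoted fields) is assumed.

```shell
#!/bin/sh
# Added example (not the article's code). Finds Shellshock trigger strings in an
# access log. Assumes POSIX sh with grep, awk, sort and mktemp; combined log format.

# Bash imports a function from the environment when a variable's value starts with
# "() {". The vulnerable parser kept executing whatever followed the closing "};",
# so that marker is the one constant in every Shellshock payload. A CGI server
# exports request headers as HTTP_* variables (HTTP_USER_AGENT, HTTP_REFERER, ...),
# which is how a header reaches Bash.
SHELLSHOCK_MARKER='() {'

# Write a constructed sample log (combined format) to the path given as $1.
# Lines 1 and 3 carry the marker in the User-Agent and Referer fields respectively;
# line 2 is ordinary traffic. The IPs are documentation ranges, not real hosts.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'echo probe'"
203.0.113.9 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/bash -c 'echo probe'" "curl/7.37.0"
EOF
}

# Count log lines carrying the marker anywhere (User-Agent, Referer or request line).
# Fixed-string match, so the parentheses and brace are literal. "|| true" keeps the
# function from failing under "set -e" when grep finds nothing (it still prints 0).
shellshock_hit_count() {
    grep -c -F -- "$SHELLSHOCK_MARKER" "$1" || true
}

# Print the distinct client IPs that sent a trigger string, one per line.
shellshock_source_ips() {
    grep -F -- "$SHELLSHOCK_MARKER" "$1" | awk '{print $1}' | sort -u
}

# Demo run on the constructed log.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "shellshock hits: $(shellshock_hit_count "$LOG")"
echo "sources:"
shellshock_source_ips "$LOG"
rm -f "$LOG"
```

Run against a real log as `shellshock_hit_count /var/log/apache2/access.log`; because the match is on the function-import marker rather than on any one payload, it catches the Perl IRC bot installer and the “Thanks-Rob” variant alike. Logs that do not record User-Agent or Referer will miss headers-only probes, so the check is a detection aid, not proof of absence.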
The attack is simple enough that
it allows even unskilled hackers to easily piece together existing code to take
control of target machines, says Chris Wysopal, chief technology officer for
the web security firm Veracode. “People are pulling out their old bot kit
command and control software, and they can plug it right in with this new
vulnerability,” he says. “There’s not a lot of development time here. People
were compromising machines within an hour of yesterday’s announcement.”
Wysopal points to attackers who
are using a shellshock exploit to install a simple Perl program found on the open source code site GitHub. With that
program in place, a command and control server can send orders to the infected
target over the chat protocol IRC, telling it to scan other
networked computers or flood them with attack traffic. “You install it on the
server that you’re able to get remote command execution on and now you can
control that machine,” says Wysopal.
The hackers behind another
widespread exploit using the Bash bug didn’t even bother to write their own
attack program. Instead, they rewrote a proof-of-concept script created by
security researcher Robert David Graham Wednesday that was designed to measure
the extent of the problem. Instead of merely causing infected machines to send
back a “ping” as in Graham’s script, however, the hackers’ rewrite instead
installed malware that gave them a backdoor into victim machines. The exploit code
politely includes a comment that reads “Thanks-Rob.”
The “Thanks-Rob” attack is more
than a demonstration. The compromised machines are lobbing distributed denial
of service attacks at three targets so far, according to researchers at
Kaspersky Lab, though they haven’t yet identified those targets. The researchers
at the Russian antivirus firm say they used a “honeypot” machine to examine the
malware, locate its command and control server and intercept the DDoS commands
it’s sending, but haven’t determined how many computers have already been
infected.
Based on his own scanning before
his tool’s code was repurposed by hackers, Graham estimates that thousands of
machines have been caught up in the botnet. But millions may be vulnerable, he
says. And the malware being installed on the target machines allows itself to
be updated from a command and control server, so that it could be changed to
scan for and infect other vulnerable machines, spreading far faster. Many in
the security community fear that sort of “worm” is the inevitable result of the
shellshock bug. “This is not simply a DDoS trojan,” says Kaspersky researcher
Roel Schouwenberg. “It’s a backdoor, and you can definitely turn it into a
worm.”
The only thing preventing hackers
from creating that worm, says Schouwenberg, may be their desire to keep their
attacks below the radar—too large of a botnet might attract unwanted attention
from the security community and law enforcement. “Attackers don’t always want
to make these things into worms, because the spread becomes uncontrollable,”
says Schouwenberg. “It generally makes more sense to ration this thing out
rather than use it to melt the internet.”
The Bash bug, first discovered by
security researcher Stéphane Chazelas and revealed Wednesday in an alert from the US Computer Emergency Readiness Team (US-CERT),
still doesn’t have a fully working patch. On Thursday Linux distributor Red
Hat warned that the patch initially released along with US-CERT’s alert can be circumvented;
the incomplete fix is tracked separately as CVE-2014-7169.
But Kaspersky’s Schouwenberg
recommended that server administrators still apply the existing patch;
while it’s not a complete cure for the shellshock problem, he says it does
block the exploits he’s seen so far.
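As an added example, not from the article or from Red Hat, Kaspersky or US-CERT, the POSIX shell script below lets an administrator check whether the local Bash is open to the original bug and whether it is still open to the bypass of the first patch. It assumes a `bash` binary on the PATH; the environment variable name HTTP_USER_AGENT is chosen only to mirror how a CGI server would hand a request header to Bash, and any name would do.

```shell
#!/bin/sh
# Added example (not the article's code). Probes the local bash for CVE-2014-6271
# (the original Shellshock bug) and CVE-2014-7169 (the bypass of the first patch).
# Assumes POSIX sh plus bash on PATH. Nothing here is written outside a scratch dir.

# Original bug: a function definition in the environment with a command appended.
# A vulnerable bash executes the trailing command while importing the function,
# before it ever runs the -c script. Prints "vulnerable", "patched" or "no-bash".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env HTTP_USER_AGENT='() { :;}; echo SHELLSHOCK_HIT' \
              bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_HIT*) echo vulnerable ;;
        *)                echo patched ;;
    esac
}

# Incomplete-fix bypass: the first patch stopped the appended command, but parser
# state from the malformed definition still leaked into the next command, so the
# stray "> \" turned "echo date" into a redirection that writes a file named "echo".
# Run in a scratch directory so a vulnerable shell cannot clobber anything real.
# Prints "vulnerable", "patched" or "no-bash".
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d)
    ( cd "$dir" && env HTTP_USER_AGENT='() { (a)=>\' \
                     bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Demo run against whatever bash is installed.
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
```

A bash that reports “patched” for the first check and “vulnerable” for the second has only the initial fix Red Hat warned about; it blocks the exploits seen so far, as Schouwenberg notes, but the function-import parser is still reachable from the environment and the package should be updated again as soon as the follow-up fix is available.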
In the meantime, the security community is still bracing
for the shellshock exploit to evolve into a fully self-replicating worm that
would increase the volume of its infections exponentially. Veracode’s Chris
Wysopal says it’s only a matter of time. “There’s no reason someone couldn’t
modify this to scan for more bash bug servers and install itself,” Wysopal
says. “That’s definitely going to happen.”
Source : wired.com