Article Lead Image

Meet Shellshock, the new major security threat to the Internet

This is bad. Really bad.


Dell Cameron


Posted on Sep 25, 2014   Updated on May 30, 2021, 12:47 pm CDT

Hackers have begun creating malicious programs to take advantage of a major new cybersecurity bug discovered this week.

The so-called “Shellshock” bug is already being compared, in terms of the threat it presents, to the Heartbleed vulnerability discovered earlier this year in the OpenSSL cryptographic software library, which is used to encrypt Web traffic.

Discovered by Akamai security researcher Stephane Chazelas in Bash (Bourne-Again Shell), Shellshock primarily leaves Linux and Mac OS X machines at risk. Bash is a command-line interpreter, known commonly as the “terminal” on Mac OS X—it allows users to run programs by typing commands in text, rather than by clicking an icon, among other functions. Shellshock reportedly compromises all versions of Bash up to and including version 4.3. 

According to the U.S. government National Vulnerability Database (NVD), Shellshock is highly exploitable (ranked 10/10), does not require attackers to bypass any logins, and can be used to steal information or disrupt affected systems. Apache Web servers are said to be at the most risk due to the high number of processes that rely on Bash, while individuals using Debian-derived systems running Dash, such as the popular Linux distribution Ubuntu, are thought not to be vulnerable.

Here’s programmer and comedian Tom Scott explaining Shellshock as simply as one can:

The first report of Shellshock being exploited “in the wild” was documented by security researcher Yinette. The malware was documented as “CVE-2014-6271.” Numerous other reports have been made showing similar malware in use. Shit is real now. First in-wild attack to hit my sensors CVE-2014-6271 #shellshock #bash ping @MalwareMustDie

— Yinette (@yinettesys) September 25, 2014

Holy cow there are a lot of .mil and .gov sites that are going to get owned by CVE-2014-6271.

— Kenn White (@kennwhite) September 24, 2014

As reported by ZDNet, security researcher Robert Graham conducted a light scan this morning, and discovered at least 3,000 systems vulnerable to the bug. Graham notes that Shellshock is “wormable,” meaning it can infect other parts of a network once its made its way inside. He writes:

“Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

Researchers analyzing malware said to be exploiting the Shellshock bug have found a variety of functions, which may attempt to steal key user passcodes, or even convert the infected systems into IRC bots used to launch distributed-denial-of-service (DDoS) attacks. 

The biggest threat posed by Shellshock right now is that it’s old—really old. That means, unlike Heartbleed, which affected only a specific version of OpenSSL, malware exploiting the bug will find no shortage of targets. 

Thankfully, the Linux community has already began releasing patches for Shellshock, which coders say should partially deal with potential attacks. A statement from open-source software company Red Hat advises users to implement the newest version of Bash, which includes an incomplete patch for Shellshock. 

“We are working on patches in conjunction with the upstream developers as a critical priority,” the company said. 

At the moment, it’s a race between companies working to patch the bug and malicious hackers hoping to take advantage of it. It is not currently clear what risks average Web users face. The Daily Dot will report on more fixes for Shellshock, as they become available.

H/T ZDNet | Illustration by Fernando Alfonso III

Share this article
*First Published: Sep 25, 2014, 3:42 pm CDT