{"id":15010,"date":"2014-09-26T17:04:11","date_gmt":"2014-09-26T17:04:11","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2656"},"modified":"2020-02-26T10:56:06","modified_gmt":"2020-02-26T15:56:06","slug":"bashbugshellshock-the-day-after","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bashbugshellshock-the-day-after\/15010\/","title":{"rendered":"Bashbug\/Shellshock: the day after"},"content":{"rendered":"<p><i>Other\u00a0posts on BashBug\/Shellshock:<\/i><\/p>\n<ul>\n<li><a href=\"https:\/\/business.kaspersky.com\/when-the-bug-bashes-you\/2649\" target=\"_blank\" rel=\"noopener nofollow\">When the Bug Bashes you<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/shellshock-how-to-check-and-update-potentially-vulnerable-systems\/15011\/\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock: how to check and update potentially vulnerable systems<\/a><\/li>\n<\/ul>\n<p>A day has passed since yet another ghastly revelation of a new, or rather newly discovered, bug in the Bourne again shell, present in almost all *nix-like systems, Mac OS X included. Just after the discovery there were a lot of arguments about whether or not it\u2019s Heartbleed 2.0.<\/p>\n<p>By the look of it, it is, or could be, even more dangerous. As Securelist <a href=\"https:\/\/securelist.com\/blog\/research\/66673\/bash-cve-2014-6271-vulnerability-qa-2\/\" target=\"_blank\" rel=\"noopener\">stated<\/a>, \u201cit\u2019s much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting. By contrast, the bash vulnerability makes full system control much more possible. 
So it would seem to be more dangerous.\u201d<\/p>\n<p>The ease of exploitation ensured an abundance of <a href=\"https:\/\/github.com\/search?utf8=%E2%9C%20%93&amp;q=shellshock\" target=\"_blank\" rel=\"noopener nofollow\">proof-of-concepts<\/a> and working exploits. There are reports of a limited number of malicious attacks. Although the extent of the real damage is still unclear, within hours of the disclosure hitting the Web there were reports of someone using masscan to serve malware to vulnerable servers.<\/p>\n<p>Robert Graham from Errata Security reported the bug to be \u201cwormable\u201d, and the worm indeed didn\u2019t take long to appear, with <a href=\"http:\/\/www.forbes.com\/sites\/richardstiennon\/2014\/09%20\/25\/shellshock-bug-in-bourne-shell-could-spawn-%20worm\/\" target=\"_blank\" rel=\"noopener nofollow\">\u201cthanks, Rob\u201d<\/a> in the comments in the code.<\/p>\n<p>Efforts to spread malware using the bug appear to have had some degree of success: Italian security researchers reported that Shellshock\/BashBug has been busy <a href=\"http:\/\/www.itnews.com.au\/News\/396197,first-%20shellshock-botnet-attacks-akamai-us-dod-%20networks.aspx\" target=\"_blank\" rel=\"noopener nofollow\">building a botnet<\/a> running on Linux servers, codenamed wopbot. 
The botnet is effectively building itself further, according to the researchers, using the bug to auto-infect other servers.<\/p>\n<p>It\u2019s also been busy carrying out a denial of service attack against Akamai, and massively scanning the United States\u2019 Department of Defense Internet Protocol address range on TCP port 23 (Telnet) \u2013 according to our Italian colleagues, for brute force attack purposes.<\/p>\n<p>Fortunately, the C&amp;C server of the wopbot, located in the UK, was taken down promptly. However, the \u201cbotmaster\u201d server for wopbot is in the US and it\u2019s still up and serving malware.<\/p>\n<p>It\u2019s not yet known how many servers have been infected already, but there are possibly millions of Apache webservers around the world that could be at risk, if their CGI scripts invoke Bash.<\/p>\n<p>This is not limited to webservers.<\/p>\n<p>The worst problem is the one that cannot be fixed. In the case of Bashbug\/Shellshock it\u2019s related to multiple internet-of-things devices with their firmware fixed in place, without any possibility to upgrade or patch it. Some of them use Bash, and are thus vulnerable, and can be used for malicious purposes.<\/p>\n<p>There is also a problem with networked embedded devices that use CGI scripts \u2013 for example routers (home ones included, <a href=\"http:\/\/www.troyhunt.com\/2014\/09\/everything-you-need-to-know-about.html\" target=\"_blank\" rel=\"noopener nofollow\">according<\/a> to a Microsoft MVP, security expert Troy Hunt), home appliances and wireless access points. 
They are also vulnerable and, in many cases, difficult \u2013 if not impossible \u2013 to patch. And even where patching is possible, routers, both those used at home and in businesses, are the sort of hardware that doesn\u2019t get upgraded often.<\/p>\n<p>With the weekend ahead, it is a good time to review the status of the networked and embedded devices within your networks, for security\u2019s sake \u2013 i.e. to avoid serious and hard-to-solve problems in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s been a day since the BashBug aka Shellshock bug was disclosed. 
What real damage has been inflicted and who is most in danger?<\/p>\n","protected":false},"author":209,"featured_media":15635,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2195,838],"class_list":{"0":"post-15010","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-bashbug","10":"tag-shellshock"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bashbugshellshock-the-day-after\/15010\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bashbugshellshock-the-day-after\/15010\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bashbugshellshock-the-day-after\/15010\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/bashbug\/","name":"bashbug"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15010"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15010\/revisions"}],"predecessor-version":[{"id":33333,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15010\/revisions\/33333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15635"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}