Bad boy builds beastly Bash bug botnet, boxen battered

Mere hours after its discovery, the Shell Shock Bash vulnerability was exploited by an attacker to build a botnet.

The bot was discovered by researcher known as Yinette, who reported it on her Github account and said it appeared to be remotely controlled by miscreants.

Rapid 7 researcher Jen Ellis noted in a blog the discovery of the distributed denial of service bot, and described the Shellshock bug in detail.

"The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue," Ellis said.

"In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash.

"The most commonly exposed vector is likely going to be legacy web applications that use the standard CGI implementation. On multi-user systems, setuid applications that spawn 'safe' commands on behalf of the user may also be subverted using this flaw."

Attackers that could achieve exploitation would gain the ability to execute arbitrary commands at the same privilege level as the affected process, she said.

@bcrypt @yinettesys @djon3s @MalwareMustDie well, crap, that several thousand machines somebody just added to their botnet

— Robert Graham (@ErrataRob) September 25, 2014

Ellis like other security researchers said there was not enough detail yet available to determine the scope of the impact, but the discovery of a botnet hours after news of Shell Shock broke was a concerning sign.

Well, that was fast. Already an IRC bot in the wild using the bash bug: https://t.co/ODYmtnVfTN

— HD Moore (@hdmoore) September 25, 2014

She said the simplest action was to roll out Bash patches as soon as they were released including any partial fixes, and to stuff end-of-life wares behind secure firewalls.

News of the bot comes as a fix released by Red Hat was found to be incomplete – although people are urged to apply the patch to thwart most attacks on at-risk systems, another patch is expected soon to close up the hole for good.

Red Hat security engineer Huzaifa Sidhpurwala said Red Hat became aware of the problem with the initial fix, an issue that was also raised by infosec bods on Twitter.

"Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions," Sidhpurwala said, noting details of a workaround.

Metasploit punters could obtain the module released yesterday to detect vulnerability to Shell Shock for both the free and paid versions of the software. ®