Shellshock flaw hits Lycos and Winzip - but not Yahoo

Just when you thought the Shellshock vulnerability issue couldn't get any more complex, a "handful" of Yahoo's servers were apparently infected by malware at the start of the week.

Initially, Yahoo confirmed Future South Technologies' analysis of the situation, in which Jonathan Hall - the research firm's senior engineer and president - stated that Yahoo's systems had been breached using the Shellshock bug.

In his analysis, Hall explained that Romanian hackers running scripts that form botnet swarms to stage DDoS attacks were to blame. Other sites compromised by the Shellshock vulnerability reportedly included Lycos and Winzip.

After a little more research, however, Yahoo changed its mind, blaming other malware variants instead.

As reported previously, Shellshock is a severe vulnerability in Bash, the open-source shell used as the default command-line interpreter on many operating systems, including Linux, Unix and Apple's OS X. The vulnerability allows attackers to execute code, using the same commands a legitimate user could, but without authentication.

According to Alex Stamos, Yahoo's CISO, after investigating the situation fully, it turns out that the servers were not affected by Shellshock.

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs," he said in a statement emailed to the Hacker News newswire.

Regardless of Yahoo's analysis of the situation, it appears that - two weeks in - the Shellshock vulnerability issue isn't going to go away quickly.

According to security vendor Zscaler's research team, cyber-criminals are now enhancing their attack methodologies in order to increase the chances of a successful infection.

Over at AlienVault, security researcher Jaime Blasco has been doing his own research, launching a honeypot server to see how attackers are exploiting the problem. Along with the expected pings, Blasco says that he also saw two attackers using Shellshock to install two different pieces of malware.
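The Shellshock trigger described above (a string that Bash parses as an exported function definition) shows up in web-server logs when scanners probe CGI endpoints, which is the kind of traffic a honeypot like Blasco's records. The following is an added example, not code from the article, AlienVault or Yahoo: a small detector that parses combined-format access log lines and flags any request field carrying the function-definition signature. The log lines are constructed for the example, use documentation IP ranges, and carry only inert "echo" probe payloads; the field names and helper functions are this example's own.

```python
import re
from typing import Dict, List, Optional

# Shellshock payloads arrive in any HTTP field that a CGI handler exports into
# Bash's environment (User-Agent, Referer, Cookie, query string). The trigger
# is text that Bash parses as an exported function definition: "() {" followed
# by a body, after which trailing commands are executed. The regex tolerates
# extra whitespace because later probes varied the spacing to dodge naive
# string-match filters, as the Yahoo statement above describes.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format: client, ident, user, timestamp, request,
# status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into fields; None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock(line: str) -> Optional[Dict[str, str]]:
    """Return {client, field, payload} if any request field carries the trigger."""
    rec = parse_line(line)
    if rec is None:
        return None
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(rec[field]):
            return {"client": rec["client"], "field": field, "payload": rec[field]}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over a batch of log lines and collect the hits."""
    hits = []
    for line in lines:
        hit = find_shellshock(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log (not from any real server). The two probe lines use
# the harmless "echo" form scanners send to test for the bug.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.9 - - [06/Oct/2014:10:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:; }; echo probe" "curl/7.37.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} via {hit['field']}: {hit['payload']}")
```

The signature is a useful triage signal but not a substitute for patching Bash: a web server exports many more headers than the three the combined format logs, so a production detector should run on full request captures (or a WAF's view of every header), and, as the Yahoo incident shows, a mutated payload that slips past the signature can still trip an unrelated bug in whatever script later parses those logs.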

Fellow AlienVault researcher Garrett Gross picked up on Blasco's analysis, noting that some people are saying that the Shellshock problem may be bigger than Heartbleed.