Shellshock flaw hits Lycos and Winzip - but not Yahoo

News by Steve Gold

Just when you thought the Shellshock vulnerability issue couldn't get any more complex, a "handful" of Yahoo's servers were apparently infected by malware at the start of the week.

Initially Yahoo confirmed Future South Technologies' analysis of the situation, where Jonathan Hall - the research firm's senior engineer and president - noting that Yahoo's systems were breached using the Shellshock bug.

In his analysis, Hall explained that Romanian hackers running scripts that form botnet swarms to stage DDoS attacks were to blame. Other sites compromised by the Shellshock vulnerability reportedly included Lycos and Winzip.

After a little more research, however, Yahoo changed its mind, blaming other malware variants instead.

As reported previously, Shellshock is a severe vulnerability in Bash, the open-source shell used as the default command-line interpreter on many operating systems including Linux, Unix and Apple's OS-X platform. The vulnerability allows attackers to execute code - using the same commands as a legitimate user, but without authentication.

According to Alex Stamos, Yahoo's CISO, after investigating the situation fully, it turns out that the servers were not affected by Shellshock.

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs," he said a statement emailed to the Hacker News newswire.

Regardless of Yahoo's analysis of the situation, it appears that - two weeks in - the Shellshock vulnerability issue isn't going to go away quickly.

According to security vendor Zscaler's research team, cyber-criminals are now enhancing their attack methodologies in order to increase the chances of a successful infection.

Over at AlienVault, security researcher Jaime Blasco has been doing his own research, launching a honeypot server to see how attackers are exploiting the problem. Along with the expected pings, Blasco says that he also saw two attackers using Shellshock to install two different pieces of malware.

Fellow AlienVault researcher Garrett Gross picked up on Blasco's analysis, noting that some people are saying that the Shellshock problem may be bigger than Heartbleed.  "This exploit definitely could have greater consequences than Heartbleed since it allows remote access to a system. Heartbleed, you may remember, was able to steal small amounts of data by causing a dump of some of the contents in a server's memory," he said.

"However, one similarity with Heartbleed is that the bash vulnerability shows us that, although millions of systems depend on this software, very few users or vendors are conducting thorough testing. This vulnerability has been around for 20 years, but has been undetected until now," he explained.

Gross recommends that users should now be looking for an alternative to Bash, but in the meantime, they should disable any CGI that calls on the shell.

The real fix, he says, will centre on the patching of bash itself - either from the developers of the distribution you use, or via users' own compiled code.


According to Richard Cassidy, a senior solutions architect with Alert Logic, this latest evolution in the Shellshock saga is very interesting indeed.

"There really shouldn't have been any doubt as to the scale of the problem with respect of the `bash' vulnerability from outset. It affects an implementation of `bash' that has been deployed for a considerable number of years," he said.

"We've always known that Internet facing services were at bigger risk and that businesses, service providers and cloud providers needed to implement a `remediation' strategy with immediate effect. The challenge is that we are still recovering from the aftermath of the Heartbleed and organisations are struggling to complete their remediation plans for that vulnerability," he added.

Cassidy went on to say that he has said before that we are talking about a specific set of variables needing to be in place for this exploit to be successful and that is still the case, so the Shellshock issue is not going to be the staple of the `script-kiddie' groups in the wild, but those who fully understand `bash' and its uses will be in a position to create some headache for vulnerable organisations.

"There is still a great deal of testing to be done on the variations in arbitrary commands that will be effective in the bash exploit, not least how services that use bash can be affected to gain access to systems and user personal data. For that reason bash is still a great threat to organisations and users. 

"Even where systems have been patched, there needs to be great deal of audit and analysis of systems that were affected, to ensure any potentially exploited systems are clear. This again highlights the need for greater visibility at the systems, networks and application level - you can't audit or control what you can't see," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews