Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Shellshock Botnet Attacking Akamai, US DoD Networks

Posted by samzenpus on from the that-didn't-take-very-long dept.

Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

6 of 236 comments (clear)

  1. its on ! by johnjones · · Score: 4, Interesting

    no venerability should be without a logo :

      https://twitter.com/johnjonesname

  2. Bash needs to remove env-based procedure passing by m.dillon · · Score: 4, Interesting

    It's that simple. Even with the patches, bash is still running the contents of environment variables through its general command parser in order to parse the procedure. That's ridiculously dangerous... the command parser was never designed to be secure in that fashion. The parsing of env variables through the command parser to pass sh procedures OR FOR ANY OTHER REASON should be removed from bash outright. Period. End of story. Light a fire under the authors someone. It was stupid to use env variables for exec-crossing parameters in the first place. No other shell does it that I know of.

    This is a major attack vector against linux. BSD systems tend to use bash only as an add-on, but even BSD systems could wind up being vulnerable due to third party internet-facing utilities / packages which hard-code the use of bash.

    -Matt

  3. Amazing... by Anonymous Coward · · Score: 2, Interesting

    ... how the indignation at a major vulnerability like this (2nd in a few months) is so muted when the OS in question doesn't come from Microsoft.

    1. Re:Amazing... by Spy+Handler · · Score: 1, Interesting

      Windows users generally don't have a chip on their shoulder.

      Linux users generally hate Windows a lot more than Windows users hate Linux.

    2. Re:Amazing... by ray-auch · · Score: 4, Interesting

      1. the first fixes, within 24 hours of announcement, didn't actually fix it fully - in fact I suspect it will still be exploitable in some way or other until the "feature" of treating environment variables as code is removed completely
      2. providing an incomplete fix may be worse than taking a bit longer to properly QA the fix - a lot of admins may believe they have patched this based on the first announced vulnerability tests and the first set of patches, but in fact they are still vulnerable with a trivial change in the malicious bash code
      3. it was less than 24 hours after first being made public - this may be entirely unrelated to when it was first found

      We have no idea who found it first or for how long it may have been used covertly (did NSA etc. know of heartbleed before public knowledge ?)
      We don't know what prompted someone to be looking for problems in code that hasn't changed for 20+ yrs.
      It is so trivial to get remote code run with this bug (no unexpected new process or login or errors) that I doubt it will trip any intrusion detection systems.
      If you can use an http header that isn't logged, then you could run code on the server and extract information and it may be completely undetectable.

      Something else we don't know is how the FBI really got the Silk Road server to cough its real IP address. The FBI claim they put "miscellaneous characters" into the login form and it just happened to send the address back. You can believe that if you want. It may or may not be related (I have no idea about the silk road server setup), but a handful of days after the FBI put their story out someone is looking for security holes / bugs in very old bash code. Maybe there was no trigger and they just happened to get bored one day and decide that looking for bugs in bash would be fun. Or maybe there is more behind this than we know.

  4. Re: Only the beginning by peppepz · · Score: 3, Interesting

    Debian doesn't. Ubuntu doesn't. Anything embedded doesn't. OSX does. There's nothing to "laugh at Linux" for, because even leaving aside the fact, as huge as a house, that this is not a bug of Linux, we must take into account that Bash isn't used on all Linux distributions, is used on many non-Linux unices, and can be installed on non-Unix systems where it'll see environment variables too. I also register with amusement the fact that OSX gets pulled by the coat into the BSD family when it's time to calculate market share, but is carefully set aside now that the distinction is convenient.