Web attacks build on Shellshock bug

Published 26 September 2014

Liam O'Murchu, Symantec: "US government has rated this 10 out of 10 from severity point of view"

A series of attacks on websites and servers using the serious Shellshock bug has been spotted.

Millions of servers use software vulnerable to the bug, which lets attackers run commands on that system.

So far, thousands of servers have been compromised via Shellshock and some have been used to bombard web firms with data, said experts.

The number of attacks and compromises was likely to grow as the code used to exploit the bug was shared.

The Shellshock bug was discovered in a tool known as Bash that is widely used by the Unix operating system and many of its variants, including Linux open source software and Apple's OSX.

Apple said it was working on a fix for its operating system and added that most users would not be at risk from Shellshock.

Attackers have been spotted creating networks of compromised machines, known as botnets, that were then put to other uses.

Honeypots

One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline. Another group used its botnet to scan for more machines that are vulnerable.

Evidence of the scanning and attacks came from honeypots run by security companies. These are computers that have been set up to look vulnerable but which catch information about attackers.

Jaime Blasco, a researcher at security firm AlienVault, said its honeypot had seen scans and attacks that used Shellshock. The scans simply informed attackers that a server was vulnerable, he wrote, but others attempted to install malware to put that machine under an attacker's control.

The control that Shellshock gave to attackers made it potentially more of a problem than the serious Heartbleed bug discovered in April this year, said security researcher Kasper Lindegaard from Secunia.

"Heartbleed only enabled hackers to extract information," he told tech news site The Register. "Bash enables hackers to execute commands to take over your servers and systems."

The seriousness of the bug has also led governments to act quickly. The UK government said its cybersecurity response team had issued an alert to its agencies and departments giving Shellshock the "highest possible threat ratings".

It had this rating, said the alert, because vulnerable systems would "inevitably" include machines that formed part of the UK's critical national infrastructure.

The US and Canada are believed to have issued similar alerts and told technology staff to patch systems as quickly as possible. Amazon, Google, Akamai and many other tech firms have also issued advisories to customers about the bug.

As well as software patches for vulnerable systems, security firms and researchers are also producing signatures and filter lists to help spot attacks based around it.

Early reports suggest up to 500 million machines could be vulnerable to Shellshock but, wrote Jen Ellis from security firm Rapid7, this figure was now being revised downwards because of the "number of factors that need to be in play for a target to be susceptible".

"This bug is going to affect an unknowable number of products and systems, but the conditions to exploit it are fairly uncommon for remote exploitation," said Ms Ellis.

Marc Maiffret, chief technology officer at security firm BeyondTrust, expressed a similar view.

"There is a lot of speculation out there as to what is vulnerable, but we just don't have the answers," he said. "This is going to unfold over the coming weeks and months."