By Jim Finkle
BOSTON, Sept 25 - Hackers have begun exploiting the newly identified "Shellshock" computer bug, using fast-moving worm viruses to scan for vulnerable systems and then infect them, researchers warned on Thursday.
"Shellshock" is the first major Internet threat to emerge since the discovery in April of "Heartbleed," which affected OpenSSL encryption software that is used in about two-thirds of all web servers, along with hundreds of technology products for consumers and businesses.
The latest bug has been compared to "Heartbleed" partly because the software at the heart of the "Shellshock" bug, known as Bash, is also widely used in web servers and other types of computer equipment.
The problem is unlikely to affect as many systems as Heartbleed because not all computers running Bash can be exploited, according to security experts. Still, they said "Shellshock" has the potential to wreak more havoc because it enables hackers to gain complete control of an infected machine, which could allow them to destroy data, shut down networks or launch attacks on websites.
The "Heartbleed" bug only allowed them to steal data.
The industry is rushing to determine which systems can be remotely compromised by hackers, but there are currently no estimates on the number of vulnerable systems.
"We don't actually know how widespread this is. This is probably one of the most difficult-to-measure bugs that has come along in years," said Dan Kaminsky, a well-known expert on Internet threats.
For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash, experts said.
"There is a lot of speculation out there as to what is vulnerable, but we just don't have the answers," said Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust. "This is going to unfold over the coming weeks and months."
ATTACKS ON DEVICES
Joe Hancock, a cybersecurity expert with insurer AEGIS in London, said in a statement that he is concerned about the potential for attacks on home broadband routers and controllers used to manage critical infrastructure facilities.
"In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched," Hancock said.
HD Moore, chief research officer with security software maker Rapid7, said it could take weeks or even months to determine what impact the bug will have.
"At this point we don't know what we don't know, but we do expect to see additional exploit vectors surface as vendors and researchers start the assessment process for their products and services," Moore said in an email. "We are likely to see compromises as a result of this issue for years to come."
Linux makers released patches to protect against attacks on Wednesday, though security researchers uncovered flaws in those updates, prompting No. 1 Linux maker Red Hat Inc to advise customers that the patch was "incomplete."
"That's a problem. It's been a little over 24 hours and we're still in the same boat," said Mat Gangwer, lead security consultant at Rook Security. "People are kind of freaking out. Rightfully so."
WORMS
Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting "Shellshock."
The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and also scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.
He said he did not know who was behind the attacks and could not name any victims.
Jaime Blasco, labs director at AlienVault, said he had uncovered the same piece of malware, as well as a second worm seeking to exploit "Shellshock," which was designed for launching denial-of-service attacks.
"Heartbleed" is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk, as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
