Why Shellshock is worse than Heartbleed

By John Zorabedian

Shellshock, a serious vulnerability in Bash affecting Linux, UNIX and OS X computers, is making life difficult for IT admins, as vendors rush out patches to stay ahead of the cybercriminals trying to exploit this bug.

Like the Heartbleed bug in OpenSSL, Shellshock has a nasty-sounding name, far-reaching impact, and major consequences for security. Yet Shellshock is worse than Heartbleed in one important way — it could allow an attacker to take complete control of vulnerable machines and IoE devices.

That’s not to take away from Heartbleed, or to overstate the dangers of Shellshock.

Recently it’s been reported that attackers were attempting to exploit Shellshock to compromise Yahoo servers. Although three Yahoo servers were compromised, in the end the crooks weren’t able to break in via Shellshock and ended up using other vulnerabilities to do their work.

And yet it goes to show that cybercriminals are actively trying to exploit Shellshock to inject malicious commands, steal data, and compromise servers with malware.

Some of this malware is already known to be associated with attacks other than Shellshock. Other samples might be re-used later with other exploits. Shellshock-related malware blocked by Sophos includes:

  • Mal/PerlBot-A
  • Linux/Wopbot-A
  • Troj/PerlShl-A
  • Linux/Tsunami-A
  • Troj/PHPFlood-A
  • Linux/Bdoor-BGG
  • OSX/Tsunami-Gen

Many of these payloads "call home" to so-called Command-and-Control (C&C) servers in order to download further malware, or to fetch commands telling them what to do next. This malware could be used to create a botnet, which cybercriminals use to distribute zombie malware, or for turning the botnet into a weapon for launching distributed denial-of-service (DDoS) attacks on web servers.

For more information about Shellshock, and how you can stay safe, check out these articles from Sophos experts: