Security researchers have identified a new malicious operation that ensnares hosts still vulnerable to the Shellshock bug in Bash, the default command shell on many Linux and Unix systems.
The Shellshock vulnerability was disclosed in late September 2014 and is a serious threat because it lets an attacker execute arbitrary commands in Bash simply by appending them to a function definition passed in an environment variable.
Bash is used by many web-facing services, such as web servers, and the fact that the flaw can be reached through those services is what makes it so important and impactful. Shellshock is considered no less serious than Heartbleed.
Despite extensive media coverage and the availability of patches, not all administrators have applied the Shellshock fix, leaving their machines exposed to cybercrime.
Attackers were already compromising vulnerable machines in mid-November 2014, and in December their focus turned to QNAP NAS (network attached storage) devices, giving them access to any device that had not been patched.
Cybercriminals now appear to be at it again: Volexity security researchers have observed a sharp increase in the breadth and frequency of scans for web devices vulnerable to Shellshock exploits.
On Wednesday, experts observed that the malware comes with a script containing a list of around 26,356 IP addresses, which are scanned using an ELF scanning binary.
Volexity’s Steven Adair wrote in a blog post:
“Based on the contents of the file, it appears to be a modified version of a file called mass.c referenced as sslvuln.c that was found on a Romanian website.”
It is speculated that Romanian attackers are responsible for modifying the malware components, since a string in the binary reads “Nu Pot Deschide%” (Romanian for “can’t open”).
When a vulnerable machine is identified, it is infected and added to the scanning database. This database is a list of the scanned hosts that were found to be vulnerable, together with those that have already been infected.
According to Adair, the most reliable indicator of malicious activity is outbound connectivity to the IP address 126.96.36.199. This address hosts a TAR archive along with the scripts needed to detect and infect vulnerable machines.
In an update to his original post, Adair stated that the malicious files are no longer hosted at the aforementioned IP address and that the attackers have significantly scaled back their scanning operations.
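Two defender-side checks follow from the article: the function-definition prefix that Shellshock abuses can be spotted in web server request headers, and the indicator Adair named (outbound connections to 126.96.36.199) can be matched against firewall logs. This is an added example, not code from Volexity or the article; the log lines and the hypothetical log formats are constructed for illustration.

```python
import re

# Constructed access-log lines (combined format, last field is the User-Agent).
# The third line carries a Bash function definition in its User-Agent header,
# which is the shape of a Shellshock probe arriving over HTTP.
ACCESS_LOG = """\
203.0.113.5 - - [20/Feb/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Feb/2015:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.38"
198.51.100.7 - - [20/Feb/2015:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probed"
"""

# Constructed firewall log lines in a hypothetical "source -> destination:port" format.
# 126.96.36.199 is the address the article names as hosting the attacker's toolkit.
FIREWALL_LOG = """\
2015-02-20T10:03:00Z ALLOW 10.0.0.12 -> 126.96.36.199:80
2015-02-20T10:03:01Z ALLOW 10.0.0.12 -> 93.184.216.34:443
"""

# A Bash function definition exported through an environment variable begins with
# "() {"; whitespace between the parentheses and the brace varies, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) ([^ "]+)')
CONN_RE = re.compile(r"(\S+) -> (\S+):\d+")
IOC_IPS = {"126.96.36.199"}


def find_shellshock_requests(log_text):
    """Return (client_ip, request_path) for each access-log line carrying the pattern."""
    hits = []
    for line in log_text.splitlines():
        if SHELLSHOCK_RE.search(line):
            client_ip = line.split(" ", 1)[0]
            m = REQUEST_RE.search(line)
            hits.append((client_ip, m.group(1) if m else "?"))
    return hits


def find_ioc_connections(log_text):
    """Return the internal hosts that connected outbound to a known indicator address."""
    talkers = set()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) in IOC_IPS:
            talkers.add(m.group(1))
    return sorted(talkers)


if __name__ == "__main__":
    print(find_shellshock_requests(ACCESS_LOG))
    print(find_ioc_connections(FIREWALL_LOG))
```

A host that appears in the second list should be treated as already compromised rather than merely scanned, since the article describes that address as the source of the infection scripts.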