First Shellshock malware emerges just a day after vulnerability revealed [updated]

Two worms designed to exploit the Shellshock vulnerability in the Bash shell have been discovered by researchers just a day after it was made public

Security vendor Kaspersky Lab has reported that a computer worm has already begun infecting machines by exploiting Shellshock, the recently discovered vulnerability in the Bash scripting shell deployed on most Unix, Linux and Mac machines - including the majority of web servers around the world that are the key component of the internet.

Kaspersky researcher David Jacoby told Reuters that the malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and also scan for other vulnerable devices, including routers.

Meanwhile, Jaime Blasco, labs director at security researcher AlienVault, said that this same malware had also been trapped by his firm's 'honeypots' (systems designed to catch malware so it can be analysed). He also revealed a second worm designed for launching denial-of-service attacks.

"With the honeypot, we found several machines trying to exploit the Bash vulnerability," Blasco said.

"The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks."

It is not yet known who created the malware or what its exact purpose is.

On his website, security expert Brian Krebs has published a simple test, taken from the US-CERT advisory, that lets users check whether their Unix, Linux or Mac machines are vulnerable. Open a Bash terminal, it advises, and paste in the following command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

If not, it will be the following:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
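
The same check wrapped as a reusable function, as an added example that is not from Krebs, US-CERT or the original article; the function names, return codes and candidate paths are assumptions chosen for illustration. It decides on the `vulnerable` line alone, because patched builds do not all print the warning shown above.

```shell
#!/bin/sh
# Added example (not from the article): run the quoted test against
# specific shell binaries. Function names and return codes are illustrative.

# check_shellshock PATH
#   returns 0 = vulnerable, 1 = not vulnerable to this test,
#           2 = PATH missing or not executable
check_shellshock() {
    shell_bin=$1
    [ -x "$shell_bin" ] || return 2
    # Same harmless probe as the advisory. stderr is dropped because
    # patched builds differ in whether they print the warning.
    out=$(env x='() { :;}; echo vulnerable' \
          "$shell_bin" -c 'echo this is a test' 2>/dev/null) || true
    # Vulnerable only if the trailing command actually ran.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        return 0
    fi
    return 1
}

# report_shellshock PATH...
#   prints one line per path; returns 1 if any binary is vulnerable
report_shellshock() {
    any_vulnerable=0
    for candidate in "$@"; do
        rc=0
        check_shellshock "$candidate" || rc=$?
        case $rc in
            0) echo "$candidate: VULNERABLE, patch or replace"
               any_vulnerable=1 ;;
            1) echo "$candidate: not vulnerable to this test" ;;
            2) echo "$candidate: not present" ;;
        esac
    done
    [ "$any_vulnerable" -eq 0 ]
}

# Candidate paths are assumptions; add any other copies of Bash you ship.
report_shellshock /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh ||
    echo "at least one vulnerable shell found" >&2
```

Systems often carry more than one copy of Bash (a package-manager build alongside the system one, for instance), which is why the report takes a list of paths instead of testing only the shell on `PATH`.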

Krebs advises that while Linux and Unix vendors have already released patches for the Shellshock vulnerability, there is none available for Apple machines as yet. Many devices that run Linux are specialised or embedded systems, and even with patches being made available, it is likely to be a long while before they are upgraded.

Unlike the earlier Heartbleed SSL vulnerability, which allows attackers to read the contents of a web server, Shellshock potentially allows them to take over the vulnerable system, which in theory at least could make it even more dangerous.

Update

Apple has since responded, saying it is working to provide a software update for the OS X operating system.

"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore.

"With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced Unix services. We are working to quickly provide a software update for our advanced Unix users."