
VIRUS DEFINITION


Virus Type: Virus / Bug / Malware
Also called: CVE-2014-6271

What is the “Bash” Bug Virus?

The "bash bug", also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to potentially take control of electronic devices. An attacker can simply execute system-level commands with the same privileges as the affected service.

The flaw allows an attacker to remotely append malicious commands to an environment variable; those commands are executed as soon as Bash is invoked and imports that variable.

In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash.

At the time of writing, the vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks. Our researchers are constantly gathering new samples and indications of infections based on this vulnerability; and more information about this malware will be published soon.

The vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables.

How the “Bash” Bug Works

When you have a CGI script on a web server, this script automatically reads certain environment variables, for example your IP address, your browser version, and information about the local system.

But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.

What makes the bash bug unique

  1. It’s very easy to exploit
  2. The impact of the bash virus is very severe
  3. It affects any type of software that uses the bash interpreter

Researchers are also trying to figure out if other interpreters, such as PHP, JSP, Python or Perl, are also affected. Depending on how code is written, sometimes an interpreter actually uses bash to execute certain functions; and if this is the case, it might be that other interpreters could also be used to exploit the CVE-2014-6271 vulnerability.

The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.

How to Tell if Your Device is Infected

The easiest way to check if your system is vulnerable is to open a bash-shell on your system and execute the following command:

[image: the test command]

If the shell returns the string "vulnerable", you should update your system.

Red Hat includes links to a diagnostic step that would allow users to test for vulnerable versions of Bash – see https://access.redhat.com/articles/1200223
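The check described above, wrapped in a small POSIX sh script, is added here as an example and is not code from the original page. It runs the widely published CVE-2014-6271 diagnostic (the same one the Red Hat article refers to) in a child bash process and returns a verdict; the function name `shellshock_check` and the default of testing whatever `bash` is first on `PATH` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): the widely published
# CVE-2014-6271 self-test, wrapped in a function that returns a verdict.
# The test exports a variable whose value looks like a bash function
# definition ("() { :;}") followed by a trailing command. An unpatched bash
# imports the function and also runs the trailing "echo vulnerable"; a
# patched bash ignores everything after the function body.

shellshock_check() {
    # $1: bash binary to test; defaults to the first "bash" on PATH (assumption)
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"        # nothing to test on this host
        return 2
    fi

    # Run the probe in a child bash so the current shell is never affected
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Stand-alone use: print the verdict (the if-wrapper keeps a "set -e" caller
# from aborting on a non-zero verdict)
if shellshock_check "$@"; then
    echo "bash looks patched against CVE-2014-6271"
else
    echo "review the verdict above and update bash"
fi
```

Run it as `sh shellshock_check.sh` or pass an explicit binary (`sh shellshock_check.sh /bin/bash`). A return value of 1 means the trailing command was executed and the system needs the vendor patch; on a host with several bash builds (for example a packaged one and a locally compiled one), test each path separately.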

Another way to see if you’ve been infected by the Bash virus is to review your HTTP logs and check if there is anything suspicious. Following is an example of a malicious pattern:

[image: bash-virus-http-logs.gif (example of a malicious pattern in HTTP logs)]

There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won’t prevent someone from exploiting this vulnerability, but it will log the attacker’s actions on the system.
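One way to do the log review described above is to search the access log for the function-definition marker that every Shellshock attempt has to carry. The script below is an added example, not code from the original page; the log lines in it are constructed (Apache combined format, RFC 5737 test addresses), and the function names and the regular expression are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): scan HTTP access-log lines for
# the Shellshock exploit marker. Every CVE-2014-6271 attempt must smuggle a
# bash function definition, i.e. the characters "() {", into something the
# web server copies into an environment variable (User-Agent, Referer, Cookie,
# the query string ...). Ordinary clients never send that, so the marker alone
# is a high-confidence indicator, whatever command follows it.

# Match "() {" literally or URL-encoded (%28%29 ... %7B), with optional
# spaces / %20 in between; -i below makes the hex digits case-insensitive.
SHELLSHOCK_RE='(\(\)|%28%29)( |%20)*(\{|%7b)'

# Print only the matching log lines (exit 1 when there are none, like grep)
find_shellshock_probes() {
    grep -Ei "$SHELLSHOCK_RE"
}

# Count matching lines; always prints a bare integer and returns 0
count_shellshock_probes() {
    grep -Eic "$SHELLSHOCK_RE" || true
}

# Constructed sample in Apache combined format (RFC 5737 test addresses);
# lines 1 and 3 carry the marker in the User-Agent and in the query string.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.9 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 500 0 "-" "curl/7.38.0"
192.0.2.44 - - [25/Sep/2014:10:13:15 +0000] "POST /cgi-bin/status.cgi HTTP/1.1" 200 128 "http://example.com/form.html" "Mozilla/5.0 (Windows NT 6.1)"'

# Stand-alone use: report the count, then show the offending lines.
# Against a real server: find_shellshock_probes < /var/log/apache2/access.log
echo "suspicious requests: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes || echo "no Shellshock probes in sample"
```

Two caveats when using this on real logs: the default combined format records only the User-Agent and Referer headers, so a marker sent in a Cookie or custom header will not be visible unless the server logs those headers too, and a request that returns 500 (as in the third sample line) still counts, because the command may have run before the CGI script failed.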

How to Stop the “Bash” Bug Virus

The first thing that you need to do is to update your bash version. Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be really effective yet, patching is the first thing to do.

If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.

Also review your webserver configuration. If there are any CGI scripts that you are not using, consider disabling them.