Search Blog for

28 (and Some) Days Later: Shellshock Scanners Still Roaming Around

On September 24th a security researcher disclosed a serious vulnerability in Bash (a.k.a., Bourne-Again Shell) that affects many Linux and Unix systems (CVE-2014-6271/CVE-2014-7169). The vulnerability became known as Shellshock and, as ‘mega vulnerabilities’ go, it was possibly the worst of the bunch.

Shortly after the initial disclosure, Incapsula’s Web Application Firewall began blocking large number of Shellshock attacks on our protected domains.

Some of these (~6%) were legitimate scanning tools used by concerned internet citizens. However, the remainders were malicious, hitting our web application firewall at a rate of 1,970 attempts per hour.

Shellshock attack attempts - last 4 days

Shellshock attack, then| Hi-res image

None of these were able to pass through Incapsula’s security defenses. Still, the sheer tenacity of these attempts revealed the overall scope of this zero-day threat. In reviewing the data for Incapsula-protected domains, we couldn’t help but ask ourselves-how are others being affected?

Now, thirty some odd days later, we would like to provide another Shellshock-related update.

Shellshock Today

As any security researcher will tell you, zero-days never die young. The reason is simple. Even when rapidly released, official patches are only useful for containment. Left unattended, some resources will remain vulnerable.

These might be some old WP templates using an older version of TimThumb or, in the case of Shellshock, a home router having an outdated Linux installation. One way or another, there are always stragglers for attackers to prey on.

Today, more than thirty days after Shellshock was officially disclosed, there are still plenty of them roaming around.

Shellshock attack attempts - last 4 days

and now | Hi-res image

Just in the last 14 days Incapsula has seen over 630,000 Shellshock attempts from over 15,000 offending IPs. Few were legitimate scanners, with 95% clearly being malicious requests.

Comparing these data to earlier attack patterns paints an interesting picture:

Attack Rate Offending IPs
Zero-Day 1,700+/hour 400+
Four Days Later 1,900+/hour 890+
Thirty Days Later 1,800+/hour 15,000+

What immediately stands out is the massive 1,600+% increase in the number of offending IPs that in the last month. Note that, even with this increase, the average attack rate has remained almost the same.

To us these numbers mean one thing: Shellshock is now officially mainstream. The earlier data might suggest a few dozen hackers attacking at a very high rate from a few hundred hijacked devices.

The current number of offending IPs, however, points to much larger group of perpetrators who are now systematically scanning for vulnerable Linux and Unix devices.

This behavior should be considered much more alarming than all of the buzz-driven interest Shellshock initially generated in the hacker community.

Specifically, it should raise a red flag for all those who still operate potentially vulnerable devices.

The media may have moved on, but the hackers haven’t. Shellshock remains an extremely dangerous vulnerability, having the ability to cause direct damage to unprotected devices, in addition to downstream collateral damage to others (e.g., as the result of a subsequent DDoS botnet attack).

We advise all network operators, home users, and website owners to remain vigilant. Shellshock is here to stay and if you haven’t yet done it already, go ahead and patch that home router.