Instead, they rewrote a proof-of-concept script created by security researcher Robert David Graham Wednesday that was designed to measure the extent of the problem. The hackers behind another widespread exploit using the Bash bug didn't even bother to write their own attack program. "You install it on the server that you’re able to get remote command execution on and now you can control that machine," says Wysopal. ![]() With that program in place, a command and control server can send orders to the infected target using the instant messaging protocol IRC, telling it to scan other networked computers or flood them with attack traffic. Wysopal points to attackers who are using a shellshock exploit to install a simple Perl program found on the open source code site GitHub. People were compromising machines within an hour of yesterday's announcement." "There's not a lot of development time here. "People are pulling out their old bot kit command and control software, and they can plug it right in with this new vulnerability," he says. The attack is simple enough that it allows even unskilled hackers to easily piece together existing code to take control of target machines, says Chris Wysopal, chief technology officer for the web security firm Veracode. And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers. ![]() The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers' commands. With a bug as dangerous as the "shellshock" security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic.Īs of Thursday, multiple attacks were already taking advantage of that vulnerability, a long-standing but undiscovered bug in the Linux and Mac tool Bash that makes it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |