Bored hackers flick Shellshock button to OFF as payloads shrink
But beware of complacency, warn Akamai bods
Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug's disclosure, Akamai researchers say.
The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored with the bug.
The number of unique payloads increased from 43 on day zero to a whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753 before falling off.
The numbers demonstrated the effectiveness of Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and Ory Segal wrote in a co-authored post.
"One of the troubling aspects of the Shellshock vulnerability is the ease of exploitation, which can be seen by the dramatic increase in the number of unique payloads between the first and the second days," they said.
"The sheer number of creative payloads also demonstrates how effective and deadly this vulnerability can be – most of the scanning and exploitation process is already fully automated.
"With such a low barrier to entry, and the simplicity of writing powerful exploits, we believe that Shellshock-based attacks are going to stay around for months if not years, and will probably top the botnet infection method charts in the near future."
Two-thirds of the 22,487 unique attacking IP addresses were from the US, with Germany, Britain and seven other countries sharing the remainder.
Almost 300,000 gaming domains made up the vast majority of Shellshock targets, with consumer electronics and email marketing among the less affected industries.
More than half of all detected Shellshock probes, however, were illegitimate scans of the sort conducted in unpaid security research, which did not involve exploitation, while about a third were legit.
Akamai found eight percent of payloads were attempts by internet idiots to exploit Shellshock to open CD trays, play audio files, and dump nonsensical payloads.
More malicious acts including Bitcoin and database stealers made up less than one percent of payloads. ®