
Shellshock (Bash Bug) DDoS Botnet

Highlights from a State of the Internet Threat Advisory

akamai.com

= what is shellshock (bash bug)?


Shellshock is a critical vulnerability in GNU Bash (Bourne Again Shell)
Affects versions 1.03 - 4.3
Also called Bash bug
Malicious actors exploit the Bash bug vulnerability to download and execute payloads on victim machines
Most Linux-based systems, Mac OS X and Cygwin are vulnerable
Capable of launching DDoS attacks, stealing sensitive information and breaching other systems
2 / [state of the internet] / threat advisory

= PLXsert observations about this threat


Akamai's infrastructure was tested by a DDoS Internet relay chat (IRC) botnet
PLXsert recorded the IRC conversation, providing analysis of the Shellshock Bash vulnerability and botnet-building
More than 22,000 unique attacking IP addresses identified from 10 different countries


Global distribution of the botnet IP addresses

= DDoS capabilities
Shellshock has several distributed denial of service (DDoS) capabilities
The Perl scripts placed on the compromised hosts exhibit DDoS functions, specifically UDP and TCP payloads
The UDP flood function consists of four flood payloads:
  IGMP
  UDP
  ICMP
  TCP (SYN)


= a variety of industries have been targeted


Online gaming
Consumer electronics
Online email marketing
Travel
Online advertising
Online media streaming
Government
Software


= how attackers use shellshock (bash bug)


Bash (Bourne Again Shell) is the shell, or command language interpreter, for the GNU operating system
Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk for the Bash bug
Some of the earlier patches failed to address the flaw in its entirety, leading to additional patches
On fully patched systems, remote exploitation attempts of this type will be unsuccessful


= system hardening and vulnerability mitigation


Check internal and external web servers for this type of application and others that may potentially pass input to Bash
Update and patch vulnerable hosts as soon as possible
Mobile phones, embedded devices and desktops, laptops and servers may be targeted; patch these devices
Upgrade to a new version of Bash, replace Bash with an alternate shell, limit access, or filter inputs to vulnerable services
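
One way to support the web server check and input filtering described above, as an added example that is not part of the Akamai advisory: a Python scan of access logs for fields that contain a Bash function definition, the form Shellshock exploitation attempts take. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# A Bash function definition, "() {", is the marker of a Shellshock attempt; spacing varies.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Assumed input: Apache/nginx "combined" format (request, Referer, User-Agent are quoted).
QUOTED = r'((?:[^"\\]|\\.)*)'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "' + QUOTED + r'" \d{3} \S+ "' + QUOTED + r'" "' + QUOTED + r'"$'
)
FIELDS = ("request", "referer", "user-agent")

def find_attempts(lines):
    """Return (line_no, source_ip, field) for every field holding a function definition."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if m is None:
            # Malformed line: scan the raw text so it does not become a blind spot.
            if FUNC_DEF.search(line):
                hits.append((n, None, "raw"))
            continue
        for name, value in zip(FIELDS, m.groups()[1:]):
            if FUNC_DEF.search(value):
                hits.append((n, m.group(1), name))
    return hits

def unique_sources(hits):
    """Distinct source addresses among the hits, for triage."""
    return sorted({ip for _, ip, _ in hits if ip})

# Constructed sample lines (documentation address ranges, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; <constructed-sample>"',
    '203.0.113.5 - - [01/Oct/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "(){ x; }; <constructed-sample>" "curl/7.30"',
    '192.0.2.44 - - [01/Oct/2014:10:00:04 +0000] "GET /js/app.js?cb=fn() HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    'truncated line () { :; }; <constructed-sample>',
]

if __name__ == "__main__":
    found = find_attempts(SAMPLE_LOG)
    for line_no, ip, field in found:
        print(f"line {line_no}: function definition in {field} from {ip or 'unparsed line'}")
    print("sources:", ", ".join(unique_sources(found)))
```

Combined logs record only the request line, Referer and User-Agent, so attempts carried in other request headers that a CGI server hands to Bash will not appear here; the scan complements patching and does not replace it.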


= recommended DDoS mitigation


Akamai Web Application Firewall (WAF) protections are available to assist customers of Kona Web Application Firewall and Kona Site Defender services
The DDoS UDP and TCP flood can be mitigated with ACL rules
Akamai customers have options to minimize the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability


= shellshock (bash bug) threat advisory


Threat Advisory: Shellshock (Bash Bug) DDoS Botnet toolkit

Download the threat advisory, Shellshock (Bash Bug) DDoS Botnet
This threat advisory includes:
  Vulnerable Bash versions
  Details of the attack on Akamai's infrastructure
  DDoS building capabilities of binary payloads
  Types of DDoS attacks
  IRC conversation from within the DDoS botnet
  How to mitigate this vulnerability
  Sources of UNIX and Linux vendor patch information
  DDoS mitigation


= about stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.

