As of this writing, it is believed that web hosting services were probably the first round of systems attacked so that the botnet could spread from there. On many webhost servers the send mail function is wide open to attack and can be compromised unless the end user (site owner) locks it down for their site. This still leaves the core SMTP relays open unless they are patched against Shellshock-based attacks, either at the OS level or at the perimeter (firewall, etc.). For most hosts, adding extra firewall protection for the sites they run is an expensive proposition, while patching servers against Bash is a very time-consuming option.
Either path leaves systems open until the whole project is complete. This gives the “bad guys” a rather large window in which to execute their attacks and spread. Sadly, most organizations are not able to execute remediation faster than the bad guys can attack. It means that more has to be done on the front end to prevent exploitation of even known bugs (which means even more money). Shellshock is only getting started, and when you consider how widespread the vulnerability is, we can expect to hear about many more large-scale attacks before everyone catches up and gets the holes plugged. Even then, you can bet that some companies will not bother, leaving vulnerable systems scattered all over the internet, just like Heartbleed…