DecryptedTech

Friday19 August 2022

Shellshock used to spread botnet through SMTP


Reading time is around minutes.

There appear to be developments in the way that Shellshock is used to push malware around. According to new information the Bash Bug is now being used to send malware out through the use of compromised SMTP gateways. The clever attackers are trying to use altered headers (from, to, subject) to force the SMTP gateway to pull down additional code that contains the Shellshock attack.

As of this writing it is believed that web hosting services were probably the first round of systems attacked so that the botnet could spread from there. In many webhost servers the send mail function is wide open to attack and can be compromised unless the end user (site owner) locks it down for their site. This still leave the core SMTP relays open unless they are patched against Shellshock based attacks either at the OS level or at the perimeter (firewall etc). For most hosts adding in extra firewall protection for the sites they run is an expensive proposition while patching servers against Bash is a very time consuming option.

Either path leaves systems open until the whole project is complete. This gives the “bad guys” a rather large window in which to execute their attacks and spread. Sadly most organizations are not able to rapidly execute remediation faster than the bad guys can attack. It means that more has to be done on the front end to prevent exploitation of even known bugs (which means even more money). Shellshock is only getting started and when you consider how widespread the vulnerability we can expect to hear about many more large scale attack before everyone catches up and gets the holes plugged. Even then you can bet that some companies will not bother leaving vulnerable systems scattered all over the internet, just like Heartbleed…

Your thoughts?

Last modified on Tuesday, 28 October 2014 14:00

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.