Bash Shellshock Protection: Security from the Shellshock Bug | Sophos

Shellshock – What Is It?

Shellshock is a serious security bug in Bash, a "shell" commonly used in computers running Linux, UNIX and OS X. Shellshock could allow an attacker to execute malicious commands across the Internet on remote computers. Many web-facing servers run Linux and use Bash, so it is a widespread problem that needs fixing.


What Causes the Shellshock Bug in Bash?

How Bash works

Bash works behind the scenes to execute commands using environment variables.

For example, if you search a website for the term "banana," that gets turned into a back-end script like this:

/usr/local/bin/searchfor --database=website.index \
    --searchword=banana

That command might be launched by the server using Bash, which sets some helpful environment variables for the search, such as:

USER_AGENT
GET_REQUEST
HTTP_REFERER

However, Bash also accepts environment variables whose value starts with "()": when a new Bash starts up, it turns such a value into a function, in effect importing add-on code from the environment.

So:

$ FUNC="() { echo Banana; };" bash -c FUNC

... will print out:

Banana

What goes wrong

Because of the Shellshock flaw in the way Bash processes these imported function definitions, it can be tricked into running commands it shouldn’t.

An attacker can add some Bash commands onto the end of the auto-imported function, like the "Unexpected Banana" text here:

$ FUNC="() { echo Banana; }; echo Unexpected Banana;" bash -c FUNC

The second echo command should provoke an error, or at least be ignored, because it's not part of the function definition, which ends at the closing brace. But if your Bash is vulnerable to Shellshock, it keeps on going after the closing brace, sees the second echo command, and runs it right away, giving you the unexpected result:

Unexpected Banana
Banana

If the attacker's command is more sinister than an Unexpected Banana, you're in trouble.
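Two defender-side checks, added here as an example and not taken from the Sophos page: the first runs the function-import trick from the text against a bash binary (path assumed, default `bash`) and reports whether text after the closing brace was executed; the second counts request lines in a constructed sample access log whose headers or query string carry the "() {" prefix, literally or URL-encoded.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumptions: a "bash" binary on
# PATH (or a path passed as $1), and a web-server log in combined format.

is_bash_vulnerable() {
    # Report whether the given bash executes code placed after the closing
    # brace of an environment-imported function (the behaviour described above).
    bashbin="${1:-bash}"
    command -v "$bashbin" >/dev/null 2>&1 || { echo unknown; return 0; }
    # The function body is harmless; a patched Bash ignores the trailing echo.
    out=$(FUNC='() { :; }; echo SHELLSHOCK_MARKER' "$bashbin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

count_shellshock_probes() {
    # Count log lines carrying the "() {" function prefix, either literally
    # (typically in User-Agent or Referer) or URL-encoded (%28%29%20%7B).
    grep -c -i -E '\(\) ?\{|%28%29(%20| )?%7b' "$1" || true
}

make_sample_log() {
    # Constructed sample lines (not real traffic); 3 of 5 carry the prefix.
    f=$(mktemp)
    cat >"$f" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo" "curl/7.37"
192.0.2.13 - - [25/Sep/2014:10:00:04 +0000] "GET /search?q=banana HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.14 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo HTTP/1.1" 200 512 "-" "Wget"
EOF
    echo "$f"
}

# Stand-alone usage: report on the local bash and scan the sample log.
echo "local bash: $(is_bash_vulnerable)"
sample=$(make_sample_log)
echo "probe lines in sample log: $(count_shellshock_probes "$sample")"
rm -f "$sample"
```

On a patched host the first check prints "patched"; a result of "vulnerable" means the closing brace did not stop the parser, exactly the "Unexpected Banana" case.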

What Is the Threat?

Cybercriminals are actively trying to exploit Shellshock to inject malicious commands, steal data, and compromise servers with malware.

You may hear these reported as "Shellshock viruses," but that's somewhat misleading. Some of this malware is already known to be associated with attacks other than Shellshock. Other samples might be re-used later with other exploits.

Shellshock-related malware blocked by Sophos includes:

Payloads prefixed with "Linux/" are distributed as Linux binaries (also known as programs or executables). Those with "Perl" or "PHP" in their names use the Perl and PHP scripting languages on the server respectively. The "OSX/" prefix signifies malware targeting Mac computers.

Many of these payloads "call home" to so-called Command-and-Control (C&C) servers in order to download further malware, or to fetch commands telling them what to do next. This malware could be used to create a botnet, which cybercriminals use to distribute zombie malware, or for turning the botnet into a weapon for launching distributed denial-of-service (DDoS) attacks on web servers.

The Advanced Threat Protection (ATP) feature in the Sophos UTM will block these call-home attempts, as well as producing a threat alert to draw attention to the malicious traffic.

What Can You Do?

Many servers and server processes are exposed to Shellshock without any safeguard of their own, so they need to be patched as soon as Linux vendors issue security fixes for their products.

Sophos Protection

Sophos products protect against Shellshock attacks in several ways:

How to Get Help

Sophos is powered by great people who work around the clock to keep you safe, from our threat intelligence experts at SophosLabs, to our support and sales teams.