Author Topic: Shellshock OSX10.8.3  (Read 6807 times)

REDACTED

  • Guest
Shellshock OSX10.8.3
« on: September 27, 2014, 01:48:25 AM »
  I stopped a worm (force quit!) a few days ago after I became suspicious of how my computer was acting.  I took a few preventive measures but I'm very suspicious still.

  I opened terminal and typed:
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  and the answer allegedly shows vulnerability.

  I read some articles but most are written by journalists and not software people.
  Avast did not catch the worm which is OK because it is free. I did not expect miracles and it is a small part in my line of defenses.
  Any suggestions other than waiting for Apple to move?  My guess is that it entered through Firefox (latest version).

REDACTED

  • Guest
Re: Shellshock OSX10.8.3
« Reply #1 on: September 27, 2014, 02:33:33 AM »
  Just another guess on how the worm entered.  I was searching Google shopping and an ebay buy it now fake page was displayed.  The Avast rep did not catch it.  I tried to buy the product (stupid because the price was too good to be true, 20% lower than usual).  The transaction bounced but the hackers have my ebay, paypal and possibly my bank account info.
  Pain in the neck!

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #2 on: September 27, 2014, 05:07:14 AM »
Where to start...

First, I'm sorry that you got your accounts breached, if that's the case.

Now, let's start with Shellshock, you ran a piece of code in the terminal that only serves to prove that the bash version you are running is vulnerable to the Shellshock vulnerability.
Currently, all OS X versions actually have that vulnerability, if anyone running OSX runs that command they will get the same result.

This vuln. is dangerous mostly for servers, and in some special cases for clients too. The case you described could not have triggered the vulnerability; actually it would be the other way around: you could have, via a crafted HTTP request, triggered the vuln. in the server.

What I mean is, all this talk about Shellshock is actually irrelevant for your situation, because you weren't attacked via Shellshock.

Now, worms, worms are a specific kind of malware that spreads using vulnerabilities in a network, Shellshock could be used, but in that case it would be from Webserver to Webserver. So no, your case is also not a worm.

What you describe seems more like phishing, a rogue site posing to be another in order to steal your info and credentials. There's no malware involved in such cases, only social engineering, as such Avast! AV, or any other AV, free or not can't do much about it.

However, the most important facts are left out, which are: what was the behaviour that you considered suspicious? What 'preventive measures' did you take? And how do you know that they got your info? As in, what facts led you to conclude that?
« Last Edit: September 27, 2014, 05:45:05 AM by specimen9999 »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Shellshock OSX10.8.3
« Reply #3 on: September 27, 2014, 05:07:37 AM »
-> http://blog.avast.com/2014/09/26/what-is-the-bash-bug-and-how-do-i-prevent-my-systems-from-being-shellshocked/

If you’ve got Mac machines in your environment that can be exploited, you can disable the exploit by temporarily changing the default user shell. For IT administrators that have the know-how, get started right away – but for those that have to ask “how?,” it’s best to keep your eyes peeled and wait for an official update from Apple.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #4 on: September 27, 2014, 05:16:02 AM »
-> http://blog.avast.com/2014/09/26/what-is-the-bash-bug-and-how-do-i-prevent-my-systems-from-being-shellshocked/

If you’ve got Mac machines in your environment that can be exploited, you can disable the exploit by temporarily changing the default user shell. For IT administrators that have the know-how, get started right away – but for those that have to ask “how?,” it’s best to keep your eyes peeled and wait for an official update from Apple.

That article, although very informative has some inaccuracies, for instance they have a paragraph about routers, actually most home routers aren't vulnerable as many other embedded devices, because they normally use Busybox for their gnu tools (where bash is included), Busybox packs all these tools in a much smaller footprint, also, Busybox happens to not be vulnerable to Shellshock.

Also this part is absolutely wrong:
Quote
If you see nothing but “this is a test,” you’ve successfully run the exploit, and you’ve got some work to do.
It's the other way around, if you see 'vulnerable' AND 'this is a test' that's when you know you are vulnerable.

Further down, when referring to Macs it uses the word INFECTED, when it should say AFFECTED; this completely changes the meaning!
« Last Edit: September 27, 2014, 05:21:43 AM by specimen9999 »
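
The reading of the test output given in Reply #4 (both 'vulnerable' and 'this is a test' printed means the bash is affected), as an added shell example that is not part of any post in this thread. The function names and the extra `inconclusive` and `missing` verdicts are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): run the Shellshock self-test from
# the first post and interpret its output the way Reply #4 describes.

# classify_output OUTPUT
# Prints one verdict for the captured stdout of the test command.
classify_output() {
    if ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # The harmless command never ran, so nothing can be concluded.
        echo inconclusive
    elif printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # Both lines present: bash executed the text after the function body.
        echo vulnerable
    else
        # Only the test line: the trailing command was not executed.
        echo patched
    fi
}

# check_bash [PATH]
# Runs the self-test against one bash binary (default /bin/bash).
check_bash() {
    bash_path=${1:-/bin/bash}
    if [ ! -x "$bash_path" ]; then
        echo missing
        return 0
    fi
    # Same command as in the first post; stderr is dropped because some
    # patched builds print warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$bash_path" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

echo "/bin/bash: $(check_bash /bin/bash)"
```

Pass another path to `check_bash` to test a second bash binary installed alongside the system one.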

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Shellshock OSX10.8.3
« Reply #5 on: September 27, 2014, 05:21:29 AM »
That article, although very informative has some inaccuracies...
I suggest to leave a comment on the blog.

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #6 on: September 27, 2014, 05:35:02 AM »
That article, although very informative has some inaccuracies...
I suggest to leave a comment on the blog.

Done!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #8 on: September 30, 2014, 02:04:36 PM »
OS X bash Update 1.0
http://support.apple.com/kb/DL1767
http://support.apple.com/kb/DL1768
http://support.apple.com/kb/DL1769

Yes, thank you, and it's being pushed via Software Update. However, I feel I need to stress that for what Chicago Dan described, the bash vulnerability is a red herring.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Shellshock OSX10.8.3
« Reply #9 on: September 30, 2014, 02:07:44 PM »
You're welcome and you're right. ;)

REDACTED

  • Guest
Re: Shellshock OSX10.8.3
« Reply #10 on: October 06, 2014, 05:23:33 AM »
  You guys are in total denial!  iPhoto, Avast, Firefox ALL DEAD.  All the programs had their UPDATE Coms infected.  Windows and non systems files (thumbs.dp for example) were all infected.  If I do not let Amazon and Google certificates in, my browser denies me service.  Apple updated 3 times this week.  Firefox can't be reinstalled.
  A decade of assembly language and battling government sponsored industrial software qualifies me to know what a worm is dummy.

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #11 on: October 06, 2014, 06:14:05 AM »
  You guys are in total denial!  iPhoto, Avast, Firefox ALL DEAD.  All the programs had their UPDATE Coms infected.  Windows and non systems files (thumbs.dp for example) were all infected.  If I do not let Amazon and Google certificates in, my browser denies me service.  Apple updated 3 times this week.  Firefox can't be reinstalled.
  A decade of assembly language and battling government sponsored industrial software qualifies me to know what a worm is dummy.

I'm sorry, but what you are saying makes no sense, you're confusing many different things.
And what the hell is 'government sponsored industrial software' and why does it need to be 'battled'? Do you mean 'government sponsored industrial espionage software'?

You clearly know much more than us, why don't you educate us and explain exactly how this worm infects Windows system files on OS X through the Shellshock vulnerability, and in the process explain what that has to do with the amount of updates Apple releases and your inability to reinstall Firefox, all that using your knowledge of assembly.

REDACTED

  • Guest
Re: Shellshock OSX10.8.3
« Reply #12 on: October 11, 2014, 04:21:49 PM »
   One of the reasons I'm with Avast is their help in containing Stuxnet which I was infected with (probably friendly fire).  The most annoying thing was that the evil work was done by ex-acquaintances (guessing that now are at moxproject or former Afcon Inc some others).  I would like to thank the Hungarians (Budapest Institute of Informatics) that did a lot of legwork.  I will not disclose more since the utility low level assembly dudes that helped, need their privacy.  Lucky that a precursor was used as an attack on the Venezuelan oil industry and some info was available.  A lot of media lies are focused on the attack on Iran that probably did not slow them down more than a week (guessing from Siemens dudes info).
  My Mac is in a more stable situation now.  The usual default spies are in and I just make their life difficult from time to time.  It just takes too much of my time to fight battles.  I have a life to live.  Cleaning appliances such as computers should not take more than dishes.
  Just a few more words that might help those that are in the know.  The attack on my Mac made notes on the usage of Apple utilities (Activity Monitor, Terminal, Journaling, ComFile that was also used by Avast Web Rep Proxy etc).  It even tried to make a secret partition. This was huge!
  I will give Avast a month to adapt before reinstalling.  Firefox holes were the most difficult to contain while Safari is back to the usual spies (a lot less than before but Apple had some success).

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Shellshock OSX10.8.3
« Reply #13 on: October 11, 2014, 06:16:47 PM »
   One of the reasons I'm with Avast is their help in containing Stuxnet which I was infected with (probably friendly fire).  The most annoying thing was that the evil work was done by ex-acquaintances (guessing that now are at moxproject or former Afcon Inc some others).  I would like to thank the Hungarians (Budapest Institute of Informatics) that did a lot of legwork.  I will not disclose more since the utility low level assembly dudes that helped, need their privacy.  Lucky that a precursor was used as an attack on the Venezuelan oil industry and some info was available.  A lot of media lies are focused on the attack on Iran that probably did not slow them down more than a week (guessing from Siemens dudes info).
  My Mac is in a more stable situation now.  The usual default spies are in and I just make their life difficult from time to time.  It just takes too much of my time to fight battles.  I have a life to live.  Cleaning appliances such as computers should not take more than dishes.
  Just a few more words that might help those that are in the know.  The attack on my Mac made notes on the usage of Apple utilities (Activity Monitor, Terminal, Journaling, ComFile that was also used by Avast Web Rep Proxy etc).  It even tried to make a secret partition. This was huge!
  I will give Avast a month to adapt before reinstalling.  Firefox holes were the most difficult to contain while Safari is back to the usual spies (a lot less than before but Apple had some success).

lol...

The reason why I know you don't know what you are talking about is that you don't actually post any information that is concrete, usable or relevant. In fact some of the things you posted are incorrect. Just FUD, and a story about Stuxnet that is irrelevant to the current thread.

Also, if you actually believe in everything you said, then I think you are delusional.

"and battling government sponsored industrial software qualifies me to know what a worm is dummy."
Oh yeah... So what you meant was Stuxnet. The fact that you got infected by Stuxnet and had to deal with it does not qualify for anything. And you probably want to use a comma between is and dummy if you want to call me dummy instead of the worm.
« Last Edit: October 11, 2014, 06:37:46 PM by specimen9999 »