Worm Burrows Into Storage Servers Via Shellshock Flaw | eWeek

Worm Burrows Into Storage Servers Via Shellshock Flaw

Shellshock vulnerability
Verfasst von
Robert Lemos
Robert Lemos
Dec 17, 2014
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Attackers are targeting a popular brand of network-attached storage (NAS) systems using the well-known Shellshock vulnerability to compromise the devices and install a backdoor that automatically scans for more potential victims, according to security researchers.

The attack, which qualifies as a worm, uses a previously known vulnerability in popular NAS devices made by QNAP, according to an analysis published by the SANS Institute. While the Shellshock vulnerability affects the Bourne Again Shell (BASH), a popular terminal program on Linux and Unix systems, attackers can trigger the vulnerability through other programs that use the shell for scripting. In this case, the attack exploits a Web script on the QNAP storage servers.

Storage systems—many of which have a built-in Web server as a management interface—will continue to be a popular target of attackers because they typically house valuable data, Johannes Ullrich, dean of research for the SANS Technology Institute, told eWEEK.

“They are pretty capable servers, but also rich in vulnerabilities and there typically is no easy way to patch them,” he said. “Also, there is no alert [that a patch is available] unless you connect to the device, which you don’t normally do.”

The critical vulnerability in the BASH program, widely known as Shellshock, was disclosed on Sept. 24. Attackers quickly began exploiting the software bug using a popular Web scripting framework known as the Common Gateway Interface (CGI). Within the first week, security firm Imperva recorded more than 36,000 campaigns seeking out and attacking systems with the vulnerability.

In October, security firm FireEye warned that attackers had also begun targeting QNAP network attached storage (NAS) systems through its CGI scripts.

“All the targets we have observed thus far have been openly accessible QNAP NAS systems hosted on networks belonging to universities and research institutes in Japan and Korea, as well as one in the U.S.,” FireEye said in its own analysis in October.

Adding automatic propagation to the attack quickens the spread of the backdoor program, but also makes the attack more obvious. Many NAS systems are designed to be connected directly to the Internet, giving attackers a large population of targets.

While QNAP warned systems administrators to disconnect the devices until they patched the systems, the SANS Institute’s Ullrich recommended that such devices be placed behind a firewall, at the very least.

“The features are designed with them being exposed, however,” he said. “They do not come to a big warning to not connect them to the Internet, just the opposite.”

The compromised QNAP servers not only scans for new victims, but also conduct advertising click-fraud, a scam that generates affiliate ad revenue by clicking on advertising links.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.