Worm Burrows Into Storage Servers Via Shellshock Flaw | eWeek

Worm Burrows Into Storage Servers Via Shellshock Flaw

Shellshock vulnerability
Écrit par
Robert Lemos
Robert Lemos
Dec 17, 2014
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Attackers are targeting a popular brand of network-attached storage (NAS) systems using the well-known Shellshock vulnerability to compromise the devices and install a backdoor that automatically scans for more potential victims, according to security researchers.

The attack, which qualifies as a worm, uses a previously known vulnerability in popular NAS devices made by QNAP, according to an analysis published by the SANS Institute. While the Shellshock vulnerability affects the Bourne Again Shell (BASH), a popular terminal program on Linux and Unix systems, attackers can trigger the vulnerability through other programs that use the shell for scripting. In this case, the attack exploits a Web script on the QNAP storage servers.

Storage systems—many of which have a built-in Web server as a management interface—will continue to be a popular target of attackers because they typically house valuable data, Johannes Ullrich, dean of research for the SANS Technology Institute, told eWEEK.

“They are pretty capable servers, but also rich in vulnerabilities and there typically is no easy way to patch them,” he said. “Also, there is no alert [that a patch is available] unless you connect to the device, which you don’t normally do.”

The critical vulnerability in the BASH program, widely known as Shellshock, was disclosed on Sept. 24. Attackers quickly began exploiting the software bug using a popular Web scripting framework known as the Common Gateway Interface (CGI). Within the first week, security firm Imperva recorded more than 36,000 campaigns seeking out and attacking systems with the vulnerability.

In October, security firm FireEye warned that attackers had also begun targeting QNAP network attached storage (NAS) systems through its CGI scripts.

“All the targets we have observed thus far have been openly accessible QNAP NAS systems hosted on networks belonging to universities and research institutes in Japan and Korea, as well as one in the U.S.,” FireEye said in its own analysis in October.

Adding automatic propagation to the attack quickens the spread of the backdoor program, but also makes the attack more obvious. Many NAS systems are designed to be connected directly to the Internet, giving attackers a large population of targets.

While QNAP warned systems administrators to disconnect the devices until they patched the systems, the SANS Institute’s Ullrich recommended that such devices be placed behind a firewall, at the very least.

“The features are designed with them being exposed, however,” he said. “They do not come to a big warning to not connect them to the Internet, just the opposite.”

The compromised QNAP servers not only scans for new victims, but also conduct advertising click-fraud, a scam that generates affiliate ad revenue by clicking on advertising links.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.