Slightly more than a week after the bug's disclosure, the attacks on domains might have already peaked, according to new research.
Slightly more than a week after the bug's disclosure, the attacks on domains might have already peaked, according to new research.

Shellshock is continuing to make waves in the digital world, but if new research is any indication, scans for the bug seem to be slowing down and attacks might have already peaked.

Attacks on domains reached its height in the days following the bug's disclosure on Sept. 24. One study by Akamai researchers found that targeted domain attacks reached a high of 8,021 only three days later. The following day, Sept. 28, those domain attacks were cut nearly in half, dropping to 4,576.

Michael Smith, CSIRT director at Akamai, attributes the drop to users scanning their own systems immediately after finding out about the bug. The tapering off could be indicative of more effective patching, or a clear assessment of affected devices already being performed. However, Smith wasn't completely sure this was the case.

“But it [the drop] also reminds me that correlation is not causation,” Smith said in an interview with SCMagazine.com. “Although it indicates that might be what's happening.”

The same was also seen in the unique payload attacks per day. On Sept. 27, the number peaked at 20,753. A day later, it was down to 15,071.

For attackers, Bash bug might have initially seemed to open up a new playing ground to explore post-Heartbleed, but in reality, vulnerable systems are difficult to find in the wild.

“It's more difficult to exploit the bash bug, but if you're successful, it can be more severe,” said Ben Feinstein, director of operation and development for the Dell SecureWorks Counter Threat Unit, in a Thursday interview with SCMagazine.com

If an exploitable device is found, attackers can execute commands, whereas with Heartbleed, a successful attack could turn over information, such as passwords or encryption keys, wrote Dennis Dwyer, senior security researcher for the Counter Threat research team, in an email correspondence with SCMagazine.com. Attackers can use recycled script, for instance, but ultimately, finding those devices proves difficult. This could become an attack deterrent.

Still, compared to Heartbleed, the level of expertise required to exploit Bash is significantly less, which could make it attractive to attackers. Some experts expect the attacks might dwindle, though.

“Potentially, people have completed their scans and learned what they wanted to learn,” Dwyer said. “There will always be threat actors out there exploiting the Bash vulnerability, and it will slowly taper off over time.”