A computer bug that a Salinas security expert said is infecting computers without the users being aware has the potential to allow hackers to take over an entire device.
Luis Alvarez, president and chief executive of Alvarez Technology Group, said Wednesday that the â€œShellshockâ€ software bug is in some ways more significant than â€œHeartbleed,â€ which began attacking computers last spring. While Heartbleed could be used to steal passwords from a server, Shellshock can be used to take over the entire machine, Alvarez said.
The bug attacks computers running Unix or Linux operating systems, which generally run on larger enterprise-level servers that businesses use. It does not directly attack Windows or Android operating systems, but it is still dangerous for those machines.
A program running on Unix or Linux, called â€œBashâ€ â€“ a sort of a software interpreter that executes commands from a user. On a Windows machine, it is similar to â€œcommand.exe.â€ Itâ€™s clever because it doesnâ€™t act like an attacking virus.
The Bash program thinks itâ€™s just another executable command. But once Bash is infected, Shellshock sends an encrypted message back to the â€œmothershipâ€ residing in Eastern Europe or other locations with lax security. At that point, the hackerâ€™s computer begins to download whatâ€™s called â€œmalware.â€
Malware is short for â€œmalicious software.â€ Malware is any kind of unwanted software installed without your adequate consent. Viruses, worms and Trojan horses are examples of malicious software.
One example of malware Alvarez offered up is â€œkeyloggers.â€ This bug can log what keys you are typing on your keypad. Letâ€™s say you are an Amazon.com customer, and you log into your account. A keylogger will track what keys you hit, providing it with a URL, username and password. The next thing you know, your credit card is debited for thousands of dollars of Amazon merchandise.
So what Shellshock does is open the gate of a Unix or Linus system to let all the malware the hacker wants to download into your computer.
â€œItâ€™s like a back door into someoneâ€™s system,â€ Alvarez said.
If you are running Windows on your home PC, Shellshock wonâ€™t load on your computer. But hereâ€™s the danger: If you are conducting transactions or other activities with a Unix-based server operating a website, for example, and the website server is infected with Shellshock, then all that malware that now has the green light can be downloaded to your PC and begin the dirty work.
An official alert from the National Institute of Standards and Technology warned that that the vulnerability was a 10 out of 10 in terms of its severity, impact and exploitability. At the same time, it is very easy to use by hackers.
There are computer patches available from the particular makers of Unix or Linux operating systems loaded at the time of the computer purchase. The problem, Alvarez said, is that there is no indication anything is wrong with a computer.
This is not something even savvy computer users should attempt by themselves.
â€œThis level of security best left to professionals,â€ Alvarez said. â€œIt might create more problems than you solve.â€
The Department of Homeland Securityâ€™s Computer Emergency Readiness Team advised users and technology administrators to refer to their Linux or Unix-based operating systems suppliers for an appropriate patch.
A piece of advice for Unix and Linux users: If youâ€™re running Bash 4.3 or older, Alvarez recommends upgrading to the most current version.
Dennis L. Taylor covers business and technology for TheCalifornian.com. Follow him on Twitter @taylor_salnews.