Simply patching systems against the Bash/Shellshock vulnerability may not be adequate. Attacks exploiting the flaw appeared within a day of its disclosure. Those attacks may have made changes to systems that would not be remedied by the application of a patch. The problem is due in part to the incomplete patches that were issued initially. Attackers reportedly exploited Bash/Shellshock to create a botnet for a phishing campaign against Spanish-speaking Citibank customers. Many of the compromised machines are running Linux. The command-and-control server for the botnet has been taken offline.
Is it likely that bash code is worse than all the other code that we are using, or are we only finding these problems here because this is where we are looking? We are here because, at least collectively, this is where we chose to be.
source: SANS Institute