Digging Into ShellShock Exploitation Attempts Using ShockPot Data

<p>Late last week we developed and relasesed a new open source honeypot, <a href="https://github.com/threatstream/shockpot">Shockpot</a>, designed to mimic servers vulnerable to ShellShock (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>) and automatically download payloads from exploitation attempts.  In this blog post we characterize the attacks our global deployment of Shockpot honeypots saw as well as the payloads they were able to pull down.</p><h2>Exploitation Attempts Seen</h2><p>The exploit attempts we saw could be categorized into three buckets:</p><ul><li>Simple vulnerability tests</li><li>Simple vulnerability tests that caused outbound traffic</li><li>True exploitation attempts that causes malware to be downloaded and executed</li></ul><h3>Simple Tests for the vulnerability</h3><p>These requests either echoed text to stdout, executed a command such as uname, or attempted to cause a measurable delay in the page load time by using sleep commands.  We speculate these attempts are mostly security researchers or someone trying to gather global metrics on this vulnerability.  Most of these exact requests were seen across most of our geo-dispersed honeypots.  Duplicate requests have been removed and the honeypot IPs have been anonymized.</p><p><strong>IPs Involved:</strong></p><ul><li>    128.199.223.129 (Singapore; Digial Ocean)</li><li>    192.99.247.174 (Canda; OVH Hosting)</li><li>    193.0.200.134 (Russia; MediaServicePlus Ltd.)</li><li>    54.251.83.67 (Sinapore; Amazon.com Tech Telecom)</li></ul><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/d3eb1a5cf5ef0b6a1cef.js"></script> <h3>Simple vulnerability tests that caused outbound traffic:</h3><p>All of these requests caused the honeypots to attempt outbound connections by using wget, curl, or UNIX's tcp/udp device.  ShockPot is designed to detect these types of exploitation attempts and it actually reaches out and makes network connections to mimic a truly vulnerable system.  </p><p><strong>IPs Invloved:</strong></p><p>    192.99.247.174 (Canda; OVH Hosting)<br/>     37.48.65.71 (Netherlands: LeaseWeb B.V.)<br/>     82.221.128.206 (Iceland; THOR Data Center ehf)</p><p><strong>Servers involved:</strong></p><p>    vulnerable.shellshocker.net/192.99.247.174 (Canada; OVH Hosting)<br/>     107.170.77.222 (New York, US; Digital Ocean)<br/>     82.221.105.197 (Iceland; THOR Data Center ehf)</p><p><strong>HTTP Requests</strong></p> <script src="https://gist.github.com/jt6211/c0fc8524896ce5fd7a3f.js"></script> <h3>True Exploitation Attempts:</h3><p>All of these requests attempted to exploit the vulnerability in order to download and execute malicious code.  ShockPot is designed to detect these types of exploitation attempts and it will download the payloads for analysis.   More on this later.  Most of these exploitation attempts were seen across almost all of our honeypots - meaning these scans are likely occurring broadly across the entire Internet.  All of these exploitation attempts downloaded malicious code in the form of DDoS bots, IRC bots, or simple reverse shells.  Most of these malicious payloads are now detected by VirusTotal (see links to VT reports below).</p><p><strong>IPs Involved:</strong><br/>     103.10.87.220 (China; Elink-space (Beijing) Technology Co,. Ltd)<br/>     121.9.244.212 (China; China Telecom Guangdong)<br/>     202.122.21.106 (India; Karuturi Telecom Pvt Ltd)<br/>     217.72.242.16 (United Kingdom; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     63.131.141.125 (San Antonia, TX, USA; DataPipe)<br/>     67.227.0.73 (Las Vegas, NV, USA; Colocation America Corporation)<br/>     70.42.149.71 (Falls Church, VA, USA; Internap Network Services Corporation)<br/>     75.148.216.82 (Houston, TX, USA; Comcast Business Communications)<br/>     82.97.19.69 (France; TAS France)<br/>     94.32.106.53 (Italy; Tiscali B2B)</p><p><strong>Dropper Servers Involved:</strong><br/>     74.201.85.69 (Long Beach, CA, USA; Internap Network Services Corporation)<br/>     stablehost.us (Does not resolve)<br/>     sbd.awardspace.com/83.125.22.143 (Germany; AttractSoft GmbH)<br/>     174.143.240.43 (San Antonio, TX, USA; Rackspace Hosting)<br/>     70.246.162.102 (Tulas, OK, USA; Perimeter Technology Center, LLC)</p><p><strong>C2 Servers (from downloaded payloads):</strong><br/>     us.bot.nu/64.106.253.226 (Jersey City, NJ, USA; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     stablehost.us (Does not resolve)<br/>     3.4.5.6    (Farfield, VA, USA)</p><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/30ee4a0db160478c0392.js"></script> <h2>Payloads Downloaded</h2><p>Many of the exploitation attempts caused our honeypots to download payloads that the attackers intended to execute. Our honeypots captured these files for analysis.</p><p>For the sake of brevity we are not going to post the full code of all the payloads retrieved here. They can be found on my Github account as gists <a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1">here</a> and are listed out individually below along with links to VirusTotal reports. Most of these are identified as one of the following: Mal/PerlBot-A, Perl.Pircbot, PERL_SHELLBOT.CE, PERL/ShellBot, Backdoor.Perl.Shellbot.F, or Perl.Shellbot.T.</p><ul><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-pl">f96b9106798be1160fcffb1d172e33b1.pl</a>: <a href="https://www.virustotal.com/en/file/95958316ddb78d11f8d2cdd17a98651f7bd69c1c6dc3a89313095eb1dd12b371/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-decoded-pl">f96b9106798be1160fcffb1d172e33b1-decoded.pl</a>: <a href="https://www.virustotal.com/en/file/d8187b19612392ee3e0653a11ac0ad3b49f7bb83c4844f2145310ae08d024f4d/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-16fea67dfbcbdf04086ec3b3f0687b7b-pl">16fea67dfbcbdf04086ec3b3f0687b7b.pl</a>: <a href="https://www.virustotal.com/en/file/6e02c58949426a5455322b017e63dd7fc6228598029a150812360a6687b93e72/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-2120361f5e06e89e9387d044c7b0e7b0-sh">2120361f5e06e89e9387d044c7b0e7b0.sh</a>: <a href="https://www.virustotal.com/en/file/1bd24270449047e2d0df9f7a5ecf58fd0647e25b55328c52c6cff6629a118530/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-80676378ccc1a7a5fba723886a0a1aea-pl">80676378ccc1a7a5fba723886a0a1aea.pl</a>: <a href="https://www.virustotal.com/en/file/cf21577105ad3efa6c4e98a20b28cc4dbcf7b94a208bf97e61a4dde5fc59ee0e/analysis/">VT report</a></li></ul><p>If you are interested in deploying <a href="https://github.com/threatstream/shockpot">ShockPot</a> or any other honeypots in your network, check out ThreatStream's Modern Honey Network (MHN), our open source (GPLv3) honeypot management platform.  See MHN's <a href="http://threatstream.github.io/mhn/">website</a> or <a href="https://github.com/threatstream/mhn">github repository</a> for more details.  </p>