Blog

Digging Into ShellShock Exploitation Attempts Using ShockPot Data

A detailed writeup on ShellShock exploitation attempts captured by ThreatStream's open source ShockPot honeypot. Used Modern Honey Network (MHN) for all data collection and analysis.

Greg Martin
September 29, 2014
Table of contents
<p>Late last week we developed and relasesed a new open source honeypot, <a href="https://github.com/threatstream/shockpot">Shockpot</a>, designed to mimic servers vulnerable to ShellShock (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>) and automatically download payloads from exploitation attempts.  In this blog post we characterize the attacks our global deployment of Shockpot honeypots saw as well as the payloads they were able to pull down.</p><h2>Exploitation Attempts Seen</h2><p>The exploit attempts we saw could be categorized into three buckets:</p><ul><li>Simple vulnerability tests</li><li>Simple vulnerability tests that caused outbound traffic</li><li>True exploitation attempts that causes malware to be downloaded and executed</li></ul><h3>Simple Tests for the vulnerability</h3><p>These requests either echoed text to stdout, executed a command such as uname, or attempted to cause a measurable delay in the page load time by using sleep commands.  We speculate these attempts are mostly security researchers or someone trying to gather global metrics on this vulnerability.  Most of these exact requests were seen across most of our geo-dispersed honeypots.  Duplicate requests have been removed and the honeypot IPs have been anonymized.</p><p><strong>IPs Involved:</strong></p><ul><li>    128.199.223.129 (Singapore; Digial Ocean)</li><li>    192.99.247.174 (Canda; OVH Hosting)</li><li>    193.0.200.134 (Russia; MediaServicePlus Ltd.)</li><li>    54.251.83.67 (Sinapore; Amazon.com Tech Telecom)</li></ul><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/d3eb1a5cf5ef0b6a1cef.js"></script> <h3>Simple vulnerability tests that caused outbound traffic:</h3><p>All of these requests caused the honeypots to attempt outbound connections by using wget, curl, or UNIX's tcp/udp device.  ShockPot is designed to detect these types of exploitation attempts and it actually reaches out and makes network connections to mimic a truly vulnerable system.  </p><p><strong>IPs Invloved:</strong></p><p>    192.99.247.174 (Canda; OVH Hosting)<br/>     37.48.65.71 (Netherlands: LeaseWeb B.V.)<br/>     82.221.128.206 (Iceland; THOR Data Center ehf)</p><p><strong>Servers involved:</strong></p><p>    vulnerable.shellshocker.net/192.99.247.174 (Canada; OVH Hosting)<br/>     107.170.77.222 (New York, US; Digital Ocean)<br/>     82.221.105.197 (Iceland; THOR Data Center ehf)</p><p><strong>HTTP Requests</strong></p> <script src="https://gist.github.com/jt6211/c0fc8524896ce5fd7a3f.js"></script> <h3>True Exploitation Attempts:</h3><p>All of these requests attempted to exploit the vulnerability in order to download and execute malicious code.  ShockPot is designed to detect these types of exploitation attempts and it will download the payloads for analysis.   More on this later.  Most of these exploitation attempts were seen across almost all of our honeypots - meaning these scans are likely occurring broadly across the entire Internet.  All of these exploitation attempts downloaded malicious code in the form of DDoS bots, IRC bots, or simple reverse shells.  Most of these malicious payloads are now detected by VirusTotal (see links to VT reports below).</p><p><strong>IPs Involved:</strong><br/>     103.10.87.220 (China; Elink-space (Beijing) Technology Co,. Ltd)<br/>     121.9.244.212 (China; China Telecom Guangdong)<br/>     202.122.21.106 (India; Karuturi Telecom Pvt Ltd)<br/>     217.72.242.16 (United Kingdom; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     63.131.141.125 (San Antonia, TX, USA; DataPipe)<br/>     67.227.0.73 (Las Vegas, NV, USA; Colocation America Corporation)<br/>     70.42.149.71 (Falls Church, VA, USA; Internap Network Services Corporation)<br/>     75.148.216.82 (Houston, TX, USA; Comcast Business Communications)<br/>     82.97.19.69 (France; TAS France)<br/>     94.32.106.53 (Italy; Tiscali B2B)</p><p><strong>Dropper Servers Involved:</strong><br/>     74.201.85.69 (Long Beach, CA, USA; Internap Network Services Corporation)<br/>     stablehost.us (Does not resolve)<br/>     sbd.awardspace.com/83.125.22.143 (Germany; AttractSoft GmbH)<br/>     174.143.240.43 (San Antonio, TX, USA; Rackspace Hosting)<br/>     70.246.162.102 (Tulas, OK, USA; Perimeter Technology Center, LLC)</p><p><strong>C2 Servers (from downloaded payloads):</strong><br/>     us.bot.nu/64.106.253.226 (Jersey City, NJ, USA; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     stablehost.us (Does not resolve)<br/>     3.4.5.6    (Farfield, VA, USA)</p><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/30ee4a0db160478c0392.js"></script> <h2>Payloads Downloaded</h2><p>Many of the exploitation attempts caused our honeypots to download payloads that the attackers intended to execute. Our honeypots captured these files for analysis.</p><p>For the sake of brevity we are not going to post the full code of all the payloads retrieved here. They can be found on my Github account as gists <a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1">here</a> and are listed out individually below along with links to VirusTotal reports. Most of these are identified as one of the following: Mal/PerlBot-A, Perl.Pircbot, PERL_SHELLBOT.CE, PERL/ShellBot, Backdoor.Perl.Shellbot.F, or Perl.Shellbot.T.</p><ul><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-pl">f96b9106798be1160fcffb1d172e33b1.pl</a>: <a href="https://www.virustotal.com/en/file/95958316ddb78d11f8d2cdd17a98651f7bd69c1c6dc3a89313095eb1dd12b371/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-decoded-pl">f96b9106798be1160fcffb1d172e33b1-decoded.pl</a>: <a href="https://www.virustotal.com/en/file/d8187b19612392ee3e0653a11ac0ad3b49f7bb83c4844f2145310ae08d024f4d/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-16fea67dfbcbdf04086ec3b3f0687b7b-pl">16fea67dfbcbdf04086ec3b3f0687b7b.pl</a>: <a href="https://www.virustotal.com/en/file/6e02c58949426a5455322b017e63dd7fc6228598029a150812360a6687b93e72/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-2120361f5e06e89e9387d044c7b0e7b0-sh">2120361f5e06e89e9387d044c7b0e7b0.sh</a>: <a href="https://www.virustotal.com/en/file/1bd24270449047e2d0df9f7a5ecf58fd0647e25b55328c52c6cff6629a118530/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-80676378ccc1a7a5fba723886a0a1aea-pl">80676378ccc1a7a5fba723886a0a1aea.pl</a>: <a href="https://www.virustotal.com/en/file/cf21577105ad3efa6c4e98a20b28cc4dbcf7b94a208bf97e61a4dde5fc59ee0e/analysis/">VT report</a></li></ul><p>If you are interested in deploying <a href="https://github.com/threatstream/shockpot">ShockPot</a> or any other honeypots in your network, check out ThreatStream's Modern Honey Network (MHN), our open source (GPLv3) honeypot management platform.  See MHN's <a href="http://threatstream.github.io/mhn/">website</a> or <a href="https://github.com/threatstream/mhn">github repository</a> for more details.  </p>
Greg Martin

Greg Martin is the founder of Anomali (formerly ThreatStream) and currently serves as a strategic advisor. Greg is a cybersecurity expert with over 15 years industry experience. He has held CISO, product, consulting, and management roles over the span of his career. He was actively involved battling cyber criminals as a technical adviser to the FBI, the United States Secret Service, and NASA, and has consulted with numerous Fortune 500 companies as a practice-leading consultant for ArcSight (acquired by HP).

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

September 29, 2014
-
Greg Martin
,

Digging Into ShellShock Exploitation Attempts Using ShockPot Data

<p>Late last week we developed and relasesed a new open source honeypot, <a href="https://github.com/threatstream/shockpot">Shockpot</a>, designed to mimic servers vulnerable to ShellShock (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>) and automatically download payloads from exploitation attempts.  In this blog post we characterize the attacks our global deployment of Shockpot honeypots saw as well as the payloads they were able to pull down.</p><h2>Exploitation Attempts Seen</h2><p>The exploit attempts we saw could be categorized into three buckets:</p><ul><li>Simple vulnerability tests</li><li>Simple vulnerability tests that caused outbound traffic</li><li>True exploitation attempts that causes malware to be downloaded and executed</li></ul><h3>Simple Tests for the vulnerability</h3><p>These requests either echoed text to stdout, executed a command such as uname, or attempted to cause a measurable delay in the page load time by using sleep commands.  We speculate these attempts are mostly security researchers or someone trying to gather global metrics on this vulnerability.  Most of these exact requests were seen across most of our geo-dispersed honeypots.  Duplicate requests have been removed and the honeypot IPs have been anonymized.</p><p><strong>IPs Involved:</strong></p><ul><li>    128.199.223.129 (Singapore; Digial Ocean)</li><li>    192.99.247.174 (Canda; OVH Hosting)</li><li>    193.0.200.134 (Russia; MediaServicePlus Ltd.)</li><li>    54.251.83.67 (Sinapore; Amazon.com Tech Telecom)</li></ul><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/d3eb1a5cf5ef0b6a1cef.js"></script> <h3>Simple vulnerability tests that caused outbound traffic:</h3><p>All of these requests caused the honeypots to attempt outbound connections by using wget, curl, or UNIX's tcp/udp device.  ShockPot is designed to detect these types of exploitation attempts and it actually reaches out and makes network connections to mimic a truly vulnerable system.  </p><p><strong>IPs Invloved:</strong></p><p>    192.99.247.174 (Canda; OVH Hosting)<br/>     37.48.65.71 (Netherlands: LeaseWeb B.V.)<br/>     82.221.128.206 (Iceland; THOR Data Center ehf)</p><p><strong>Servers involved:</strong></p><p>    vulnerable.shellshocker.net/192.99.247.174 (Canada; OVH Hosting)<br/>     107.170.77.222 (New York, US; Digital Ocean)<br/>     82.221.105.197 (Iceland; THOR Data Center ehf)</p><p><strong>HTTP Requests</strong></p> <script src="https://gist.github.com/jt6211/c0fc8524896ce5fd7a3f.js"></script> <h3>True Exploitation Attempts:</h3><p>All of these requests attempted to exploit the vulnerability in order to download and execute malicious code.  ShockPot is designed to detect these types of exploitation attempts and it will download the payloads for analysis.   More on this later.  Most of these exploitation attempts were seen across almost all of our honeypots - meaning these scans are likely occurring broadly across the entire Internet.  All of these exploitation attempts downloaded malicious code in the form of DDoS bots, IRC bots, or simple reverse shells.  Most of these malicious payloads are now detected by VirusTotal (see links to VT reports below).</p><p><strong>IPs Involved:</strong><br/>     103.10.87.220 (China; Elink-space (Beijing) Technology Co,. Ltd)<br/>     121.9.244.212 (China; China Telecom Guangdong)<br/>     202.122.21.106 (India; Karuturi Telecom Pvt Ltd)<br/>     217.72.242.16 (United Kingdom; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     63.131.141.125 (San Antonia, TX, USA; DataPipe)<br/>     67.227.0.73 (Las Vegas, NV, USA; Colocation America Corporation)<br/>     70.42.149.71 (Falls Church, VA, USA; Internap Network Services Corporation)<br/>     75.148.216.82 (Houston, TX, USA; Comcast Business Communications)<br/>     82.97.19.69 (France; TAS France)<br/>     94.32.106.53 (Italy; Tiscali B2B)</p><p><strong>Dropper Servers Involved:</strong><br/>     74.201.85.69 (Long Beach, CA, USA; Internap Network Services Corporation)<br/>     stablehost.us (Does not resolve)<br/>     sbd.awardspace.com/83.125.22.143 (Germany; AttractSoft GmbH)<br/>     174.143.240.43 (San Antonio, TX, USA; Rackspace Hosting)<br/>     70.246.162.102 (Tulas, OK, USA; Perimeter Technology Center, LLC)</p><p><strong>C2 Servers (from downloaded payloads):</strong><br/>     us.bot.nu/64.106.253.226 (Jersey City, NJ, USA; DataPipe)<br/>     46.246.34.82 (Sweden; CYBERDYNE)<br/>     stablehost.us (Does not resolve)<br/>     3.4.5.6    (Farfield, VA, USA)</p><p><strong>HTTP Requests:</strong></p> <script src="https://gist.github.com/jt6211/30ee4a0db160478c0392.js"></script> <h2>Payloads Downloaded</h2><p>Many of the exploitation attempts caused our honeypots to download payloads that the attackers intended to execute. Our honeypots captured these files for analysis.</p><p>For the sake of brevity we are not going to post the full code of all the payloads retrieved here. They can be found on my Github account as gists <a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1">here</a> and are listed out individually below along with links to VirusTotal reports. Most of these are identified as one of the following: Mal/PerlBot-A, Perl.Pircbot, PERL_SHELLBOT.CE, PERL/ShellBot, Backdoor.Perl.Shellbot.F, or Perl.Shellbot.T.</p><ul><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-pl">f96b9106798be1160fcffb1d172e33b1.pl</a>: <a href="https://www.virustotal.com/en/file/95958316ddb78d11f8d2cdd17a98651f7bd69c1c6dc3a89313095eb1dd12b371/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-f96b9106798be1160fcffb1d172e33b1-decoded-pl">f96b9106798be1160fcffb1d172e33b1-decoded.pl</a>: <a href="https://www.virustotal.com/en/file/d8187b19612392ee3e0653a11ac0ad3b49f7bb83c4844f2145310ae08d024f4d/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-16fea67dfbcbdf04086ec3b3f0687b7b-pl">16fea67dfbcbdf04086ec3b3f0687b7b.pl</a>: <a href="https://www.virustotal.com/en/file/6e02c58949426a5455322b017e63dd7fc6228598029a150812360a6687b93e72/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-2120361f5e06e89e9387d044c7b0e7b0-sh">2120361f5e06e89e9387d044c7b0e7b0.sh</a>: <a href="https://www.virustotal.com/en/file/1bd24270449047e2d0df9f7a5ecf58fd0647e25b55328c52c6cff6629a118530/analysis/">VT report</a></li><li><a href="https://gist.github.com/jt6211/9814062ccf4f02a925a1#file-80676378ccc1a7a5fba723886a0a1aea-pl">80676378ccc1a7a5fba723886a0a1aea.pl</a>: <a href="https://www.virustotal.com/en/file/cf21577105ad3efa6c4e98a20b28cc4dbcf7b94a208bf97e61a4dde5fc59ee0e/analysis/">VT report</a></li></ul><p>If you are interested in deploying <a href="https://github.com/threatstream/shockpot">ShockPot</a> or any other honeypots in your network, check out ThreatStream's Modern Honey Network (MHN), our open source (GPLv3) honeypot management platform.  See MHN's <a href="http://threatstream.github.io/mhn/">website</a> or <a href="https://github.com/threatstream/mhn">github repository</a> for more details.  </p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.