First Impression
While browsing today's reports from my honeynet, I noticed not one, but two abnormally large scans had occurred. 430 events is rather high for a simple HTTP scan, especially one which yields nothing in return to each request. The discrepancy of two in the counts is also curious. A quick query on the distinct field "REDIRECT_URL" shows two entries which each have a count just one higher than the rest.
wallet.old.bkp and cgminer.tgz are both items most likely related to cryptocurrency. CGMiner is a cryptocurrency miner, and wallet.old.bkp appears to reference a backup of a cryptocurrency wallet. CGMiner is often observed as a common payload in broad scanning attacks.
The Requests
A quick query for the rest of the requests gives us further insight into the intent. In the list below, each path has its event count appended (2 for most entries; 3 for cgminer.tgz and wallet.old.bkp).
List of Requests
/checknfurl123 /.365coin/365coin.conf /365coin.7z2 /365coin.bkp2 /365coin.bz22 /365coin.conf2 /365coin.dump2 /365coin.gz2 /365coin.lzma2 /365coin.rar2 /365coin.tar2 /365coin.tar.bz2 /365coin.tar.bz22 /365coin.tar.gz2 /365coin.tar.lzma2 /365coin.tar.xz2 /365coin.tbz2 /365coin.tbz22 /365coin.tgz2 /365coin.txz2 /365coin.xz2 /365coin.zip2 /backups/wallet.dat2 /backup.wallet.7z2 /backup.wallet.bkp2 /backup.wallet.bz22 /backup/wallet.dat2 /backup.wallet.dump2 /backup.wallet.gz2 /backup.wallet.lzma2 /backup.wallet.rar2 /backup.wallet.tar2 /backup.wallet.tar.bz2 /backup.wallet.tar.bz22 /backup.wallet.tar.gz2 /backup.wallet.tar.lzma2 /backup.wallet.tar.xz2 /backup.wallet.tbz2 /backup.wallet.tbz22 /backup.wallet.tgz2 /backup.wallet.txz2 /backup.wallet.xz2 /backup.wallet.zip2 /bfgminer.7z2 /.bfgminer/bfgminer.conf2 /bfgminer.bkp2 /bfgminer.bz22 /bfgminer.conf2 /bfgminer.dump2 /bfgminer.gz2 /bfgminer.lzma2 /bfgminer.rar2 /bfgminer.tar2 /bfgminer.tar.bz2 /bfgminer.tar.bz22 /bfgminer.tar.gz2 /bfgminer.tar.lzma2 /bfgminer.tar.xz2 /bfgminer.tbz2 /bfgminer.tbz22 /bfgminer.tgz2 /bfgminer.txz2 /bfgminer.xz2 /bfgminer.zip2 /bitcoin01.dat2 /bitcoin.7z2 /.bitcoin/bitcoin.conf2 /bitcoin.bkp2 /bitcoin.bz22 /bitcoin.conf2 /bitcoind.7z2 /bitcoin.dat2 /bitcoind.bkp2 /bitcoind.bz22 /bitcoind.dump2 /bitcoind.gz2 /bitcoind.lzma2 /bitcoind.rar2 /bitcoind.tar2 /bitcoind.tar.bz2 /bitcoind.tar.bz22 /bitcoind.tar.gz2 /bitcoind.tar.lzma2 /bitcoind.tar.xz2 /bitcoind.tbz2 /bitcoind.tbz22 /bitcoind.tgz2 /bitcoind.txz2 /bitcoin.dump2 /bitcoind.xz2 /bitcoind.zip2 /bitcoin.gz2 /bitcoin.lzma2 /bitcoin.rar2 /bitcoin.tar2 /bitcoin.tar.bz2 /bitcoin.tar.bz22 /bitcoin.tar.gz2 /bitcoin.tar.lzma2 /bitcoin.tar.xz2 /bitcoin.tbz2 /bitcoin.tbz22 /bitcoin.tgz2 /bitcoin.txz2 /.bitcoin/wallet.dat2 /bitcoin.xz2 /bitcoin.zip2 /blockchain.7z2 /blockchain.bkp2 /blockchain.bz22 /blockchain.dump2 /blockchain.gz2 /blockchain.lzma2 /blockchain.rar2 /blockchain.tar2 /blockchain.tar.bz2 /blockchain.tar.bz22 /blockchain.tar.gz2 
/blockchain.tar.lzma2 /blockchain.tar.xz2 /blockchain.tbz2 /blockchain.tbz22 /blockchain.tgz2 /blockchain.txz2 /blockchain.xz2 /blockchain.zip2 /btc.7z2 /btc.bkp2 /btc.bz22 /btc.dat2 /btc.dump2 /btc.gz2 /btc.lzma2 /btc.rar2 /btc.tar2 /btc.tar.bz2 /btc.tar.bz22 /btc.tar.gz2 /btc.tar.lzma2 /btc.tar.xz2 /btc.tbz2 /btc.tbz22 /btc.tgz2 /btc.txz2 /btc.xz2 /btc.zip2 /cgminer.7z2 /cgminer.bkp2 /cgminer.bz22 /.cgminer/cgminer.conf2 /cgminer.conf2 /cgminer.dump2 /cgminer.gz2 /cgminer.lzma2 /cgminer.rar2 /cgminer.tar2 /cgminer.tar.bz2 /cgminer.tar.bz22 /cgminer.tar.gz2 /cgminer.tar.lzma2 /cgminer.tar.xz2 /cgminer.tbz2 /cgminer.tbz22 /cgminer.txz2 /cgminer.xz2 /cgminer.zip2 /coin.7z2 /coin.bkp2 /coin.bz22 /coin.dat2 /coin.dump2 /coin.gz2 /coin.lzma2 /coin.rar2 /coins.7z2 /coins.bkp2 /coins.bz22 /coins.dat2 /coins.dump2 /coins.gz2 /coins.lzma2 /coins.rar2 /coins.tar2 /coins.tar.bz2 /coins.tar.bz22 /coins.tar.gz2 /coins.tar.lzma2 /coins.tar.xz2 /coins.tbz2 /coins.tbz22 /coins.tgz2 /coins.txz2 /coins.xz2 /coins.zip2 /coin.tar2 /coin.tar.bz2 /coin.tar.bz22 /coin.tar.gz2 /coin.tar.lzma2 /coin.tar.xz2 /coin.tbz2 /coin.tbz22 /coin.tgz2 /coin.txz2 /coin.xz2 /coin.zip2 /feathercoin.conf2 /.feathercoin/wallet.dat2 /litecoin.7z2 /.litecoin/bitcoin.conf2 /litecoin.bkp2 /litecoin.bz22 /litecoin.conf2 /litecoin.dat2 /litecoin.dump2 /litecoin.gz2 /.litecoin/litecoin.conf2 /litecoin.lzma2 /litecoin.rar2 /litecoin.tar2 /litecoin.tar.bz2 /litecoin.tar.bz22 /litecoin.tar.gz2 /litecoin.tar.lzma2 /litecoin.tar.xz2 /litecoin.tbz2 /litecoin.tbz22 /litecoin.tgz2 /litecoin.txz2 /.litecoin/wallet.dat2 /litecoin.xz2 /litecoin.zip2 /money.7z2 /money.bkp2 /money.bz22 /money.dump2 /money.gz2 /money.lzma2 /money.rar2 /money.tar2 /money.tar.bz2 /money.tar.bz22 /money.tar.gz2 /money.tar.lzma2 /money.tar.xz2 /money.tbz2 /money.tbz22 /money.tgz2 /money.txz2 /money.xz2 /money.zip2 /namecoin.7z2 /.namecoin/bitcoin.conf2 /namecoin.bkp2 /namecoin.bz22 /namecoin.conf2 /namecoin.dat2 /namecoin.dump2 /namecoin.gz2 
/namecoin.lzma2 /.namecoin/namecoin.conf2 /namecoin.rar2 /namecoin.tar2 /namecoin.tar.bz2 /namecoin.tar.bz22 /namecoin.tar.gz2 /namecoin.tar.lzma2 /namecoin.tar.xz2 /namecoin.tbz2 /namecoin.tbz22 /namecoin.tgz2 /namecoin.txz2 /.namecoin/wallet.dat2 /namecoin.xz2 /namecoin.zip2 /novacoin.7z2 /.novacoin/bitcoin.conf2 /novacoin.bkp2 /novacoin.bz22 /novacoin.conf2 /novacoin.dump2 /novacoin.gz2 /novacoin.lzma2 /.novacoin/novacoin.conf2 /novacoin.rar2 /novacoin.tar2 /novacoin.tar.bz2 /novacoin.tar.bz22 /novacoin.tar.gz2 /novacoin.tar.lzma2 /novacoin.tar.xz2 /novacoin.tbz2 /novacoin.tbz22 /novacoin.tgz2 /novacoin.txz2 /.novacoin/wallet.dat2 /novacoin.xz2 /novacoin.zip2 /ppcoin.7z2 /.ppcoin/bitcoin.conf2 /ppcoin.bkp2 /ppcoin.bz22 /ppcoin.conf2 /ppcoin.dump2 /ppcoin.gz2 /ppcoin.lzma2 /.ppcoin/ppcoin.conf2 /ppcoin.rar2 /ppcoin.tar2 /ppcoin.tar.bz2 /ppcoin.tar.bz22 /ppcoin.tar.gz2 /ppcoin.tar.lzma2 /ppcoin.tar.xz2 /ppcoin.tbz2 /ppcoin.tbz22 /ppcoin.tgz2 /ppcoin.txz2 /.ppcoin/wallet.dat2 /ppcoin.xz2 /ppcoin.zip2 /primecoin.7z2 /.primecoin/bitcoin.conf2 /primecoin.bkp2 /primecoin.bz22 /primecoin.conf2 /primecoin.dump2 /primecoin.gz2 /primecoin.lzma2 /.primecoin/primecoin.conf2 /primecoin.rar2 /primecoin.tar2 /primecoin.tar.bz2 /primecoin.tar.bz22 /primecoin.tar.gz2 /primecoin.tar.lzma2 /primecoin.tar.xz2 /primecoin.tbz2 /primecoin.tbz22 /primecoin.tgz2 /primecoin.txz2 /.primecoin/wallet.dat2 /primecoin.xz2 /primecoin.zip2 /terracoin.conf2 /.terracoin/wallet.dat2 /w.7z2 /wallet.7z2 /wallet.bkp2 /wallet.bz22 /_wallet.dat2 /wallet_dat2 /wallet.dat2 /wallet.dat_2 /wallet.dump2 /wallet.gz2 /wallet.lzma2 /wallet.old.7z2 /wallet.old.bz22 /wallet.old.dump2 /wallet.old.gz2 /wallet.old.lzma2 /wallet.old.rar2 /wallet.old.tar2 /wallet.old.tar.bz2 /wallet.old.tar.bz22 /wallet.old.tar.gz2 /wallet.old.tar.lzma2 /wallet.old.tar.xz2 /wallet.old.tbz2 /wallet.old.tbz22 /wallet.old.tgz2 /wallet.old.txz2 /wallet.old.xz2 /wallet.old.zip2 /wallet.rar2 /wallets.7z2 /wallets.bkp2 /wallets.bz22 
/wallets.dump2 /wallets.gz2 /wallets.lzma2 /wallets.rar2 /wallets.tar2 /wallets.tar.bz2 /wallets.tar.bz22 /wallets.tar.gz2 /wallets.tar.lzma2 /wallets.tar.xz2 /wallets.tbz2 /wallets.tbz22 /wallets.tgz2 /wallets.txz2 /wallets/wallet.dat2 /wallets.xz2 /wallets.zip2 /wallet.tar2 /wallet.tar.bz2 /wallet.tar.bz22 /wallet.tar.gz2 /wallet.tar.lzma2 /wallet.tar.xz2 /wallet.tbz2 /wallet.tbz22 /wallet.tgz2 /wallet.txz2 /wallet/wallet.dat2 /wallet.xz2 /wallet.zip2 /w.bkp2 /w.bz22 /w.dat2 /w.dump2 /w.gz2 /w.lzma2 /w.rar2 /w.tar2 /w.tar.bz2 /w.tar.bz22 /w.tar.gz2 /w.tar.lzma2 /w.tar.xz2 /w.tbz2 /w.tbz22 /w.tgz2 /w.txz2 /w.xz2 /w.zip2 /cgminer.tgz3 /wallet.old.bkp3
Relational Events
At this point, it looks like this scan is attempting to find indicators of cryptocurrency use. The /checknfurl123 request also raises more questions. A quick look in my dashboard shows several events which share the /checknfurl123 request, dating back to June 3rd, 2014. An accompanying query seems to confirm that the events which occurred prior to the 16th of June all shared a matching request list.
The query for the requests from those events reveals a scan for various files, such as public and private SSH keys, shell history files, and various others.
List of Requests
/checknfurl123 /id_rsa /id_dsa /rsa /dsa /key /key.priv /id_rsa.old /id_dsa.old /identity /authorized_keys /authorized_keys2 /known_hosts /id_rsa.pub /id_dsa.pub /.ssh/id_rsa /.ssh/id_dsa /.ssh/rsa /.ssh/dsa /.ssh/key /.ssh/priv /.ssh/id_rsa.old /.ssh/id_dsa.old /.ssh/identity /.ssh/authorized_keys /.ssh/authorized_keys2 /.ssh/known_hosts /.ssh/config /.ssh/id_rsa.pub /.ssh/id_dsa.pub /.ssh/id_rsa_2 /.ssh/id_rsa.2 /.ssh/id_dsa_2 /.ssh/id_dsa.2 /.ssh/id_ecdsa /.ssh/id_ecdsa.2 /.ssh/id_ecdsa_2 /.ssh/id_ecdsa_old /.ssh/id_ecdsa.old /id_ecdsa /id_ecdsa.2 /id_ecdsa_2 /id_ecdsa_old /id_ecdsa.old /config /.bash_history /.history /.sh_history
Behavior and Traits
Viewing the request in the dashboard gives us further insight into the rest of the request parameters. A quick Google search for checknfurl123 reveals several people who have also noticed this checknfurl123 trend lately. Here are two examples of the /checknfurl123 request, one from the June 16th cryptocurrency campaign and one from the June 3rd key discovery campaign.
Each request is a nearly identical HTTP/1.1 HEAD method against port 80 for each subsequent URL in the list. The duplicate requests from June 3rd and 4th are explained by the HTTP Host header being enumerated, once as "localhost" and then as the honeypot's proper address. We then ceased to see activity for a week, but the first return on June 11th exhibits the first change in behavior: we no longer see HTTP Host headers of "localhost". When the scanners next return on June 16th, the second behavioral change is observed as the word list is switched from the keys list to the cryptocurrency list.
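As an added example (not the author's honeypot or dashboard code), the script below performs the triage described in this section and in the earlier REDIRECT_URL query over plain web-server log lines: it groups requests by source, counts distinct paths per source, buckets each path as the /checknfurl123 marker, a wallet/miner file name, or an SSH key/history file name, and reports the Host-header enumeration ("localhost" plus the real address) that explains the duplicate events. It assumes an Apache-style LogFormat with the Host header appended as the last field (`%h %l %u %t "%r" %>s %b "%{Host}i"`); the sample lines are constructed, use documentation addresses, and the `min_distinct` threshold is a tuning assumption set low to suit the small sample.

```python
"""Flag wallet-file and SSH-key scanning campaigns in HTTP access logs.

Added example for this post, not the author's tooling. Assumed log
format: %h %l %u %t "%r" %>s %b "%{Host}i" (Host header as last field).
"""
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$'
)

# Marker path seen at the start of both campaigns in the post.
MARKER_PATH = "/checknfurl123"
# Heuristic name fragments drawn from the two request lists above.
WALLET_RE = re.compile(r"(wallet|\bbtc\b|coin|cgminer|bfgminer|blockchain|money)", re.I)
KEY_RE = re.compile(
    r"(id_(rsa|dsa|ecdsa)|authorized_keys|known_hosts|/\.ssh/|_history$|\.history$|\bkey(\.priv)?$)",
    re.I,
)


def classify_path(path: str) -> str:
    """Bucket a request path by which scanner wordlist it resembles."""
    if path == MARKER_PATH:
        return "marker"
    if WALLET_RE.search(path):
        return "wallet"
    if KEY_RE.search(path):
        return "key"
    return "other"


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in our format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class SourceReport:
    ip: str
    requests: int = 0
    paths: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    @property
    def marker_seen(self) -> bool:
        return MARKER_PATH in self.paths

    @property
    def host_enumeration(self) -> bool:
        """True when the same source tried 'localhost' plus at least one other Host."""
        return "localhost" in self.hosts and len(self.hosts) > 1

    def bucket_counts(self) -> dict:
        """Count distinct paths per bucket (distinct, so Host duplicates collapse)."""
        counts = {"marker": 0, "wallet": 0, "key": 0, "other": 0}
        for p in self.paths:
            counts[classify_path(p)] += 1
        return counts

    def campaign(self) -> str:
        """Name the wordlist the scanner appears to be using."""
        c = self.bucket_counts()
        if c["wallet"] == 0 and c["key"] == 0:
            return "none"
        return "wallet-files" if c["wallet"] >= c["key"] else "ssh-keys"


def analyze(lines, min_distinct: int = 25) -> dict:
    """Aggregate per source and return only sources that look like a scan.

    A source is flagged when it sent the marker path, or when it requested at
    least `min_distinct` distinct wallet/key-style paths (threshold is an
    assumption; tune it to the site's normal traffic).
    """
    reports: dict = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate lines in another format instead of crashing
        r = reports.setdefault(rec["ip"], SourceReport(rec["ip"]))
        r.requests += 1
        r.paths.add(rec["path"])
        r.methods.add(rec["method"])
        r.hosts.add(rec["host"])
    flagged = {}
    for ip, r in reports.items():
        c = r.bucket_counts()
        if r.marker_seen or c["wallet"] + c["key"] >= min_distinct:
            flagged[ip] = r
    return flagged


# Constructed sample: a wallet scanner enumerating Host headers, a key
# scanner, one benign visitor, and one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2014:03:12:01 +0000] "HEAD /checknfurl123 HTTP/1.1" 404 - "localhost"
203.0.113.7 - - [16/Jun/2014:03:12:01 +0000] "HEAD /checknfurl123 HTTP/1.1" 404 - "198.51.100.5"
203.0.113.7 - - [16/Jun/2014:03:12:02 +0000] "HEAD /.bitcoin/wallet.dat HTTP/1.1" 404 - "localhost"
203.0.113.7 - - [16/Jun/2014:03:12:02 +0000] "HEAD /.bitcoin/wallet.dat HTTP/1.1" 404 - "198.51.100.5"
203.0.113.7 - - [16/Jun/2014:03:12:03 +0000] "HEAD /wallet.old.bkp HTTP/1.1" 404 - "localhost"
203.0.113.7 - - [16/Jun/2014:03:12:03 +0000] "HEAD /cgminer.tgz HTTP/1.1" 404 - "localhost"
203.0.113.7 - - [16/Jun/2014:03:12:04 +0000] "HEAD /.cgminer/cgminer.conf HTTP/1.1" 404 - "localhost"
203.0.113.9 - - [03/Jun/2014:11:40:10 +0000] "HEAD /.ssh/id_rsa HTTP/1.1" 404 - "198.51.100.5"
203.0.113.9 - - [03/Jun/2014:11:40:10 +0000] "HEAD /.ssh/authorized_keys HTTP/1.1" 404 - "198.51.100.5"
203.0.113.9 - - [03/Jun/2014:11:40:11 +0000] "HEAD /.bash_history HTTP/1.1" 404 - "198.51.100.5"
192.0.2.10 - - [16/Jun/2014:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 512 "198.51.100.5"
this line is not in the expected format
"""

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG.splitlines(), min_distinct=3).items():
        print(f"{ip}: {r.requests} requests, {len(r.paths)} distinct paths, "
              f"methods={sorted(r.methods)}, campaign={r.campaign()}, "
              f"marker={r.marker_seen}, host_enumeration={r.host_enumeration}")
```

Counting distinct paths rather than raw requests is what makes the Host-header duplication visible as a separate signal: the wallet scanner above produces seven log lines but only five distinct paths, and `host_enumeration` explains the difference the same way the post explains the June 3rd and 4th duplicates.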