Friday, June 27, 2014

Broad Scanners Scanning Broad Scanners

Try saying that five times fast. Well, in sticking with the trend of last week’s post, today we’re going to analyze another broad scanner scanning for broad scanner victims! 

Incident Overview

Ah, a request for “//jmx-console/HtmlAdaptor”. At first glance, it’s evident this scanner is looking for JBoss installations which are typically found on port 8080, and specifically those that are susceptible to the CVE-2010-0738 vulnerability. This is not an uncommon scan, and there are several known bot nets which continue to fight for the remaining vulnerable host’s ownership. However, the reconnaissance scans for this vulnerability often involve a simple HTTP ‘GET’, or ‘HEAD’ request for ‘/’, which then utilizes the response JBoss version header to determine susceptibility. These reconnaissance scans also typically happen, randomly, against either port 80 or 8080, whereas this one statically utilizes port 8080. Also uncommon is the 7 following events. A quick query reveals what they are.

The first requested URI is the one we determined was a CVE-2010-0738 reconnaissance scan. The next request appears to be reconnaissance for a known Apache Tomcat vulnerability, CVE-2009-3843.

The next six requests are for web shells which are commonly placed on machines which have succumbed to one of the many Bot Nets which often thrive on each CVE. Each of these URIs also contains the “comment” parameter, which is the command to be evaluated by the compromised system, within the context of the underlying process, either Apache Tomcat or JBoss. You'll also notice the attempted command is the operating system indiscriminate 'whoami', which will return the username running the underlying process.

The 2nd URI, //manager/html/upload, is an atypical reconnaissance string for the CVE-2009-3843 vulnerability. Seeing as it’s the 2nd most commonly requested URI, right behind ‘/’ and right before ‘’.
Remember, that a request for '/' is the standard URI we expect to see, and is widley utilized for reconnaissance scans. With that in mind, and verifying with other heuristics, CVE-2009-3843 is the most scanned vulnerability the Honey Net has observed.

As noted, the difference between the common CVE-2009-3843 reconnaissance and this one is the addition of the ‘/upload’ string, which is a more direct path to verifying the vulnerabilities existence. Once again, the request is only observed against port 8080, whereas numerous other ports, including port 80, are commonly targeted.

The succeeding six requests are what especially stands out. Not only is this scanner looking for evidence of susceptibility to both CVE-2010-0738, and CVE-2009-3843, but it’s looking for prior compromises against the 2010-0738 JBoss exploit.

Historical Activity

As seen in the database query above, this scanner has scanned us on four separate occasions, June 18th, June 21st, June 23rd, and June 25th. But this is notably only within the context of the HoneyNet. It’s important to enumerate information however possible. In this case, simple Google searches for each of the Web Shells provides insight into this scanners past. Particularly, Project Honey Net has this entry dating all the way back to November 28th, 2013. 

We also find several Access Logs which have been graciously hosted by their admins.

Well, it’s evident this is nothing new. The first set of event logs which indicate the address was previously infected even contains the same User-Agent String from the currently scans. User-Agent strings are often very good identifiers for linking actors between events, especially such a verbose one like this.

This User-Agent may blend in well with normal activity, however its presence with an automated scanner sticks out like a sore thumb. From the Google search we were able to trace this URI Request Pattern, and the User-Agent to the host as far back as December 10th. The replication of this User-Agent heavily suggests it’s static to the specific scanner. The Google Chrome Release Calendar tells us this User-Agent was introduced as early as August 12th, 2013, which suggests the script was assembled at a point in time later than that date. There’s also the log indicating the host was infected and scanning from November 20th, through December 1st. There are numerous other logs found through simply Google searches which map this scanners activity even more thoroughly, but I'll leave that as an exercise to the reader.

Monkey See, Monkey Do

When dealing with broad scanning bot nets, there’s an important concept to remember. The vulnerability that this host is scanning you for, most often is the same it itself has succumbed to.

Running a quick request replay against the source host seems to verify that the source host is itself infected. It also suggests that our attacker is none the wiser to their own games. Remember, practice what you preach, especially if you’re going to randomly preach it to millions of random IPv4 addresses. Non-Intrusive Reconnaissance of the [previously] compromised hosts discovered by Google suggests they’ve been replaced and/or remediated since their involvement.

In Conclusion

It’s evident the attacker doesn’t fully understand what they’re exploiting. From the requests, it’s clear that the attacker is well capable of ascertaining the host’s susceptibility to either vulnerability within the first two requests. However, they then proceed to reveal their intent through the following six events. The attacker also doesn’t fully understand the behavior of their targeted botnets, which often scan more than just port 8080 which is statically chosen in these attacks.

Though the context of this campaign isn't yet known, it leaves significant forensic evidence behind to correlate its activity far into its origin. There's also significant evidence the attacker isn't cleaning up after themselves, suggesting more incriminating evidence has been left behind. The pattern introduced by the Request URIs is unique enough in itself, but the further correlation of such a verbose User-Agent helps to map the threat actor as they navigating from box to box. Furthermore, the centralized scanning suggests the attacker is not utilizing the ill-acquired hosts to directly replicate itself and expand in a Worm like fashion.

In closing, I’ll mention that I initially investigated this activity a few days ago. I attempted to contact the Web Server’s administrator (the Administrator of the FQDN currently points to the host address), and I of course am still waiting for their acknowledgement. Though, I suspect a language barrier may play a heavy role in this.

Tuesday, June 17, 2014

Public Key & Crypto Currency Wallet Broadscanning

First Impression

While browsing today’s reports of my Honey net, I noticed not one, but two abnormally large scans had occurred.

430 events is rather high for a simple HTTP scan, especially one which yields nothing in return to each request. The two count discrepancy is also curious. A quick query for the distinct field “REDIRECT_URL” shows two entries which each have a count just one higher than the rest.

wallet.old.bkp, and cgminer.tgz are both items most likely expected to be related to Crypto Currency. CGminer is a Crypto Currency Miner, and wallet.old.bkp appears to reference a Crypto Currency Wallet. CGMiner is often observed as a common payload in broad scanning attacks.

The Requests

A quick query for the rest of the requests gives us further insight into the intent.

List of Requests


Relational Events

At this point, it looks like this scan is attempting to find indicators of crypto currency use. The /checknfurl123 request also raises more questions. A quick look in my dashboard shows several events which share the /checknfurl123 request, dating back to June 3rd, 2014.

An accompanying query seems to confirm that the events which occurred prior to the 16th of June all shared a matching request list.

 The query for the requests from the events reveals a scan for various files, such as public and private keys, shell history files, and various others.

List of Requests


Behavior and Traits

Viewing the request in the dashboard gives us further insight into the rest of the request parameters. A quick Google Search for checknfurl123 reveals several people who have also noticed this checknfurl123 trend lately. Here are two examples for the /checknfurl123 URL, from the June 16th Crypto Currency campaign, and from the June 3rd Key Discovery Campaign.

Each request is nearly an identical HTTP/1.1 HEAD method against port 80 for each subsequent URL in the list. The duplicate requests from June 3rd and 4th are explained by the HTTP Host header being enumerated, once as “localhost”, and then as the proper Honey Pots address. We then ceased to see activity for a week, but the first return on June 11th exhibits the first change in behavior, where we no longer see HTTP Host headers of “localhost”. When we next see the scanners return on June 16th, the second behavioral change is observed as the word list is switched from the Keys list, to the Crypto Currency list.

My Opinion

With the prevalence of Crypto Currency Mining payloads accompanying many broad scanning attacks, this campaign is most likely targeting the work of other threat actors on already compromised machines. This could also be a crude form of attempting to identify vulnerable machines which have already been compromised, as the HEAD request would not return the contents of the file if it exists. The HEAD request method could also be a fingerprint of the scanning utility, such as Pnscan. Pnscan has been observed in use with several bot nets, where a HEAD request will be made, and based on the response a secondary script may be executed. The request for “/checknfurl123” most likely provides a baseline response, so a script would be able to determine the difference between a missing or fake file, and either proceed with file egression or continue on to the next attempt.

In Conclusion 

For (hopefully) most users, this particular scan may not pose much risk other than hundreds of extra security events to contend with. If you have any files hosted and accessible by any of the URLs listed in this blog, I suggest removing them immediately, and hosting them via a secure solution if necessary. If you have any of these files and you were previously unaware of them, it may be worth a dig to determine if your site has been otherwise compromised.