A Brief History of Pastes

For more than 25 years, people looking to share computer code and snippets of text have used pastebins, web applications designed to store text. Often chosen because they would preserve formatting, pastebins were also an attractive option for IRC enthusiasts who wanted to talk about problems they were having with their programs without flooding channels with irrelevant information. 14 years ago, Pastebin (pastebin.com) was created. Created to be a global repository for code review, the site has blossomed into one of the most popular sites on the net. As of this writing, Alexa’s global rank for it was 1,100.

Like so many other things on the internet however, Pastebin has been abused by malicious actors. Taking advantage of the anonymity and specificity that Pastebin prides itself on, malware authors and hacker groups use the site for a variety of purposes, including sharing stolen login credentials and credit card information, kits for compromised sites, and most recently to host malware samples and complete malware chains. The site’s status as a data dump is well known, so let’s look at some of its other uses.

How To Compromise Websites and Influence People

The vast majority of content on Pastebin is benign. Plenty of users share legitimate snippets of code on it, everything from router firmware to online shopping carts. Though there’s plenty of other content that has little to do with computing or computer code, most of what is on Pastebin are pieces of scripts or programs, shared with the intention of helping anyone who needs it. The shadier side of Pastebin is still interested in helping people, but it’s more interested in helping people abuse vulnerabilities and compromised websites.

Hacker groups will use Pastebin to share their defacing code. IndoXploit, a hacking group operating for at least a year, hosts a good deal of their scripts under the Pastebin user account named “Tu5 b0l3d”, presumably the same user on the IndoXploit forums and YouTube channel.

The Pastebin account of “Tu5 b0l3d”, a member of the INdoXploit team

Not all groups are so brazen, but the need to share is compelling all the same. Here, we see the PHP for a r57/c99 shell hidden behind an anonymous account:

c99 shell on Pastebin

c99 shells are for use by malicious actors when they’ve compromised a domain’s server. Acting as a backdoor, a c99 shell lets malicious users navigate the compromised domain, grants file and password access, and comes with a host of other tools.

c99 shell distributed on Pastebin

Umbrella Investigate graph for r57c99[.]com

As seen in the graph above, Pastebin’s views on individual pastes aren’t a great indicator of the malicious actor’s success or failure. Though anonymity is one of Pastebin’s key features, the ability to store multiple copies of the same code must also be seen as an advantage for malicious actors: if a URL proxy cuts off access to one instance of your malicious paste, you may have dozens more lying in wait.

Hidden in Plain Sight

Beyond offering compromising scripts and compromised accounts, Pastebin has recently become a vector for malware attacks itself. Malware authors are using the site to host obfuscated code samples, usually encoded in Base64 (https://pastebin.com/nxd1fahr), but we’ve also seen examples in binary (https://pastebin.com/h3YpJvwp) as well as hex (https://pastebin.com/3J4EvhtL). These obfuscated samples are called by compromised websites in order to complete the kill chain: When a user accesses the compromised site, the site quietly makes a request to specific Pastebin URLs which then execute. The victim doesn’t need a Pastebin login (or even to know what Pastebin is), and the pastes can be set to remove themselves after a given amount of time. The small URLs pastebins employ in order to make sharing easier adds another problem for security professionals by making Twitter a particularly effective medium for infection and propagation. Used to distribute commands and code, the social media platform becomes another tool bent towards malicious purposes.

Because of the website’s popularity and ease of use, tens of thousands of pastes are added per day. Administrators might be hesitant to block the domain because of its utility, but malicious actors have been abusing it for years. The earliest blogs about this technique are two years old, and similar services such as Github’s Gist or Ideone are just as vulnerable to the underlying problems. Any service in which anonymous users can host code indefinitely is going to be a double-edged sword, and one that security professionals must be mindful of allowing.

This post is categorized in: