Cisco Umbrella
Threats

A Wretched Bin of Scum and Villainy

By Patrick Colford
Posted on April 14, 2017
Updated on March 3, 2020


A Brief History of Pastes

For more than 25 years, people looking to share computer code and snippets of text have used pastebins, web applications designed to store text. Often chosen because they preserve formatting, pastebins were also an attractive option for IRC enthusiasts who wanted to discuss problems with their programs without flooding channels with irrelevant information. Pastebin (pastebin.com) was created 14 years ago as a global repository for code review, and the site has since blossomed into one of the most popular sites on the net. As of this writing, Alexa’s global rank for it was 1,100.
Like so many other things on the internet, however, Pastebin has been abused by malicious actors. Taking advantage of the anonymity and specificity that Pastebin prides itself on, malware authors and hacker groups use the site for a variety of purposes, including sharing stolen login credentials and credit card information, kits for compromised sites, and most recently hosting malware samples and complete malware chains. The site’s status as a data dump is well known, so let’s look at some of its other uses.

How To Compromise Websites and Influence People

The vast majority of content on Pastebin is benign. Plenty of users share legitimate snippets of code on it, everything from router firmware to online shopping carts. Though there is plenty of other content that has little to do with computing or computer code, most of what is on Pastebin consists of pieces of scripts or programs, shared with the intention of helping anyone who needs them. The shadier side of Pastebin is still interested in helping people, but it is more interested in helping people abuse vulnerabilities and compromised websites.
Hacker groups use Pastebin to share their defacement code. IndoXploit, a hacking group operating for at least a year, hosts a good deal of its scripts under the Pastebin user account named “Tu5 b0l3d”, presumably the same user seen on the IndoXploit forums and YouTube channel.

The Pastebin account of “Tu5 b0l3d”, a member of the IndoXploit team

Not all groups are so brazen, but the need to share is compelling all the same. Here, we see the PHP for a r57/c99 shell hidden behind an anonymous account:

c99 shell on Pastebin

c99 shells are used by malicious actors once they have compromised a domain’s server. Acting as a backdoor, a c99 shell lets malicious users navigate the compromised domain, grants file and password access, and comes with a host of other tools.

c99 shell distributed on Pastebin

Umbrella Investigate graph for r57c99[.]com
As seen in the graph above, Pastebin’s view counts on individual pastes are not a good indicator of a malicious actor’s success or failure. Though anonymity is one of Pastebin’s key features, the ability to store multiple copies of the same code must also be seen as an advantage for malicious actors: if a URL proxy cuts off access to one instance of a malicious paste, dozens more may be lying in wait.

Hidden in Plain Sight

Beyond offering compromising scripts and compromised accounts, Pastebin has recently become a vector for malware attacks itself. Malware authors are using the site to host obfuscated code samples, usually encoded in Base64 (https://pastebin.com/nxd1fahr), but we have also seen examples in binary (https://pastebin.com/h3YpJvwp) and in hex (https://pastebin.com/3J4EvhtL). These obfuscated samples are fetched by compromised websites in order to complete the kill chain: when a user accesses the compromised site, the site quietly requests specific Pastebin URLs and executes what they return. The victim does not need a Pastebin login (or even to know what Pastebin is), and the pastes can be set to remove themselves after a given amount of time. The short URLs pastebins employ to make sharing easier add another problem for security professionals by making Twitter a particularly effective medium for infection and propagation. Used to distribute commands and code, the social media platform becomes another tool bent towards malicious purposes.
Because of the website’s popularity and ease of use, tens of thousands of pastes are added per day. Administrators might be hesitant to block the domain because of its utility, but malicious actors have been abusing it for years. The earliest blogs about this technique are two years old, and similar services such as GitHub Gist or Ideone are just as vulnerable to the underlying problems. Any service on which anonymous users can host code indefinitely is going to be a double-edged sword, and one that security professionals must be mindful of allowing.
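The two things a defender can act on in the chain described above are the outbound fetch of a raw paste and the encoding of the paste body. The following Python script is an added example, not code from the original post or from Cisco Umbrella: it picks raw-paste fetches out of constructed proxy log lines (reusing the paste IDs the post cites) and strips one layer of Base64 or hex from a paste body to see whether script markers appear underneath. The log format, the marker list and the sample paste are assumptions for the demonstration.

```python
import base64
import binascii
import re

# Constructed proxy log lines (not from the original post), reusing the paste
# IDs the post cites. Format: "timestamp client_ip method url status type".
SAMPLE_LOG = """\
2017-04-14T10:01:02Z 10.0.0.21 GET https://pastebin.com/raw/nxd1fahr 200 text/plain
2017-04-14T10:01:05Z 10.0.0.21 GET https://www.example.com/index.php 200 text/html
2017-04-14T10:02:11Z 10.0.0.33 GET https://pastebin.com/3J4EvhtL 200 text/html
2017-04-14T10:03:40Z 10.0.0.21 GET https://pastebin.com/raw/h3YpJvwp 200 text/plain
"""
# Only raw-paste URLs are flagged: that is what a script fetches, whereas an
# interactive paste page is what a person browsing Pastebin produces.
RAW_PASTE = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/([A-Za-z0-9]+)")
# Assumed markers that identify a decoded paste as code rather than notes.
CODE_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"powershell", b"cmd.exe")

def raw_paste_fetches(log_text):
    """Return (client_ip, paste_id) for each raw-paste fetch, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        m = RAW_PASTE.search(fields[3]) if len(fields) > 3 else None
        if m:
            hits.append((fields[1], m.group(1)))
    return hits

def decode_layer(text):
    """Strip one layer of hex or Base64; return (encoding, bytes) or (None, None)."""
    body = "".join(text.split())  # pastes are usually wrapped across lines
    # Hex is tried first because a hex string is also syntactically valid Base64.
    if body and len(body) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", body):
        return "hex", bytes.fromhex(body)
    if len(body) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        try:
            return "base64", base64.b64decode(body, validate=True)
        except binascii.Error:
            pass
    return None, None

def classify_paste(text):
    """Return (encoding, markers found); plain text is searched as-is."""
    encoding, decoded = decode_layer(text)
    haystack = decoded if decoded is not None else text.encode("utf-8", "replace")
    return encoding, [m.decode() for m in CODE_MARKERS if m in haystack.lower()]

# Constructed paste bodies: a harmless PHP snippet encoded in Base64 and in hex.
SAMPLE_PLAIN = b"<?php echo 'constructed sample'; ?>"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN).decode()
SAMPLE_HEX = SAMPLE_PLAIN.hex()
```

A raw-paste fetch by a web server (rather than a workstation) combined with a decoded body that hits a code marker is the pairing worth alerting on; either signal alone produces noise on a site that is used legitimately.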
