• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
    • Get the 2022 Cloud Scurity Comparison Guide
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
      • Cyber Threat Categories and Definitions
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Threats

A Wretched Bin of Scum and Villainy

By Patrick Colford
Posted on April 14, 2017
Updated on March 3, 2020

Share

FacebookTweetLinkedIn

A Brief History of Pastes

For more than 25 years, people looking to share computer code and snippets of text have used pastebins, web applications designed to store text. Often chosen because they would preserve formatting, pastebins were also an attractive option for IRC enthusiasts who wanted to talk about problems they were having with their programs without flooding channels with irrelevant information. 14 years ago, Pastebin (pastebin.com) was created. Created to be a global repository for code review, the site has blossomed into one of the most popular sites on the net. As of this writing, Alexa’s global rank for it was 1,100.
Like so many other things on the internet however, Pastebin has been abused by malicious actors. Taking advantage of the anonymity and specificity that Pastebin prides itself on, malware authors and hacker groups use the site for a variety of purposes, including sharing stolen login credentials and credit card information, kits for compromised sites, and most recently to host malware samples and complete malware chains. The site’s status as a data dump is well known, so let’s look at some of its other uses.

How To Compromise Websites and Influence People

The vast majority of content on Pastebin is benign. Plenty of users share legitimate snippets of code on it, everything from router firmware to online shopping carts. Though there’s plenty of other content that has little to do with computing or computer code, most of what is on Pastebin are pieces of scripts or programs, shared with the intention of helping anyone who needs it. The shadier side of Pastebin is still interested in helping people, but it’s more interested in helping people abuse vulnerabilities and compromised websites.
Hacker groups will use Pastebin to share their defacing code. IndoXploit, a hacking group operating for at least a year, hosts a good deal of their scripts under the Pastebin user account named “Tu5 b0l3d”, presumably the same user on the IndoXploit forums and YouTube channel.

The Pastebin account of “Tu5 b0l3d”, a member of the INdoXploit team

Not all groups are so brazen, but the need to share is compelling all the same. Here, we see the PHP for a r57/c99 shell hidden behind an anonymous account:

c99 shell on Pastebin

c99 shells are for use by malicious actors when they’ve compromised a domain’s server. Acting as a backdoor, a c99 shell lets malicious users navigate the compromised domain, grants file and password access, and comes with a host of other tools.

c99 shell distributed on Pastebin

Umbrella Investigate graph for r57c99[.]com
 
As seen in the graph above, Pastebin’s views on individual pastes aren’t a great indicator of the malicious actor’s success or failure. Though anonymity is one of Pastebin’s key features, the ability to store multiple copies of the same code must also be seen as an advantage for malicious actors: if a URL proxy cuts off access to one instance of your malicious paste, you may have dozens more lying in wait.

Hidden in Plain Sight

Beyond offering compromising scripts and compromised accounts, Pastebin has recently become a vector for malware attacks itself. Malware authors are using the site to host obfuscated code samples, usually encoded in Base64 (https://pastebin.com/nxd1fahr), but we’ve also seen examples in binary (https://pastebin.com/h3YpJvwp) as well as hex (https://pastebin.com/3J4EvhtL). These obfuscated samples are called by compromised websites in order to complete the kill chain: When a user accesses the compromised site, the site quietly makes a request to specific Pastebin URLs which then execute. The victim doesn’t need a Pastebin login (or even to know what Pastebin is), and the pastes can be set to remove themselves after a given amount of time. The small URLs pastebins employ in order to make sharing easier adds another problem for security professionals by making Twitter a particularly effective medium for infection and propagation. Used to distribute commands and code, the social media platform becomes another tool bent towards malicious purposes.
Because of the website’s popularity and ease of use, tens of thousands of pastes are added per day. Administrators might be hesitant to block the domain because of its utility, but malicious actors have been abusing it for years. The earliest blogs about this technique are two years old, and similar services such as Github’s Gist or Ideone are just as vulnerable to the underlying problems. Any service in which anonymous users can host code indefinitely is going to be a double-edged sword, and one that security professionals must be mindful of allowing.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella