New, in your face, malware attacks me: /Ringing.at.your.dorbell!

Once in a great while I see a novel piece of malware. Novel in the sense that it is particularly stupid in its behavior and tells us the author is an egotistical asshole.

This week it is malware written by someone who can’t resist announcing in big bold letters that they are up to no good. Specifically, the malware makes HTTP attacks with the first request being “GET /Ringing.at.your.dorbell! HTTP/1.0”. Yes, that’s “dorbell” not “doorbell”. That plus the odd grammar implies this is a non-native speaker of English. The user-agents I’ve seen are “x00_-gawa.sa.pilipinas.2015” and “CVE-2014-6271 ;)”.

As is typical for these morons, the malware fails to include a Host header. That header isn’t mandatory for an HTTP/1.0 request, but it has been standard practice for a decade since it is necessary for virtual hosts to function properly. The absence of a Host header is something I use to decide that a request is from malware, since no legitimate browser or web crawler written in the past decade would omit it.

Note that this is fundamentally a shellshock attack. You can read about how I block such attacks here.

Update 2015-05-19: I feel compelled to note that this particular malware may have more than one signature. The first couple of attacks looked a lot like typical shellshock attacks. For example, here are the HTTP headers from the first attack I logged (this is from the request that followed the GET /Ringing.at.your.dorbell! request):

Cache-Control: no-cache
Connection: close
Pragma: no-cache
Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Referer: http://google.com/search?q=2+guys+1+horse
User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`

That was my basis for asserting that this is fundamentally a shellshock attack. However, the next attack was not of the shellshock variety. For example, I then saw this in the HTTP headers in a request for URI /Diagnostics.asp:

Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!

That cookie was not in the original “Ringing.at.your.dorbell” shellshock attacks that caught my attention. So is the malware mutating or is someone else hijacking the signature of the original attack?

Update 2015-07-11: Prior to today I hadn’t seen an attack from this particular malware in nearly two months. Today I saw two attacks, both with the same pattern:

1) First request was “GET /Ringing.at.your.dorbell!”.
2) Second request was “GET /”.
3) Third request was “GET /Diagnostics.asp”.

The cookie this time was slightly different: “Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa”. Notice the replacement of “Tomato lol!” from the earlier attack with “justa”. As before there is no Host header and the referer value is “http://google.com/search?q=2+guys+1+horse”.

So it appears this malware is active again and that explains why I’ve seen a huge spike in the number of people reading this particular article recently.
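As an added example (not the author's code), here is a small classifier that applies the indicators described in this post to a raw HTTP request: the missing Host header, the probe URI, the two user agents, the fake referer and "Greetz" cookie, and the shellshock "() {" function-definition pattern in any header value. The sample requests are constructed from the headers quoted above; the names `parse_request`, `classify` and `Verdict` are my own.

```python
import re
from dataclasses import dataclass, field

# Indicators described in the post. They are plain string matches, so treat
# them as a starting point rather than an exhaustive or stable signature.
KNOWN_URIS = {"/Ringing.at.your.dorbell!", "/Diagnostics.asp"}
KNOWN_USER_AGENTS = {"x00_-gawa.sa.pilipinas.2015", "CVE-2014-6271 ;)"}
KNOWN_REFERER = "http://google.com/search?q=2+guys+1+horse"
KNOWN_COOKIE_PREFIX = "Greetz to M, st0n3d, Jorgee, CoLdZeRo"
# Shellshock (CVE-2014-6271) trigger: a header value containing a bash
# function definition "() {". Spacing varies between samples, so allow it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


@dataclass
class Verdict:
    malicious: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: str):
    """Split a raw HTTP request (request line plus headers) into its parts.

    Header names are lower-cased; repeated headers are kept as a list.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than fail
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, version, headers


def classify(raw: str) -> Verdict:
    """Apply the post's indicators to one raw request and explain the verdict."""
    _method, uri, _version, headers = parse_request(raw)
    reasons = []
    # The post's primary heuristic: no real browser or crawler omits Host.
    if "host" not in headers:
        reasons.append("no Host header")
    if uri in KNOWN_URIS:
        reasons.append(f"known probe URI {uri}")
    for ua in headers.get("user-agent", []):
        if ua in KNOWN_USER_AGENTS:
            reasons.append(f"known user agent {ua!r}")
    if KNOWN_REFERER in headers.get("referer", []):
        reasons.append("known fake referer")
    if any(c.startswith(KNOWN_COOKIE_PREFIX) for c in headers.get("cookie", [])):
        reasons.append("greetz cookie")
    for name, values in headers.items():
        if any(SHELLSHOCK_RE.search(v) for v in values):
            reasons.append(f"shellshock pattern in {name} header")
    return Verdict(malicious=bool(reasons), reasons=reasons)


# Constructed samples modelled on the requests quoted in the post.
PROBE_REQUEST = (
    "GET /Ringing.at.your.dorbell! HTTP/1.0\r\n"
    "Referer: http://google.com/search?q=2+guys+1+horse\r\n"
    "User-Agent: x00_-gawa.sa.pilipinas.2015\r\n"
    "\r\n"
)
SHELLSHOCK_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Pragma: no-cache\r\n"
    "Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n"
    "Referer: http://google.com/search?q=2+guys+1+horse\r\n"
    "User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n"
    "Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed benign browser string)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in [("probe", PROBE_REQUEST), ("shellshock", SHELLSHOCK_REQUEST), ("benign", BENIGN_REQUEST)]:
        v = classify(req)
        print(f"{label}: malicious={v.malicious} reasons={v.reasons}")
```

Each reason is reported separately so that a rule which fires on the Host heuristic alone can be tuned independently of the string signatures, which the later updates show are not stable across waves of the same malware.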

Published by

Kurtis Rader

I'm first and foremost a Secular Humanist and Atheist. To pay the bills I'm a software engineer. When not working I walk or play with my dogs, read lots of non-fiction (and some fiction), and watch lots of movies.

21 thoughts on “New, in your face, malware attacks me: /Ringing.at.your.dorbell!”

  1. This tripped our IDS today, but I think you’ll find the Referer and other stuff in the header is fake, as this came from a compromised server, owned by Net Rubi do Brasil:
    177.70.209.24 - - [14/Jul/2015:09:12:55 +1000] "GET /Ringing.at.your.dorbell! HTTP/1.0" 404 222
    177.70.209.24 - - [14/Jul/2015:09:12:55 +1000] "GET /Ringing.at.your.dorbell! HTTP/1.0" 404 222 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:12:56 +1000] "GET / HTTP/1.0" 200 10201
    177.70.209.24 - - [14/Jul/2015:09:12:56 +1000] "GET / HTTP/1.0" 200 10201 "-" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:12:57 +1000] "GET / HTTP/1.1" 200 10201
    177.70.209.24 - - [14/Jul/2015:09:12:57 +1000] "GET / HTTP/1.1" 200 10201 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:12:58 +1000] "GET /Diagnostics.asp HTTP/1.0" 404 213
    177.70.209.24 - - [14/Jul/2015:09:12:58 +1000] "GET /Diagnostics.asp HTTP/1.0" 404 213 "-" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:12:59 +1000] "GET / HTTP/1.0" 200 10201
    177.70.209.24 - - [14/Jul/2015:09:12:59 +1000] "GET / HTTP/1.0" 200 10201 "-" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:13:00 +1000] "GET / HTTP/1.0" 200 10201
    177.70.209.24 - - [14/Jul/2015:09:13:00 +1000] "GET / HTTP/1.0" 200 10201 "-" "x00_-gawa.sa.pilipinas.2015"
    177.70.209.24 - - [14/Jul/2015:09:13:01 +1000] "GET / HTTP/1.0" 200 10201
    177.70.209.24 - - [14/Jul/2015:09:13:01 +1000] "GET / HTTP/1.0" 200 10201 "-" "x00_-gawa.sa.pilipinas.2015"

    1. Any header provided by the remote system is always suspect. Nonetheless, they sometimes provide useful insights. They can sometimes also safely be used to decide if a given request represents an attack; e.g., the user agent used by this malware appears to be a sufficiently unique signature to be used in deciding if a request should be rejected.

  2. Caught here on cod3r [dot] net too.
    The idiots forgot to remove User-Agent from some of their tools, e.g.
    However, I detected RingYourBell requests from several quite different IPs; maybe they used a botnet for scanning?
    However, contact me if you guys find anything new on this topic, thanks!

  3. I got this punk ringing my dorbell (sic) as well.
    It came from these networks during the past few days …

    191.243.29. – Brazil – Pimentel & Costa Ltda – Me –
    64.184.176. – olympicwi-fi.com – United States – Northwest Open Access Network –
    101.51.112. – totbb.net – Thailand – TOT Public Company Limited –
    119.93.245. – Philippines – Philippine Long Distance Telephone Co. –
    186.119.11. – Colombia – Colombia Telecomunicaciones S.a. Esp –
    200.23.230. – Brazil – Tek Turbo Provedor De Internet Ltda –
    202.160.164. – d2visp.com – India – D2v-ril –

  4. Sorry, basic question, but where on my .htaccess file should I add that? I add it at the end, beginning, middle, but it gives me a 500 error. Thank you!

    1. Sorry, I was supposed to post this comment in your “Configuring Apache to reject Shellshock attacks” post =)

    2. I don’t understand your question since this article and none of the comments reference a .htaccess file. Did you mean to comment on a related article such as the one where I describe how to block shellshock attacks? Regardless, the answer is highly dependent on your web server configuration. Also keep in mind in my examples I typically show a rewrite rule to my custom “/blocked.php” path that is a PHP file that provides a useful error page while also setting the HTTP status to 400. You’ll either need an equivalent PHP module (I’m happy to email you mine) or substitute that rewriterule with something appropriate for your situation. If you send me an email (krader (at) skepticism.us) with details about your configuration I’m willing to try to provide better advice.

  5. When I saw this entry in my Apache error.log I got it banned by fail2ban; after two entries the IP is blocked for several hours.

  6. Hi, nice article!

    I’m curious how you got the information from your update 2015-05-19 in this article, the part about cookie, header and so on. On my Apache I only use the standard “common” format for the access log, so I didn’t find that information. Would very much like to find that information for obvious reasons!

    How did you manage to get access to that information?

    1. My server gets very little traffic (most days average less than 100 hits not counting crawlers) so I pay the overhead to log all the incoming traffic with these httpd.conf directives:

      LoadModule dumpio_module libexec/apache2/mod_dumpio.so
      
      <IfModule dumpio_module>
      DumpIOInput On
      DumpIOOutput Off
      LogLevel dumpio:trace7
      </IfModule>
      
      ErrorLog "|/usr/sbin/rotatelogs -c -f -l -L /private/var/log/apache2/error.log /private/var/log/apache2/error.log.%Y-%m-%d 86400"
      

      I also have a CustomLog format that includes a little more information and timestamps that are easier to process:

      LogFormat "%{%Y-%m-%dT%H:%M:%S}t %{sec}t.%{usec_frac}t %>s %{error-notes}e %D %B %h %{Host}i \"%r\" \"%{User-Agent}i\"" krader_custom
      
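The krader_custom LogFormat in the reply above, together with the three-request pattern from the 2015-07-11 update, lends itself to a small log-correlation script. This is an added example, not code from the post or its author: the log lines are constructed to match that format (the epoch and timing values are made up; the client IP 177.70.209.24 is taken from an earlier comment), and `parse_line`, `find_probe_sequences` and the 60-second window are my own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the krader_custom LogFormat:
#   %{%Y-%m-%dT%H:%M:%S}t %{sec}t.%{usec_frac}t %>s %{error-notes}e %D %B %h %{Host}i "%r" "%{User-Agent}i"
# error-notes may contain spaces, so it is matched lazily; the quoted request
# line and User-Agent may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<epoch>\d+\.\d+) (?P<status>\d{3}) (?P<notes>.*?) '
    r'(?P<usec>\d+) (?P<bytes>\d+) (?P<client>\S+) (?P<host>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# The three-request pattern from the 2015-07-11 update, in order.
PROBE_SEQUENCE = ("/Ringing.at.your.dorbell!", "/", "/Diagnostics.asp")


@dataclass
class Record:
    epoch: float
    status: int
    client: str
    host: str          # "-" when the request carried no Host header
    method: str
    path: str
    user_agent: str

    @property
    def missing_host(self) -> bool:
        return self.host == "-"


def parse_line(line: str):
    """Parse one krader_custom access-log line; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    req = m.group("request").split(" ")
    return Record(
        epoch=float(m.group("epoch")),
        status=int(m.group("status")),
        client=m.group("client"),
        host=m.group("host"),
        method=req[0] if req else "-",
        path=req[1] if len(req) > 1 else "-",
        user_agent=m.group("ua"),
    )


def find_probe_sequences(lines, window_seconds=60.0):
    """Return {client_ip: epoch of first probe} for every client that issued
    PROBE_SEQUENCE in order within window_seconds. Requests between the steps
    are ignored, so extra "GET /" hits do not break the match."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_client[rec.client].append(rec)
    hits = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.epoch)
        step, start = 0, None
        for rec in recs:
            if start is not None and rec.epoch - start > window_seconds:
                step, start = 0, None  # too slow to be the scripted probe; start over
            if rec.path == PROBE_SEQUENCE[step]:
                if step == 0:
                    start = rec.epoch
                step += 1
                if step == len(PROBE_SEQUENCE):
                    hits[client] = start
                    break
    return hits


# Constructed sample log in krader_custom format. The first client replays the
# probe sequence with no Host header; the second is an ordinary browser that
# happens to request two of the same paths, but not in the probe order.
SAMPLE_LOG = """\
2015-07-11T09:12:55 1436569975.101234 404 - 412 222 177.70.209.24 - "GET /Ringing.at.your.dorbell! HTTP/1.0" "x00_-gawa.sa.pilipinas.2015"
2015-07-11T09:12:56 1436569976.204567 200 - 1532 10201 177.70.209.24 - "GET / HTTP/1.0" "x00_-gawa.sa.pilipinas.2015"
2015-07-11T09:12:58 1436569978.300001 404 - 388 213 177.70.209.24 - "GET /Diagnostics.asp HTTP/1.0" "x00_-gawa.sa.pilipinas.2015"
2015-07-11T09:13:10 1436569990.400002 200 - 2210 10201 203.0.113.7 www.example.com "GET / HTTP/1.1" "Mozilla/5.0 (constructed benign browser string)"
2015-07-11T09:13:11 1436569991.500003 404 - 301 213 203.0.113.7 www.example.com "GET /Diagnostics.asp HTTP/1.1" "Mozilla/5.0 (constructed benign browser string)"
"""

if __name__ == "__main__":
    for ip, first_seen in find_probe_sequences(SAMPLE_LOG.splitlines()).items():
        print(f"probe sequence from {ip} starting at epoch {first_seen}")
```

Because the format records `%{Host}i` as `-` when the header is absent, the parsed records also expose the missing-Host heuristic directly, which the stock "common" log format cannot do.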
