New, in-your-face malware attacks me: /Ringing.at.your.dorbell!


Once in a great while I see a novel piece of malware. Novel in the sense that it is particularly stupid in its behavior and tells us the author is an egotistical asshole.

This week it is malware written by someone who can’t resist announcing in big bold letters that they are up to no good. Specifically, the malware makes HTTP attacks with the first request being “GET /Ringing.at.your.dorbell! HTTP/1.0”. Yes, that’s “dorbell”, not “doorbell”. That plus the odd grammar implies this is a non-native speaker of English. The user-agents I’ve seen are “x00_-gawa.sa.pilipinas.2015” and “CVE-2014-6271 ;)”.

As is typical for these morons, the malware fails to include a Host header. A Host header isn’t mandatory in an HTTP/1.0 request (HTTP/1.1 does require it), but it has been standard practice for a decade since it is necessary for name-based virtual hosts to function properly. The absence of a Host header is something I use to decide the request is from malware, since no legitimate browser or web crawler written in the past decade would omit it.

Note that this is fundamentally a shellshock attack (CVE-2014-6271, the same CVE the second user-agent names). You can read about how I block such attacks here.

Update 2015-05-19: I feel compelled to note that this particular malware may have more than one signature. The first couple of attacks looked a lot like typical shellshock attacks. For example, here are the HTTP headers from the first attack I logged (this is from the request that followed the “GET /Ringing.at.your.dorbell!” request):

Cache-Control: no-cache
Connection: close
Pragma: no-cache
Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Referer: http://google.com/search?q=2+guys+1+horse
User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`

That was my basis for asserting that this is fundamentally a shellshock attack. However, the next attack was not of the shellshock variety. For example, I then saw this in the HTTP headers in a request for URI /Diagnostics.asp:

Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!

That cookie was not in the original “Ringing.at.your.dorbell” shellshock attacks that caught my attention. So is the malware mutating or is someone else hijacking the signature of the original attack?
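The checks described above (no Host header, a shellshock function definition in any header, and the specific URI, user-agent, referer and cookie strings quoted in this post) are easy to turn into a small classifier. The following is an added example written for this page; it is not the author’s blocking rules. The sample requests are constructed from the headers quoted above rather than captured traffic, and the URI “/” on the shellshock sample is an assumption, since the post does not say which URI those headers accompanied. Note that the payload’s backtick expression `expr 1344 - 7` evaluates to 1337 on a vulnerable server, so a response body containing “shellshot_1337” is what the scanner looks for to confirm the hole.

```python
"""Detect the request pattern described in the post.

Added example, not the author's own blocking configuration. It parses
raw HTTP/1.0 request text and reports every reason the request looks
like this malware.
"""
import re

# Bash function-definition prefix that triggers CVE-2014-6271 when the
# header value is exported into the environment of a CGI script.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Indicators quoted in the post.
KNOWN_URIS = {"/Ringing.at.your.dorbell!", "/Diagnostics.asp"}
KNOWN_USER_AGENTS = {"x00_-gawa.sa.pilipinas.2015", "CVE-2014-6271 ;)"}
KNOWN_REFERER = "http://google.com/search?q=2+guys+1+horse"
GREETZ_PREFIX = "Greetz to M, st0n3d, Jorgee, CoLdZeRo"

SHELLSHOCK_PAYLOAD = (
    "() { goo;}; echo Content-Type: text/plain ; echo ; "
    "echo shellshot_`expr 1344 - 7`"
)

# Constructed sample requests (not captured traffic). The URI "/" on the
# first one is an assumption; the post does not state it.
SHELLSHOCK_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Pragma: no-cache\r\n"
    "Cookie: " + SHELLSHOCK_PAYLOAD + "\r\n"
    "Referer: http://google.com/search?q=2+guys+1+horse\r\n"
    "User-Agent: " + SHELLSHOCK_PAYLOAD + "\r\n"
    "Test: " + SHELLSHOCK_PAYLOAD + "\r\n"
    "\r\n"
)
GREETZ_REQUEST = (
    "GET /Diagnostics.asp HTTP/1.0\r\n"
    "Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa\r\n"
    "Referer: http://google.com/search?q=2+guys+1+horse\r\n"
    "\r\n"
)
DORBELL_REQUEST = (
    "GET /Ringing.at.your.dorbell! HTTP/1.0\r\n"
    "User-Agent: CVE-2014-6271 ;)\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, version, headers).

    Header names are lower-cased so lookups are case-insensitive. A
    duplicate header keeps the last value, which is enough here.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def classify(raw):
    """Return the list of reasons a request matches the malware.

    An empty list means nothing suspicious was found.
    """
    method, uri, version, headers = parse_request(raw)
    reasons = []
    # Optional in HTTP/1.0, but every real browser and crawler sends it.
    if "host" not in headers:
        reasons.append("missing Host header")
    # The payload can sit in any header, not just User-Agent.
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            reasons.append("shellshock payload in %s" % name)
    if uri in KNOWN_URIS:
        reasons.append("known URI %s" % uri)
    if headers.get("user-agent") in KNOWN_USER_AGENTS:
        reasons.append("known user-agent")
    if headers.get("referer") == KNOWN_REFERER:
        reasons.append("known referer")
    if headers.get("cookie", "").startswith(GREETZ_PREFIX):
        reasons.append("greetz cookie")
    return reasons


if __name__ == "__main__":
    for label, req in [("shellshock", SHELLSHOCK_REQUEST),
                       ("greetz", GREETZ_REQUEST),
                       ("dorbell", DORBELL_REQUEST),
                       ("benign", BENIGN_REQUEST)]:
        print(label, classify(req))
```

The shellshock regex is deliberately loose (whitespace between the parentheses and the brace is allowed) because the exploit only needs the string to start with a bash function definition; matching the exact `() { goo;}` text from one sample would miss the next variant. Conversely, the Greetz check matches only on the stable prefix, since the trailing names changed between the two attacks the post describes.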

Update 2015-07-11: Prior to today I hadn’t seen an attack from this particular malware in nearly two months. Today I saw two attacks, both with the same pattern:

1) First request was “GET /Ringing.at.your.dorbell!”.
2) Second request was “GET /”.
3) Third request was “GET /Diagnostics.asp”.

The cookie this time was slightly different: “Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa”. Notice the replacement of “Tomato lol!” from the earlier attack with “justa”. As before, there is no Host header and the referer value is “http://google.com/search?q=2+guys+1+horse”.

So it appears this malware is active again and that explains why I’ve seen a huge spike in the number of people reading this particular article recently.