Full Report
Authored by Margit Hazenbroek. Excerpt from "The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses": At Fox-IT (part of NCC Group), identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in the responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection. However, …
Analysis Summary
# Tool/Technique: Spelling Police (HTTP Response Typo Fingerprinting)
## Overview
The "Spelling Police" is a threat intelligence technique used to identify malicious HTTP servers, such as Command and Control (C2) nodes, by detecting textual anomalies (typos, stray whitespace, syntax errors) in HTTP response status lines and headers. It relies on the premise that widely deployed server software emits consistent, RFC-conformant headers, whereas custom-built malicious tools, and servers that mimic legitimate software, often carry human errors (an extra space, a misspelled header name) that act as fingerprints for that particular implementation.
## Technical Details
- **Type:** Technique (Profiling & Fingerprinting)
- **Platform:** Agnostic (any HTTP-based server infrastructure)
- **Capabilities:** Large-scale scanning of HTTP responses, near-miss detection via Levenshtein distance, and identification of infrastructure whose responses deviate from the HTTP/1.1 message syntax.
- **First Seen:** Technique published by Fox-IT/NCC Group; the Cobalt Strike trailing-space anomaly that motivated it was documented by Fox-IT in 2019.
## MITRE ATT&CK Mapping
- **[TA0042 - Resource Development]**
- **[T1583 - Acquire Infrastructure]**
- **[T1584 - Compromise Infrastructure]**
- **[TA0011 - Command and Control]**
- **[T1071.001 - Application Layer Protocol: Web Protocols]**
## Functionality
### Core Capabilities
- **Levenshtein Distance Analysis:** Measures the edit distance between an observed header name (or value) and the nearest known, correctly spelled one, so that near-misses such as a transposed pair of letters stand out while genuinely unknown custom headers do not.
- **Whitespace Detection:** Identifies extraneous whitespace in the status line or header fields (e.g., `HTTP/1.1 200 OK ` with a trailing space versus the standard `HTTP/1.1 200 OK`).
- **Standard Deviation Filtering:** Ranks anomalies by how many hosts exhibit them, so widespread quirks of common but misconfigured software are separated from rare, specific typos that point to a custom malicious framework.
### Advanced Features
- **Mimicry Detection:** Identifies servers attempting to impersonate legitimate services (like Apache or nginx) that fail to replicate the header structure perfectly.
- **Bulk Scan Integration:** Compatible with public internet scan data (e.g., Censys, Shodan) to proactively map the global threat landscape.
## Indicators of Compromise
### Network Indicators
- **Cobalt Strike C2:** Historically identified by a trailing space in the `HTTP/1.1 200 OK ` status line emitted by the team server; the space was removed in later Cobalt Strike releases, so this particular fingerprint only matches older or unpatched team servers.
- **Note:** The technique looks for patterns in server responses rather than static IPs, because infrastructure is often ephemeral; a matching response is a lead for further verification, not proof of malice on its own.
### Behavioral Indicators
- Non-standard HTTP response status lines or header fields.
- Deviations from the HTTP/1.1 message syntax (RFC 7230, now RFC 9112) or semantics (RFC 7231, now RFC 9110).
## Associated Threat Actors
- **Cobalt Strike users:** Various APT and ransomware groups.
- **General Cybercriminals:** Actors deploying custom C2 frameworks or improperly configured phishing landing pages.
## Detection Methods
- **Signature-based detection:** Snort or Suricata rules that flag specific known-bad header typos in server responses (e.g., matching `Content-Lenght` instead of `Content-Length`, case-insensitively, on traffic flowing to the client).
- **Behavioral detection:** Monitoring for unexpected HTTP response structures from external-facing assets or from unknown internal IPs.
- **YARA Rules:** Can be run on captured traffic to find specific string anomalies; apply them to reassembled HTTP streams rather than raw PCAP bytes, since a string split across TCP segments will not match in the packet file.
## Mitigation Strategies
- **Prevention measures:** Build legitimate web infrastructure from standardized, up-to-date software templates so that it does not itself look "anomalous" to scanners.
- **Hardening recommendations:** Place a reverse proxy or Web Application Firewall (WAF) in front of origin servers to rewrite outbound responses and drop non-compliant headers.
- **Infrastructure Auditing:** Proactively scan organization-owned IP ranges with the same "Spelling Police" logic to surface shadow IT or compromised servers.
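As an added example for the core capabilities listed under Functionality and for the infrastructure-auditing step above (written for this summary; it is not Fox-IT's tooling and not code from the original post), the Python below applies the three checks to raw response heads: trailing whitespace in the status line, whitespace problems around header fields, and Levenshtein near-misses against a list of known header names. It then keeps only the anomalies that are rare across a scan. `KNOWN_HEADERS`, the tag names, the 0.2 rarity threshold, the `probe()` helper and the `SCAN` sample (RFC 5737 documentation addresses with constructed responses) are all assumptions.

```python
# Added example, not Fox-IT's tooling: "spelling police" checks over raw HTTP heads.
# KNOWN_HEADERS, the tag names, the 0.2 rarity threshold and SCAN are assumptions.
import re
import socket
from collections import Counter

KNOWN_HEADERS = {  # assumption: representative subset of headers real servers emit
    "content-type", "content-length", "content-encoding", "content-language",
    "content-disposition", "content-range", "date", "server", "connection",
    "cache-control", "set-cookie", "location", "etag", "last-modified", "expires",
    "pragma", "vary", "via", "age", "allow", "link", "transfer-encoding",
    "keep-alive", "accept-ranges", "www-authenticate", "x-powered-by", "upgrade",
    "retry-after", "alt-svc", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "content-security-policy", "referrer-policy",
}
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3} [^\r\n]*$")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_known(name: str) -> tuple[str, int]:
    """Nearest known header name (names are case-insensitive) and its distance."""
    lname = name.lower()
    return min(((k, levenshtein(lname, k)) for k in KNOWN_HEADERS), key=lambda t: t[1])

def fingerprint(raw: bytes) -> list[str]:
    """Tag the textual anomalies in one raw HTTP response head."""
    tags: list[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *headers = head.split("\r\n")
    # e.g. "HTTP/1.1 200 OK " with a trailing space (a legal empty reason phrase,
    # "HTTP/1.1 204 ", also ends in a space; rare enough to triage by hand)
    if status != status.rstrip():
        tags.append("status-line:trailing-whitespace")
    if not STATUS_LINE.match(status.rstrip()):
        tags.append("status-line:malformed")
    for line in headers:
        if ":" not in line:
            tags.append("header:no-colon")
            continue
        name, value = line.split(":", 1)
        if name != name.strip():         # whitespace around the field name is not allowed
            tags.append(f"header:whitespace-in-name:{name.strip()}")
        if value and value[0] not in " \t":  # legal (OWS is optional) but real servers emit it
            tags.append(f"header:no-ows-after-colon:{name.strip()}")
        known, dist = closest_known(name.strip())
        limit = 1 if len(known) < 8 else 2  # two edits on a short name is a different word
        if 0 < dist <= limit:
            tags.append(f"header:near-miss:{name.strip()}~{known}")
    return tags

def rare_anomalies(scan: dict[str, bytes], max_share: float = 0.2) -> dict[str, list[str]]:
    """Keep anomalies seen on at most max_share of hosts, mapped to those hosts.
    Widespread quirks of common (mis)configured software drop out; rare typos remain."""
    per_host = {host: set(fingerprint(raw)) for host, raw in scan.items()}
    counts = Counter(tag for tags in per_host.values() for tag in tags)
    rare = [tag for tag, c in sorted(counts.items()) if c / len(per_host) <= max_share]
    return {tag: sorted(h for h, t in per_host.items() if tag in t) for tag in rare}

def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Fetch a raw response head for auditing your own ranges. A bare socket is used on
    purpose: http.client parses and normalises headers, hiding exactly the typos we want.
    (Wrap the socket with ssl.create_default_context().wrap_socket() for HTTPS.)"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf

# Constructed sample scan (RFC 5737 documentation addresses; not real scan data).
NGINX = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
         b"Content-Type: text/html\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n")
NO_OWS = b"HTTP/1.1 200 OK\r\nServer:Apache\r\nContent-Type:text/html\r\nContent-Length:0\r\n\r\n"
TRAILING = b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n"
TYPO = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Lenght: 0\r\nContent-Type: text/html\r\n\r\n"
SCAN = {
    "192.0.2.1": NGINX, "192.0.2.2": NGINX, "192.0.2.3": NGINX,
    "192.0.2.4": NO_OWS, "192.0.2.5": NO_OWS, "192.0.2.6": NO_OWS, "192.0.2.7": NO_OWS,
    "198.51.100.8": TRAILING, "198.51.100.9": TYPO,
}

if __name__ == "__main__":
    for tag, hosts in rare_anomalies(SCAN).items():
        print(f"{tag}: {', '.join(hosts)}")
```

Run as a script, it reports the two rare anomalies in the constructed scan (the trailing-space status line and the `Content-Lenght` typo) with their hosts, while the missing-space-after-colon quirk shared by four of the nine hosts is filtered out as widespread. For live auditing of your own ranges, pass `probe(host)` output to `fingerprint()`; the raw socket is deliberate, because a parsing HTTP client would normalise header names and hide the very typos being hunted.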
## Related Tools/Techniques
- **JARM Fingerprinting:** Active TLS server fingerprinting.
- **HTTP/2 Fingerprinting:** Identifying HTTP/2 endpoints from the parameters they advertise in SETTINGS frames and the window sizes they use.
- **Banner Grabbing:** Traditional service identification which this technique refines.