part II

Published: 2007-11-09
Last Updated: 2007-11-11 01:57:16 UTC
by Mark Hofman (Version: 2)


The list of infected devices is still growing; we're now at 66K links in Google for the scripts. Will it get to the 200K-plus numbers we saw with the Super Bowl? has now been confirmed as containing malicious content, and you can add to the list which also belongs to the same group.

From the whois records it looks like the domain is refreshed daily, which tends to indicate that they are not paying for it, but are using a registrar where you can start using the domain immediately and pay later. In this case the "pay later" part is probably not happening. If I were the registrar I might get miffed with people registering the same domain on a daily basis and never paying, but then that's me.

If you like IP numbers, then today the IPs to block for your web users are &

Nov 9

As handlers we tend to have a tiny stubborn streak. No really, we do, just ask our respective partners, they'll confirm it. So in the fine tradition of "I wonder what else is going on" I dug a little bit further.

The more I looked the more familiar it seemed. Remember the Super Bowl infection back in February? Mass defacement using SQL injection, downloading a file (although almost everything does that nowadays), the script is #.js, etc. It all sounded a bit the same. So was there a link?

Seems there might be at that. There are various sites that will let you have a look and see what other sites are or were hosted on a particular IP address. The address that points at shows that other web sites hosted on the same server as are:

  •
  •
  •

A quick google will show you that  and  were used in the Super Bowl defacements. The warcraft site might be legit, but so far it is three against one on the server.

When you look at the title of the site you will find a reference to the domain (remember ANI?)

Following the yellow brick road on  you end up adding to the counter hosted in the domain, strangely familiar from both the Super Bowl and ANI issues earlier this year. So it would seem that there may be a link.

The good news so far is that the executable being downloaded seems to be detected by most AV products. The sad news is that when I checked the other day the number of infected sites was about 30K, and now it is about 52K sites.

If you use URL blockers in your organisation, then you may want to block the four domains; your users will be protected for at least the next little while.


Mark  H - Shearwater


Search engines that are no search engines

Published: 2007-11-09
Last Updated: 2007-11-09 15:53:19 UTC
by Johannes Ullrich (Version: 1)
The DShield database was running a bit "hot" earlier today, so I took a closer look at the web log and found that one particular "search engine" was indexing the site rather aggressively:

a.b.c.d - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html?date=2007-11-09 HTTP/1.0" 200 500572 "-" "gsa-crawler (Enterprise; S5-FTNF3BWZPUJAS;" "-"

At first, I thought "oh well, it's Google". But looking closer at the user agent string reveals some subtle differences. This is a Google Search Appliance, not the uber-google-bot we all love. The regular Google bot looks like this:

- - [09/Nov/2007:15:24:37 +0000] "GET /date.html?port=47109&date=2007-10-25 HTTP/1.1" 200 7538 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +" "-"

I have seen similar cases a few times now. While this one was not malicious, in some cases attackers have used Google's (or other search engines') user agent strings. I can only assume that this is an attempt to fit in better, and maybe to retrieve the search-engine version of the page. If anybody knows a good reference for the IP address ranges used by certain search engines: let us know.
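The two log lines above differ only in the user agent field, so telling a Google Search Appliance apart from Googlebot, and telling a real Googlebot apart from something merely claiming to be one, is a log-parsing job plus a DNS check. The following is an added example (not code from the diary or from DShield) that parses combined-format log lines, classifies the user agent, and applies the check Google itself documents for its crawler: the client IP's reverse DNS name must end in googlebot.com or google.com, and that name must resolve forward to the same IP. The sample log lines, the RFC 5737 addresses, the gsa-crawler contact address and the offline DNS answer tables are all constructed for the example; `live_reverse` and `live_forward` use the standard `socket` module if you want to run it against real logs.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Apache/nginx "combined" log line. The diary's lines carry one extra trailing
# "-" field; the pattern simply stops before it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (RFC 5737 documentation addresses; the gsa-crawler
# contact address is a made-up placeholder, not a real one).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html?date=2007-11-09 HTTP/1.0" 200 500572 "-" "gsa-crawler (Enterprise; S5-FTNF3BWZPUJAS; crawler-admin@example.com)" "-"
198.51.100.7 - - [09/Nov/2007:15:24:37 +0000] "GET /date.html?port=47109&date=2007-10-25 HTTP/1.1" 200 7538 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
192.0.2.99 - - [09/Nov/2007:15:25:01 +0000] "GET /date.html?port=22&date=2007-10-25 HTTP/1.1" 200 7101 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
192.0.2.50 - - [09/Nov/2007:15:25:05 +0000] "GET /index.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)" "-"
"""

# Reverse-DNS suffixes Google documents for its own crawler.
GOOGLEBOT_SUFFIXES = ("googlebot.com", "google.com")

Resolver = Callable[[str], Optional[str]]   # ip -> PTR name (or None)
Forward = Callable[[str], List[str]]        # hostname -> list of A records

# Constructed offline DNS answers: only 198.51.100.7 has a PTR that points
# back into googlebot.com and forward-resolves to itself.
OFFLINE_PTR = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com."}
OFFLINE_A = {"crawl-198-51-100-7.googlebot.com": ["198.51.100.7"]}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua: str) -> str:
    """Separate Google's crawler from a customer-owned Google Search Appliance."""
    if ua.startswith("gsa-crawler"):
        return "gsa-appliance"   # the appliance, not a google.com crawler
    if "Googlebot" in ua:
        return "googlebot"
    return "other"


def verify_googlebot(ip: str, reverse: Resolver, forward: Forward) -> bool:
    """Google's published check: PTR name ends in googlebot.com or google.com
    and that name resolves forward to the same address."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not any(host == s or host.endswith("." + s) for s in GOOGLEBOT_SUFFIXES):
        return False
    return ip in forward(host)


def audit_log(text: str, reverse: Resolver, forward: Forward) -> List[Tuple[str, str, str]]:
    """Return (ip, ua_class, verdict) per parsable line. Verdict is
    'verified', 'impersonation', 'appliance' or 'n/a'."""
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_ua(rec["ua"])
        if kind == "googlebot":
            ok = verify_googlebot(rec["ip"], reverse, forward)
            verdict = "verified" if ok else "impersonation"
        elif kind == "gsa-appliance":
            verdict = "appliance"
        else:
            verdict = "n/a"
        rows.append((rec["ip"], kind, verdict))
    return rows


def offline_audit() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample with the offline DNS tables."""
    return audit_log(SAMPLE_LOG, OFFLINE_PTR.get, lambda h: OFFLINE_A.get(h, []))


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(host: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


if __name__ == "__main__":
    for row in offline_audit():
        print(row)
```

The appliance is reported separately rather than as an impersonation because its user agent is honest about what it is; the decision to throttle it is a capacity question, not a security one. Only a line that claims to be Googlebot and fails the two-way DNS check is marked as impersonation, which is the case the diary describes.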

(and btw... if you need bulk access to DShield data, please ask. Spidering the site is just not very efficient, and you will run into some anti-harvesting traps that send you in circles.)

Johannes B. Ullrich
Chief Research Officer, SANS Technology Institute
