37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone?

Published: 2013-09-12
Last Updated: 2013-09-12 23:53:49 UTC
by Daniel Wesemann (Version: 1)
7 comment(s)

It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated to them, all of the format as shown below

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be

bizgo is not the only domain used, there are many, but currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult - by the time you have grabbed a sample and are running it in the sandbox, well, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example

https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/
https://malwr.com/analysis/NWFiMGYxY2E1MzVhNDkxOGIxNDAzNTQ4ODNkODU5ZjQ/

and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threat SID 2015475 for a Blackhole landing page.

If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.

 

Keywords: malware
7 comment(s)
ISC StormCast for Thursday, September 12th 2013 http://isc.sans.edu/podcastdetail.html?id=3533

Comments


Diary Archives