ISC StormCast for Monday, July 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4585

Angler's best friends

Published: 2015-07-27. Last Updated: 2015-07-27 01:20:36 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

Nope, not the kind of angler whose best friends are rubber boots, strings tied into "flies", or a tape measure that starts with "5inches" where others have a zero. This is about the "Angler Exploit Kit", which currently makes rampant use of the recent Adobe Flash "zero-days" to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.

Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to "test the waters" at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the "main" Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.

Amazingly, they seem to get away with this - staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their "Cloud", including the ability to "spin up your image in any of our 20 data centers around the globe within a matter of seconds", this isn't really surprising. But it sure is highly unwelcome from a malware fighting point of view.  We used to hate the "fast flux" domain name switcheroo, but now increasingly we're getting "fast instance", where the exploit hosting site itself moves every hour or two.

The statistics from this month also look like it takes the average hoster/provider about a week to "catch on" that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data - it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.

Without further ado, here's an excerpt from the list of Angler hosting sites that we've observed recently.

July 1	148.251.167.57		Hetzner Online AG, Germany
July 1  148.251.167.107		Hetzner Online AG, Germany
July 8  176.9.245.141		Hetzner Online AG, Germany
July 9  176.9.245.140		Hetzner Online AG, Germany
July 10 176.9.245.142		Hetzner Online AG, Germany
July 12 176.9.245.142		Hetzner Online AG, Germany
July 14	206.190.134.189		Westhost Salt Lake City, USA
July 15 185.48.58.51		Sinarohost, Netherlands
July 16 206.190.134.188		Westhost Salt Lake City, USA
July 16 206.190.134.190		Westhost Salt Lake City, USA
July 17 69.162.90.107		Limestone Networks, Dallas, USA
July 19 69.162.64.156		Limestone Networks, Dallas, USA
July 20 69.162.116.123		Limestone Networks, Dallas, USA
July 20 185.43.223.165		Wibo/Hostlife, Netherlands and Czech Republic
July 21 69.162.116.125		Limestone Networks, Dallas, USA
July 23 216.245.213.141		Limestone Networks, USA and Ntherlands	
July 23 69.162.86.36		Limestone Networks, Dallas, USA
July 23 69.162.64.158		Limestone Networks, Dallas, USA
July 24	216.245.213.138		Limestone Networks, USA and Ntherlands	
July 24 185.43.223.164		Wibo/Hostlife, Netherlands and Czech Republic
July 25 185.43.223.162		Wibo/Hostlife, Netherlands and Czech Republic

Now, of course, I'm not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:

- checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
- correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?

Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the "from_server" flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?

Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road...), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.

 

3 comment(s)

Comments


Diary Archives