37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone?

Published: 2013-09-12
Last Updated: 2013-09-12 23:53:49 UTC
by Daniel Wesemann (Version: 1)
7 comment(s)

It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated to them, all of the format as shown below

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be

bizgo is not the only domain used, there are many, but currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult - by the time you have grabbed a sample and are running it in the sandbox, well, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example

https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/
https://malwr.com/analysis/NWFiMGYxY2E1MzVhNDkxOGIxNDAzNTQ4ODNkODU5ZjQ/

and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threat SID 2015475 for a Blackhole landing page.

If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.

 

Keywords: malware
7 comment(s)

Comments

Some OSINT http://pastebin.com/6Ajv9B0K
Hope can be of some help
I have a few machines that were communicating to some off these IPs. Here is some traffic I was seeing:

GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&eBj(hMrns_=)5a_89.58.8a!5a(56)5d_56.58.8a&TYT7HY8-06L3xo8=(55&L)I(-dnrT=1dpBUj78X&zFxgn7nAeP=eUN3ky HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923

GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923
itechpreneurs.com 37.58.73.40 - 37.58.73.47 SofLay-RIPE? A record points to datingbay.us
GC-SERVER.EU 95.156.228.0 - 95.156.228.127 routing 0/22 via interwerk.de (fails on b.barracudacentral.org RBL lookup)
Multiple AS --- AS196878 (95.156.192.0/18) and AS197071 (95.156.228.0/22) both descriptors: "Marcel Edler trading as Optimate-Server"
syntis.net 195.210.42.0 - 195.210.43.255 (resolves DNS hostname to nematis1.model-fx.com. )

Source: BGP announces
Oddly enough, WebSense gave the IP's and domain names a pass as either uncategorized or Information technology.
(time for a defense in depth demo in realtime?)
All of the root domain names used (mostly b*.be, but some others mixed in too) appear to use the same set of nameservers:
ns1.speedpacket[.]com
ns2.speedpacket[.]com

Compromised nameservers perhaps?

Looks like most of these are redirections from injected and obfuscated js embedded in legit but compromised sites. Looks like its static - or at least it doesn't care if I just wget the page with no special referer required.
Dig trace says:
from root to *.ns.dns.be
then ns*.speedpacket.be
to finally reach ns*.speedpacket.com
Bit of recursion going on there?? (151.236.32.0/19 and A records seem unrelated?)
92.48.64.0/18 is described as the same provider
Fresh info in Dynamoo's blog: http://blog.dynamoo.com/2013/09/speedpacket-cookiebomb-and-something.html

Diary Archives