37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone?
It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated with them, all of the format shown below:
byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be
bizgo is not the only domain used; there are many, currently concentrated in *.be. The host names appear to be time-based and are only valid for the briefest of instants. This makes manual analysis somewhat difficult: by the time you have grabbed a sample and are running it in the sandbox, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example
https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/
https://malwr.com/analysis/NWFiMGYxY2E1MzVhNDkxOGIxNDAzNTQ4ODNkODU5ZjQ/
and both suggest that a Trojan Downloader is coming from this IP, but otherwise the analysis didn't get very far. For the traffic that one of our sensors captured, the requested file path was /i/last/index.php, which matches Emerging Threats SID 2015475 for a Blackhole landing page.
If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.
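As an added example (not part of the diary), the script below applies the traits described above to raw HTTP requests like the ones posted in the comments: the /i/last/index.php landing path, a long leftmost host label ending in a run of hex digits, and the Java user-agent. The length thresholds and the sample requests are assumptions constructed to fit the samples shown, not a published signature.

```python
import re

# Traits taken from the diary: the /i/last/index.php landing path (ET SID 2015475) and
# the long, time-based leftmost host label ending in a run of hex digits. The numeric
# thresholds are assumptions chosen to fit the samples above, not published rules.
LANDING_PATH = "/i/last/index.php"
LONG_LABEL = re.compile(r"^[a-z0-9]{40,}$")
HEX_TAIL = re.compile(r"[0-9a-f]{24,}$")

def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into method, target, headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def suspicious_host(host):
    """True when the leftmost label looks like the throw-away names from the diary."""
    label = host.split(".")[0].lower()
    return bool(LONG_LABEL.match(label) and HEX_TAIL.search(label))

def classify(raw):
    """Return host, bare path and the list of matching traits (empty list = nothing seen)."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    path = target.split("?", 1)[0]          # drop the query string before comparing
    reasons = []
    if suspicious_host(host):
        reasons.append("long hex-tailed hostname label")
    if path == LANDING_PATH:
        reasons.append("path matches Blackhole landing page (ET SID 2015475)")
    if "Java/" in headers.get("user-agent", ""):
        reasons.append("Java user-agent, as in the captured requests")
    return {"host": host, "path": path, "reasons": reasons}

# Constructed sample input modelled on the requests posted in the comments (not real traffic).
SAMPLE_HIT = (
    "GET /i/last/index.php?ab=cd&ef=gh HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24\r\n"
    "Host: qz4lp7mw2ckt9ab0123456789abcdef0123456789abcdef.example.invalid\r\n"
    "Connection: keep-alive\r\n"
)
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_HIT, SAMPLE_BENIGN):
        print(classify(raw))
```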
Comments
Hope this can be of some help
Anonymous
Sep 12th 2013
GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&eBj(hMrns_=)5a_89.58.8a!5a(56)5d_56.58.8a&TYT7HY8-06L3xo8=(55&L)I(-dnrT=1dpBUj78X&zFxgn7nAeP=eUN3ky HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923
GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923
Anonymous
Sep 12th 2013
GC-SERVER.EU 95.156.228.0 - 95.156.228.127 routing 0/22 via interwerk.de (fails on b.barracudacentral.org RBL lookup)
Multiple AS --- AS196878 (95.156.192.0/18) and AS197071 (95.156.228.0/22) both descriptors: "Marcel Edler trading as Optimate-Server"
syntis.net 195.210.42.0 - 195.210.43.255 (resolves DNS hostname to nematis1.model-fx.com. )
Source: BGP announcements
Anonymous
Sep 12th 2013
(time for a defense in depth demo in realtime?)
Anonymous
Sep 12th 2013
ns1.speedpacket[.]com
ns2.speedpacket[.]com
Compromised nameservers perhaps?
Looks like most of these are redirections from injected and obfuscated js embedded in legit but compromised sites. Looks like it's static - or at least it doesn't care if I just wget the page with no special referer required.
Anonymous
Sep 12th 2013
from root to *.ns.dns.be
then ns*.speedpacket.be
to finally reach ns*.speedpacket.com
Bit of recursion going on there?? (151.236.32.0/19 and A records seem unrelated?)
92.48.64.0/18 is described as the same provider