Suspicious IP Addresses Avoided by Malware Samples

Published: 2023-07-26. Last Updated: 2023-07-26 05:49:03 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst's job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware samples written in Python that have these built-in capabilities. One of them is the detection of “suspicious” IP addresses.

The last one I found has the SHA256 9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b with a VT score of 8/57[1].

Here is a common code snippet:

import sys
import urllib.request

def exit_program(reason):
    # Helper called by the sample; its body is not part of the snippet shown, so this
    # minimal version (print and exit) is an assumption added to make the code runnable
    print(reason)
    sys.exit(1)

def check_ip():
    blacklisted = { ... }   # hard-coded set of "suspicious" public IP addresses (see list below)
    while True:
        try:
            # Ask an external service for the public IP address of the host
            ip = urllib.request.urlopen('https://checkip.amazonaws.com').read().decode().strip()
            if ip in blacklisted:
                exit_program('Blacklisted IP Detected')
            return
        except:
            # Any error (no network, lookup failure) is swallowed and the query is retried forever
            pass

The malware will query the public IP address of the host where it is running and, if it is present on the “blacklisted” list, it will exit… But what are these IP addresses? I had a look at them and here is the list:
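A triage script, added here as an example and not taken from the sample or the diary, that flags this evasion pattern statically: it walks the AST of a Python source, looks for a URL pointing at a public-IP lookup service (only checkip.amazonaws.com from the diary is listed; the set is an assumption to extend) next to a set of hard-coded IPv4 literals, and reports them defanged. The embedded sample is constructed to mimic the snippet above.

```python
import ast
import ipaddress

# Constructed sample that mimics the snippet in the diary (not the real malware file).
SAMPLE = '''
import urllib.request
def check_ip():
    blacklisted = {"34.105.183.68", "23.128.248.46", "203.0.113.9"}
    while True:
        try:
            ip = urllib.request.urlopen("https://checkip.amazonaws.com").read().decode().strip()
            if ip in blacklisted:
                exit_program("Blacklisted IP Detected")
            return
        except:
            pass
'''

# Public-IP lookup services to flag. Only the one from the diary is listed (assumption:
# extend it with the services you see in your own samples).
LOOKUP_HOSTS = {"checkip.amazonaws.com"}


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def scan_source(source):
    """Walk the AST and collect lookup URLs and hard-coded IPv4 string constants."""
    lookup_urls, embedded = [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(host in node.value for host in LOOKUP_HOSTS):
                lookup_urls.append(node.value)
            elif _is_ipv4(node.value):
                embedded.add(node.value)
    return lookup_urls, sorted(embedded, key=ipaddress.IPv4Address)


def triage(source):
    """Verdict: a public-IP lookup next to an embedded IP set is the evasion pattern."""
    urls, ips = scan_source(source)
    return {
        "lookup_urls": urls,
        "ip_count": len(ips),
        "defanged": [ip.replace(".", "[.]") for ip in ips],  # safe to paste in a report
        "evasion_pattern": bool(urls) and bool(ips),
    }
```

Run it over extracted Python payloads (or the decompiled output of a PyInstaller-packed sample) and diff the reported IP sets between samples to track changes in the list.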

IP Address | PTR Record | AS Name | AS Country | Attacks (ISC) | Count (ISC)
20[.]99[.]160[.]173 | NXDOMAIN | MICROSOFT-CORP-MSN-AS-BLOCK | US | 0 | 0
23[.]128[.]248[.]46 | tor-exit46[.]stormycloud[.]org | DATAIDEAS-LLC | US | 0 | 0
34[.]105[.]0[.]27 | 27[.]0[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]105[.]183[.]68 | 68[.]183[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 21 | 32
34[.]105[.]72[.]241 | 241[.]72[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]138[.]96[.]23 | 23[.]96[.]138[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]141[.]146[.]114 | 114[.]146[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 19 | 28
34[.]141[.]245[.]25 | 25[.]245[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 35 | 51
34[.]142[.]74[.]220 | 220[.]74[.]142[.]34[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
34[.]145[.]195[.]58 | 58[.]195[.]145[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]145[.]89[.]174 | 174[.]89[.]145[.]34[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
34[.]253[.]248[.]228 | ec2-34-253-248-228[.]eu-west-1[.]compute[.]amazonaws[.]com | AMAZON-02 | US | 0 | 0
34[.]83[.]46[.]130 | 130[.]46[.]83[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]243[.]241 | 241[.]243[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]253[.]170 | 170[.]253[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
35[.]192[.]93[.]107 | 107[.]93[.]192[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]199[.]6[.]13 | 13[.]6[.]199[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]229[.]69[.]227 | 227[.]69[.]229[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]237[.]47[.]12 | 12[.]47[.]237[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
64[.]124[.]12[.]162 | 64[.]124[.]12[.]162[.]IDIA-144793-004-ZYO[.]zip[.]zayo[.]com | ZAYO-6461 | US | 0 | 0
78[.]139[.]8[.]50 | catv-78-139-8-50[.]catv[.]fixed[.]vodafone[.]hu | ASN-VODAFONE- | HU | 0 | 0
79[.]104[.]209[.]33 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
80[.]211[.]0[.]97 | host97-0-211-80[.]serverdedicati[.]aruba[.]it | ARUBA-ASN | IT | 0 | 0
84[.]147[.]54[.]113 | p54933671[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
84[.]147[.]62[.]12 | p54933e0c[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
87[.]166[.]50[.]213 | p57a632d5[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
88[.]132[.]225[.]100 | host-88-132-225-100[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]226[.]203 | host-88-132-226-203[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]227[.]238 | host-88-132-227-238[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]231[.]71 | host-88-132-231-71[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]153[.]199[.]169 | ip-088-153-199-169[.]um27[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]109[.]160 | ipservice-092-211-109-160[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]192[.]144 | ipservice-092-211-192-144[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]52[.]62 | ipservice-092-211-052-062[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]55[.]199 | ipservice-092-211-055-199[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
93[.]216[.]75[.]209 | p5dd84bd1[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
95[.]25[.]204[.]90 | 95-25-204-90[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
95[.]25[.]81[.]24 | 95-25-81-24[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
104[.]18[.]12[.]38 | NXDOMAIN | CLOUDFLARENET | US | 0 | 0
109[.]145[.]173[.]169 | host109-145-173-169[.]range109-145[.]btcentralplus[.]com | BT-UK-AS BTnet UK Regional network | GB | 0 | 0
109[.]74[.]154[.]90 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]91 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]92 | SERVFAIL | VNET-AS | SK | 0 | 0
178[.]239[.]165[.]70 | 70[.]165[.]239[.]178[.]baremetal[.]zare[.]com | BANDWIDTH-AS | GB | 1 | 1
188[.]105[.]91[.]116 | dslb-188-105-091-116[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]143 | dslb-188-105-091-143[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]173 | dslb-188-105-091-173[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
192[.]211[.]110[.]74 | NXDOMAIN | DNIC-ASBLK-00721-00726 | US | 0 | 0
192[.]40[.]57[.]234 | NXDOMAIN | PERFORMIVE | US | 0 | 0
192[.]87[.]28[.]103 | 192[.]87[.]28[.]103[.]dyn[.]centr[.]nl | SURFNET-NL SURFnet, The Netherlands | NL | 1 | 1
193[.]128[.]114[.]45 | h193-128-114-45[.]ptr[.]roamsite[.]com | UUNET | US | 0 | 0
193[.]225[.]193[.]201 | NXDOMAIN | HBONE-AS KIFU | HU | 0 | 0
194[.]154[.]78[.]160 | SERVFAIL | SOVAM-AS | RU | 0 | 0
195[.]181[.]175[.]105 | unn-195-181-175-105[.]datapacket[.]com | CDN77 ^_^ | GB | 0 | 0
195[.]239[.]51[.]3 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]239[.]51[.]59 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]74[.]76[.]222 | r-222[.]76[.]74[.]195[.]ptr[.]avast[.]com | AVAST-AS-DC | CZ | 0 | 0
212[.]119[.]227[.]151 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
212[.]119[.]227[.]167 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
213[.]33[.]142[.]50 | mail[.]areal-hotel[.]ru | SOVAM-AS | RU | 0 | 0

Most of these IP addresses belong to major cloud providers. You can also see that some of them have a non-zero number of attacks/counts (results extracted from our API[2]). Most of them are probably sandboxes or analysis systems deployed by security companies or researchers. I did a quick nmap scan of them and most do not expose any port/service.

In the case above, the IP address verification is not performed to detect whether the computer is an interesting host to infect (the classic scenario where country "x" would like to attack country "y"). In such a scenario, the tests performed rely on the large IP pools used by Internet providers, the keyboard mapping, the OS language, etc.

I will keep this list of IP addresses up to date across my discovered samples and see if there are big changes.

[1] https://www[.]virustotal[.]com/gui/file/9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b
[2] https://isc.sans.edu/api/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Comments

It is hard to block the IP list as you mentioned; most of those belong to the cloud platforms, and blocking those IP addresses means that the malware can change them at any time.
In your experience, could an AI monitoring tool be effective to detect and protect against this kind of behaviour?

Appears to overlap with Skuld, analyzed by Trellix, right?
https://www.trellix.com/en-ca/about/newsroom/stories/research/skuld-the-infostealer-that-speaks-golang.html

We found similar behavior from a phishing attempt in an O365 JavaScript credential stealer a few days ago: https://www.virustotal.com/gui/file/a7764ca070c1990235a51447a2a743b89f55cd63a27f3f0086cd50584f62ebea/community. VT scored 0/59 on this sample.
