Last Updated: 2015-07-27 01:20:36 UTC
by Daniel Wesemann (Version: 1)
Nope, not the kind of angler whose best friends are rubber boots, strings tied into "flies", or a tape measure that starts with "5inches" where others have a zero. This is about the "Angler Exploit Kit", which currently makes rampant use of the recent Adobe Flash "zero-days" to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.
Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to "test the waters" at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the "main" Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.
Amazingly, they seem to get away with this - staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their "Cloud", including the ability to "spin up your image in any of our 20 data centers around the globe within a matter of seconds", this isn't really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the "fast flux" domain name switcheroo, but now increasingly we're getting "fast instance", where the exploit hosting site itself moves every hour or two.
The statistics from this month also look like it takes the average hoster/provider about a week to "catch on" that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data - it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.
Without further ado, here's an excerpt from the list of Angler hosting sites that we've observed recently.
July 1 220.127.116.11 Hetzner Online AG, Germany July 1 18.104.22.168 Hetzner Online AG, Germany July 8 22.214.171.124 Hetzner Online AG, Germany July 9 126.96.36.199 Hetzner Online AG, Germany July 10 188.8.131.52 Hetzner Online AG, Germany July 12 184.108.40.206 Hetzner Online AG, Germany July 14 220.127.116.11 Westhost Salt Lake City, USA July 15 18.104.22.168 Sinarohost, Netherlands July 16 22.214.171.124 Westhost Salt Lake City, USA July 16 126.96.36.199 Westhost Salt Lake City, USA July 17 188.8.131.52 Limestone Networks, Dallas, USA July 19 184.108.40.206 Limestone Networks, Dallas, USA July 20 220.127.116.11 Limestone Networks, Dallas, USA July 20 18.104.22.168 Wibo/Hostlife, Netherlands and Czech Republic July 21 22.214.171.124 Limestone Networks, Dallas, USA July 23 126.96.36.199 Limestone Networks, USA and Ntherlands July 23 188.8.131.52 Limestone Networks, Dallas, USA July 23 184.108.40.206 Limestone Networks, Dallas, USA July 24 220.127.116.11 Limestone Networks, USA and Ntherlands July 24 18.104.22.168 Wibo/Hostlife, Netherlands and Czech Republic July 25 22.214.171.124 Wibo/Hostlife, Netherlands and Czech Republic
Now, of course, I'm not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:
- checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
- correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?
Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the "from_server" flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?
Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road...), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.