Victim of its own success and (ab)used by malwares

Published: 2015-10-28
Last Updated: 2015-10-28 14:26:12 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

This morning, I faced an interesting case. We were notified that one of our computers was doing potentially malicious HTTP requests. The malicious URL was: api.wipmania.com. We quickly checked and detected to many hosts were sending requests to this API. It is a website hosted in France which provides geolocalisation services via a text/json/xml API. The usage is pretty quick and easy:

xavier@vps2$ curl http://api.wipmania.com/<ip_address>
BE

You provide an IP address and it returns its 2-letters country code. They provide also a paying version with more features. We investigated deeper and found that one request was indeed performed by a single host using a fake User-Agent. 

GET / HTTP/1.1
Host: api.wipmania.com
User-Agent: Mozilla/4.0

We also found that Snort signatures exist for this online service:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"Host|3A 20|api.wipmania.com|0d 0a|"; http_header; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:7;)
sid-msg.map:2015800 || ET TROJAN Dorkbot GeoIP Lookup to wipmania

I found references to api.wipmania.com in the following malwares:

  • Dorkbot
  • Ruskill

​VT reported 97 occurrences of the domain wipmania.com in malicious files: https://www.virustotal.com/intelligence/search/?query=wipmania.com

Conclusion: if you provide online services and they become popular be careful to not be (ab)used by malwares! It could affect your overall reputation and make you flagged/blocked in black lists.  

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

Keywords:
1 comment(s)
Join us at SANS! Attend Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Xavier Mertens in Online | Central European Time starting Feb 13 2023

Comments

"...be careful to not be (ab)used by malwares! It could affect your overall reputation and make you flagged/blocked in black lists. "

This isn't bad or incorrect advise, but perhaps it's easier said then done. Even if the WipMania operator blacklisted the fake UserAgent string from making requests to its web service, it's already - or at the time of release for these malwares, soon would be - known that the two malwares you mentioned try to use this service; their reputation is impacted, whether they're blocking those requests or not.

Anonymous

Oct 30th 2015
6 years ago

Login here to join the discussion.


Top of page
Diary Archives