Last Updated: 2015-10-28 14:26:12 UTC
by Xavier Mertens (Version: 1)
This morning, I faced an interesting case. We were notified that one of our computers was making potentially malicious HTTP requests. The malicious URL was: api.wipmania.com. We quickly checked and found that too many hosts were sending requests to this API. It is a website hosted in France which provides geolocation services via a text/JSON/XML API. Usage is quick and easy:
You provide an IP address and it returns the 2-letter country code. They also offer a paid version with more features. We investigated further and found that one request was indeed performed by a single host using a fake User-Agent.
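One way to hunt for this pattern in proxy logs, as an added example that is not part of the diary: flag hosts whose request to api.wipmania.com carries a User-Agent they never use on their other traffic. The log layout and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Domain named in the diary; everything else below is constructed for illustration.
WATCHED_DOMAIN = "api.wipmania.com"

# Assumed log layout (constructed, not a real proxy format): client_ip method url "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines: 10.0.0.7 queries the API with a User-Agent it never uses elsewhere,
# 10.0.0.9 has no other traffic to compare against, 10.0.0.5 looks like ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
10.0.0.5 GET http://api.wipmania.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
10.0.0.7 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
10.0.0.7 GET http://api.wipmania.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 GET http://api.wipmania.com/ "curl/7.43.0"
"""

def parse(log_text):
    """Yield (client_ip, host, user_agent) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = re.sub(r'^\w+://', '', m.group('url')).split('/')[0]
        yield m.group('ip'), host, m.group('ua')

def find_suspicious_lookups(log_text, domain=WATCHED_DOMAIN):
    """Return {client_ip: [(user_agent, reason), ...]} for requests to `domain`
    whose User-Agent differs from everything the same client sends elsewhere."""
    baseline = defaultdict(set)   # client -> User-Agents seen on non-API traffic
    api_requests = []             # (client, ua) pairs for the watched domain
    for ip, host, ua in parse(log_text):
        if host == domain:
            api_requests.append((ip, ua))
        else:
            baseline[ip].add(ua)
    findings = defaultdict(list)
    for ip, ua in api_requests:
        if ip not in baseline:
            findings[ip].append((ua, "no other traffic from host to compare against"))
        elif ua not in baseline[ip]:
            findings[ip].append((ua, "User-Agent never seen on host's other traffic"))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in find_suspicious_lookups(SAMPLE_LOG).items():
        for ua, reason in hits:
            print(f"{ip}: {reason} (UA: {ua})")
```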
We also found that Snort signatures exist for this online service:
I found references to api.wipmania.com in the following malware:
VT reported 97 occurrences of the domain wipmania.com in malicious files: https://www.virustotal.com/intelligence/search/?query=wipmania.com
Conclusion: if you provide online services and they become popular, be careful not to be (ab)used by malware! It could affect your overall reputation and get you flagged/blocked on blacklists.
ISC Handler - Freelance Security Consultant