Victim of its own success and (ab)used by malware

Published: 2015-10-28
Last Updated: 2015-10-28 14:26:12 UTC
by Xavier Mertens (Version: 1)
This morning, I faced an interesting case. We were notified that one of our computers was making potentially malicious HTTP requests. The malicious URL was: We quickly checked and found that many hosts were sending requests to this API. It is a website hosted in France which provides geolocation services via a text/JSON/XML API. The usage is quick and easy:

xavier@vps2$ curl <ip_address>

You provide an IP address and it returns its 2-letter country code. They also provide a paid version with more features. We investigated further and found that one request was indeed performed by a single host using a fake User-Agent:

GET / HTTP/1.1
User-Agent: Mozilla/4.0

We also found that Snort signatures exist for this online service:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"Host|3A 20||0d 0a|"; http_header; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a||0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:7;)
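The two rules above differ in one important way: the policy rule fires on any request whose Host header names the lookup service, while the Dorkbot rule additionally requires the fixed `User-Agent: Mozilla/4.0` header to sit immediately before the Host header and the whole match to fall within the first 49 bytes of the header buffer (`depth:49`). The following Python is an added example, not part of the diary or of the Emerging Threats rules; it re-implements that matching logic over raw request bytes so the effect of header ordering and depth can be tested offline. The hostname `geoip.example` is a placeholder, since the diary elides the real one, and the sample requests are constructed, not captured traffic.

```python
"""Re-implementation of the two ET rules quoted in the diary as a small
classifier over raw HTTP request bytes (added example, placeholder hostname)."""
from typing import Dict, Optional

# Placeholder for the lookup service's hostname (the diary elides it);
# substitute the Host value from your own copy of the rules.
LOOKUP_HOST = b"geoip.example"

# sid 2014304 (ET POLICY): Host header naming the service, anywhere in the headers.
POLICY_CONTENT = b"Host: " + LOOKUP_HOST + b"\r\n"
# sid 2015800 (ET TROJAN): fixed User-Agent immediately followed by that Host
# header, with the entire match inside the first 49 bytes of the header buffer.
TROJAN_CONTENT = b"User-Agent: Mozilla/4.0\r\n" + POLICY_CONTENT
TROJAN_DEPTH = 49


def http_header_buffer(raw_request: bytes) -> bytes:
    """Approximate Snort's http_header buffer: the header lines that follow the
    request line, each terminated by CRLF, without the body."""
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return b"".join(line + b"\r\n" for line in lines[1:])


def content_match(buf: bytes, content: bytes, depth: Optional[int] = None) -> bool:
    """Snort-style 'content' match without 'nocase': case-sensitive, and when a
    depth is given the pattern must lie entirely within the first `depth` bytes."""
    idx = buf.find(content)
    if idx == -1:
        return False
    return depth is None or idx + len(content) <= depth


def classify(raw_request: bytes) -> Optional[str]:
    """Return the sid of the most specific rule that fires, or None."""
    buf = http_header_buffer(raw_request)
    if content_match(buf, TROJAN_CONTENT, TROJAN_DEPTH):
        return "sid:2015800 ET TROJAN Dorkbot GeoIP Lookup"
    if content_match(buf, POLICY_CONTENT):
        return "sid:2014304 ET POLICY External IP Lookup Attempt"
    return None


# Constructed sample requests for testing (not real captures).
SAMPLES: Dict[str, bytes] = {
    # Minimal bot-style request: User-Agent first, Host second, nothing else.
    "dorkbot_like": (b"GET / HTTP/1.1\r\n"
                     b"User-Agent: Mozilla/4.0\r\n"
                     b"Host: geoip.example\r\n\r\n"),
    # A browser-style request to the same service: policy hit only.
    "browser_like": (b"GET / HTTP/1.1\r\n"
                     b"Host: geoip.example\r\n"
                     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
                     b"Accept: */*\r\n\r\n"),
    # Same two headers, but preceded by others: the match ends past byte 49,
    # so depth:49 suppresses the trojan rule and only the policy rule fires.
    "same_headers_reordered": (b"GET / HTTP/1.1\r\n"
                               b"Accept: */*\r\n"
                               b"Connection: keep-alive\r\n"
                               b"User-Agent: Mozilla/4.0\r\n"
                               b"Host: geoip.example\r\n\r\n"),
    # Same fake User-Agent but a different Host: neither rule fires.
    "unrelated": (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n"),
}


def run_samples() -> Dict[str, Optional[str]]:
    """Classify every constructed sample and return the verdicts by name."""
    return {name: classify(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The `same_headers_reordered` sample is the instructive one: the bytes the trojan rule looks for are all present, but because they no longer start near the top of the header block the `depth:49` constraint keeps the Dorkbot signature quiet and only the policy rule fires, which is exactly the distinction between "someone on the network looked up their external IP" and "a request shaped like the malware's hard-coded one".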

I found references to in the following malware:

  • Dorkbot
  • Ruskill

VT reported 97 occurrences of the domain in malicious files:

Conclusion: if you provide online services and they become popular, be careful not to be (ab)used by malware! It could affect your overall reputation and get you flagged/blocked in blacklists.

Xavier Mertens
ISC Handler - Freelance Security Consultant