Victim of its own success and (ab)used by malware
This morning, I faced an interesting case. We were notified that one of our computers was making potentially malicious HTTP requests. The malicious URL was api.wipmania.com. We quickly checked and detected that many hosts were sending requests to this API. It is a website hosted in France which provides geolocation services via a text/JSON/XML API. The usage is pretty quick and easy:
BE
You provide an IP address and it returns its two-letter country code. They also provide a paid version with more features. We investigated deeper and found that one request was indeed performed by a single host using a fake User-Agent:
Host: api.wipmania.com
User-Agent: Mozilla/4.0
We also found that Snort signatures exist for this online service:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:7;)
sid-msg.map:2015800 || ET TROJAN Dorkbot GeoIP Lookup to wipmania
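To make the rule's matching logic explicit, here is a small Python re-implementation added for this diary (it is not the original post's code and not Snort itself). It applies the same content match to the header block that Snort's http_header buffer covers, honours the depth:49 constraint (the 49-byte pattern must sit at the very start of the headers), and separately tags any other request to the API as a plain lookup, since the service itself is legitimate. The HTTP requests below are constructed samples.

```python
# Content match quoted from the Emerging Threats rule above (sid 2015800).
RULE_CONTENT = b"User-Agent: Mozilla/4.0\r\nHost: api.wipmania.com\r\n"
RULE_DEPTH = 49            # depth:49 -> match must end within the first 49 header bytes
GEOIP_HOST = b"api.wipmania.com"


def http_header_buffer(raw_request: bytes) -> bytes:
    """Return the header block after the request line, like Snort's http_header
    buffer: everything from the first header up to and including the CRLF that
    ends the last header (the blank line itself is excluded)."""
    first_eol = raw_request.find(b"\r\n")
    if first_eol < 0:
        return b""
    start = first_eol + 2
    end = raw_request.find(b"\r\n\r\n", start)
    return raw_request[start:] if end < 0 else raw_request[start:end + 2]


def host_header(headers: bytes) -> bytes:
    """Case-insensitive lookup of the Host header value (empty if absent)."""
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().lower()
    return b""


def classify(raw_request: bytes) -> str:
    """'alert'        -> request satisfies sid 2015800 (content + depth)
       'geoip-lookup' -> talks to the API but does not match the rule
       'clean'        -> unrelated traffic"""
    headers = http_header_buffer(raw_request)
    pos = headers.find(RULE_CONTENT)
    if pos >= 0 and pos + len(RULE_CONTENT) <= RULE_DEPTH:
        return "alert"
    if host_header(headers) == GEOIP_HOST:
        return "geoip-lookup"
    return "clean"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "dorkbot_style": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: api.wipmania.com\r\n\r\n",
    "curl_lookup":   b"GET / HTTP/1.1\r\nHost: api.wipmania.com\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n",
    "extra_header":  b"GET / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0\r\nHost: api.wipmania.com\r\n\r\n",
    "unrelated":     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14s} -> {classify(req)}")
```

The "extra_header" sample shows the depth in action: the same two headers are present, but a preceding Accept header pushes the pattern past byte 49, so the rule does not fire and the request is only reported as a lookup.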
I found references to api.wipmania.com in the following malware families:
- Dorkbot
- Ruskill
VT reported 97 occurrences of the domain wipmania.com in malicious files: https://www.virustotal.com/intelligence/search/?query=wipmania.com
Conclusion: if you provide online services and they become popular, be careful not to be (ab)used by malware! It could affect your overall reputation and get you flagged or blocked on blacklists.
Xavier Mertens
ISC Handler - Freelance Security Consultant