
SANS ISC: 37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone? - SANS Internet Storm Center SANS ISC InfoSec Forums


37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone?

It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated with them, all of the form shown below:

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be

bizgo.be is not the only domain used; there are many, but they are currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult: by the time you have grabbed a sample and are running it in the sandbox, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example:

https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/
https://malwr.com/analysis/NWFiMGYxY2E1MzVhNDkxOGIxNDAzNTQ4ODNkODU5ZjQ/

and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threat SID 2015475 for a Blackhole landing page.

If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.


Daniel

367 Posts
ISC Handler
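One way to triage hostnames of this shape at scale, as an added example that is not the diary's or the ISC sensor code: the heuristic (leftmost label at least 48 characters, purely alphanumeric, ending in a run of at least 24 hex digits), its thresholds, and the benign example.* records are assumptions; the four bizgo.be names and the three IPs are the ones quoted above. Grouping by resolved IP is what makes a few addresses carrying thousands of throwaway names stand out, and the shared label prefix is the static part of the generator's output, a more durable pivot than any single short-lived name.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style records (hostname, resolved IP).  The four
# bizgo.be names and the three IPs are the ones quoted in the diary; the
# example.* records with TEST-NET addresses are made up for contrast.
SAMPLE_RECORDS = [
    ("byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b.bizgo.be", "37.58.73.42"),
    ("byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0.bizgo.be", "37.58.73.42"),
    ("byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d.bizgo.be", "95.156.228.69"),
    ("byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a.bizgo.be", "195.210.43.42"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.org", "198.51.100.7"),
    ("static-assets-01.cdn.example.net", "203.0.113.9"),
]

ALNUM_LABEL = re.compile(r"^[a-z0-9]+$")
HEX_TAIL = re.compile(r"[0-9a-f]+$")   # longest run of hex digits at the end of a label


def suspicious_label(hostname, min_len=48, min_hex_tail=24):
    """True if the leftmost label has the shape seen in the diary: long, purely
    alphanumeric, and ending in a long run of hex digits.  Thresholds are assumed."""
    label = hostname.lower().split(".")[0]
    if len(label) < min_len or not ALNUM_LABEL.match(label):
        return False
    tail = HEX_TAIL.search(label)
    return tail is not None and len(tail.group(0)) >= min_hex_tail


def registered_domain(hostname):
    """Last two labels; a naive stand-in for a public-suffix lookup (enough for .be/.com)."""
    return ".".join(hostname.lower().split(".")[-2:])


def triage(records):
    """Group suspicious hostnames by the IP they resolved to:
    {ip: {"count": n, "domains": {registered domains}}}."""
    by_ip = defaultdict(lambda: {"count": 0, "domains": set()})
    for hostname, ip in records:
        if suspicious_label(hostname):
            by_ip[ip]["count"] += 1
            by_ip[ip]["domains"].add(registered_domain(hostname))
    return dict(by_ip)


def shared_prefix(hostnames):
    """Longest common prefix of the suspicious labels, i.e. the static part
    the generator keeps while the time-based tail changes."""
    labels = [h.lower().split(".")[0] for h in hostnames if suspicious_label(h)]
    if not labels:
        return ""
    prefix = labels[0]
    for label in labels[1:]:
        while not label.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{ip:16} {info['count']:>3} suspicious names  domains={sorted(info['domains'])}")
    print("static label prefix:", shared_prefix([h for h, _ in SAMPLE_RECORDS]))
```

On the four names from the diary the prefix comes out as the first 23 characters (`byqajg2lclo7221tdx511xf`), which is a far better thing to alert on than any of the full hostnames, since each of those is gone within moments.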
Some OSINT http://pastebin.com/6Ajv9B0K
Hope it can be of some help.
Anonymous
I have a few machines that were communicating to some of these IPs. Here is some traffic I was seeing:

GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&eBj(hMrns_=)5a_89.58.8a!5a(56)5d_56.58.8a&TYT7HY8-06L3xo8=(55&L)I(-dnrT=1dpBUj78X&zFxgn7nAeP=eUN3ky HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923

GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923
Anonymous
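Detection logic over that capture, as an added example rather than anything the commenter or the ISC ran: it parses the two requests above (plus a constructed benign one) and reports which indicators each matches. The indicator names and the 48-character host-label threshold are assumptions of the example; the landing path is the one the diary quotes.

```python
import re

# The first two requests are the ones a reader posted in the comment above,
# reproduced as sample input; the third is a constructed benign request.
SAMPLE_REQUESTS = """\
GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&eBj(hMrns_=)5a_89.58.8a!5a(56)5d_56.58.8a&TYT7HY8-06L3xo8=(55&L)I(-dnrT=1dpBUj78X&zFxgn7nAeP=eUN3ky HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923

GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (constructed benign browser)
Host: www.example.net
"""

LANDING_PATH = "/i/last/index.php"   # path quoted in the diary (ET SID 2015475 context)
LONG_LABEL = 48                      # assumed threshold for the throwaway hostnames


def parse_requests(text):
    """Split a capture into blank-line separated requests and parse the request
    line plus headers.  Header names are lower-cased because clients vary the case
    (note the lower-case accept-encoding / content-type in the second request)."""
    requests = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.strip().splitlines()
        method, target, version = lines[0].split(" ", 2)
        path, _, query = target.partition("?")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "path": path, "query": query,
                         "version": version, "headers": headers})
    return requests


def indicators(req):
    """Indicators a single request matches, in a fixed order (empty = nothing seen)."""
    h = req["headers"]
    hits = []
    if req["path"] == LANDING_PATH:
        hits.append("landing-path")
    if len(h.get("host", "").split(".")[0]) >= LONG_LABEL:
        hits.append("long-host-label")       # hostname shape described in the diary
    if "java/" in h.get("user-agent", "").lower():
        hits.append("java-user-agent")       # the Java plugin, not the browser, made the request
    if ("pack200-gzip" in h.get("accept-encoding", "").lower()
            or h.get("content-type", "").lower() == "application/x-java-archive"):
        hits.append("jar-fetch")             # the plugin is pulling a JAR from the same script
    return hits


def scan(text):
    """[(host, [indicators]), ...] for every request in the capture."""
    return [(r["headers"].get("host", ""), indicators(r)) for r in parse_requests(text)]


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_REQUESTS):
        print(f"{host[:40]:40} {', '.join(hits) or '-'}")
```

The second request is the interesting one for a defender: the same script path, but now asked for by the Java plugin with `pack200-gzip` and `application/x-java-archive`, i.e. the landing page has already handed the plugin something to fetch. Matching on that combination rather than on the hostname survives the hostname churn the diary describes.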
itechpreneurs.com 37.58.73.40 - 37.58.73.47 SofLay-RIPE? A record points to datingbay.us
GC-SERVER.EU 95.156.228.0 - 95.156.228.127 routing 0/22 via interwerk.de (fails on b.barracudacentral.org RBL lookup)
Multiple AS --- AS196878 (95.156.192.0/18) and AS197071 (95.156.228.0/22) both descriptors: "Marcel Edler trading as Optimate-Server"
syntis.net 195.210.42.0 - 195.210.43.255 (resolves DNS hostname to nematis1.model-fx.com. )

Source: BGP announces
tgtbt

2 Posts
Oddly enough, WebSense gave the IPs and domain names a pass as either uncategorized or Information Technology.
(time for a defense in depth demo in realtime?)
CBob

21 Posts
All of the root domain names used (mostly b*.be, but some others mixed in too) appear to use the same set of nameservers:
ns1.speedpacket[.]com
ns2.speedpacket[.]com

Compromised nameservers perhaps?

Looks like most of these are redirections from injected and obfuscated JS embedded in legit but compromised sites. Looks like it's static, or at least it doesn't care if I just wget the page with no special referer required.
CBob
1 Posts
Dig trace says:
from root to *.ns.dns.be
then ns*.speedpacket.be
to finally reach ns*.speedpacket.com
Bit of recursion going on there?? (151.236.32.0/19 and A records seem unrelated?)
92.48.64.0/18 is described as the same provider
tgtbt

2 Posts
Fresh info in Dynamoo's blog: blog.dynamoo.com/2013/09/…
Daniel

367 Posts
ISC Handler
