Maxmind.com (Ab)used As Anti-Analysis Technique
A long time ago I wrote a diary[1] about malware samples that use online geolocation services. Such services are used to target only specific victims: if the malware detects that it is executed from a specific area, it just stops. This has been seen in Russian malware that did not infect people located in the same area.
Today, once in the wild, malware samples are quickly intercepted and analyzed by security researchers but also by the big players on the security market. New anti-analysis techniques are regularly deployed to prevent the malware from executing or to change its behavior. One of the latest techniques, discovered by McAfee[2], is the abuse of the MaxMind[3] GeoIP services. This can be implemented via a simple GET request against the MaxMind API, which suffers from a lack of access control.
If you query this URL:
$ wget https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:45:41--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
But if you just add a suitable Referer header:
$ wget -O whereami.txt --referer=https://www.maxmind.com/en/locate-my-ip-address https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:47:11--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1214 (1.2K) [application/vnd.maxmind.com-city+json]
Saving to: ‘whereami.txt’

where-am-i.txt      100%[==========================================================>]   1.19K  --.-KB/s    in 0s

2016-09-01 07:49:08 (17.1 MB/s) - ‘where-am-i.txt’ saved [1214/1214]

$ cat whereami.txt
{"country":{"names":{"pt-BR":"Bélgica","de":"Belgien","en":"Belgium","ja":"ベルギー王国","es":"Bélgica", \
"zh-CN":"比利时","ru":"Бельгия","fr":"Belgique"},"geoname_id":2802361,"iso_code":"BE"},"location" \
{"time_zone":"Europe/Brussels","accuracy_radius":100,"longitude":4.3333,"latitude":50.6},"traits": \
{"autonomous_system_organization":"BELGACOM-SKYNET-AS","ip_address":"xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx", \
"isp":"Belgacom-skynet-as", "organization":"Belgacom-skynet-as","autonomous_system_number":5432},"city": \
{"geoname_id":2790101,"names":{"en":"Nivelles","de":"Nivelles","ru":"Нивель","zh-CN":"尼韦尔", \
"fr":"Nivelles"}},"postal":{"code":"1400"},"subdivisions":[{"geoname_id":3337387, \
"names":{"pt-BR": "Valônia","fr":"Wallonie","es":"Valonia","en":"Wallonia","de":"Wallonische Region"}, \
"iso_code":"WAL"},{"iso_code":"WBR","geoname_id":3333251,"names":{"pt-BR":"Brabante Valão", \
"en":"Walloon Brabant Province","de":"Provinz Wallonisch-Brabant","es":"Brabant Wallonie", \
"fr":"Brabant Wallon"}}],"continent":{"code":"EU","names":{"pt-BR":"Europa","en":"Europe", \
"de":"Europa","ja":"ヨーロッパ","es":"Europa","fr":"Europe","zh-CN":"欧洲","ru":"Европа"}, \
"geoname_id":6255148}}
You can see that it's possible to locate me, but the response also reports information like the AS number and the organization/ISP. The malware searches these fields for interesting strings such as AV vendor names, but not only those: if the network name contains strings like "Data Center", "VPS", "Hosting" or "Shared", chances are that the host running the malware is not an endpoint device.
If you're performing research or investigations, always use a dedicated xDSL or cable connection!
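To check how your own analysis egress would look through this lens, here is an added example (not code from the diary or from McAfee/MaxMind) that parses a saved MaxMind city JSON document and reports the fields the anti-analysis check relies on. The keyword list is the one quoted above; the AV vendor list is left to the caller since the diary names none. The first sample is a trimmed copy of the response shown above with the IP address replaced by a placeholder; the second, with the organization name "EXAMPLE-VPS-HOSTING", is constructed to show a network that would be flagged.

```python
import json

# Substrings the diary lists as hints that the network is not an end-user
# connection. Matching is case-insensitive.
HOSTING_HINTS = ("data center", "datacenter", "vps", "hosting", "shared")

# Constructed sample: trimmed copy of the /geoip/v2.1/city/me document shown
# in the diary, IP address replaced by a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "country": {"names": {"en": "Belgium"}, "geoname_id": 2802361, "iso_code": "BE"},
    "location": {"time_zone": "Europe/Brussels", "accuracy_radius": 100,
                 "longitude": 4.3333, "latitude": 50.6},
    "traits": {"autonomous_system_organization": "BELGACOM-SKYNET-AS",
               "ip_address": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
               "isp": "Belgacom-skynet-as", "organization": "Belgacom-skynet-as",
               "autonomous_system_number": 5432},
    "city": {"geoname_id": 2790101, "names": {"en": "Nivelles"}},
})

# Constructed sample: what a lab behind a hosting provider might look like.
# The organization name and ASN are invented for illustration.
SAMPLE_HOSTING_RESPONSE = json.dumps({
    "country": {"names": {"en": "Belgium"}, "iso_code": "BE"},
    "traits": {"autonomous_system_organization": "EXAMPLE-VPS-HOSTING",
               "ip_address": "192.0.2.10", "isp": "Example VPS Hosting",
               "organization": "Example VPS Hosting",
               "autonomous_system_number": 64496},
    "city": {"names": {"en": "Brussels"}},
})


def extract_network_traits(body):
    """Parse a MaxMind city JSON document and pull out the fields a
    geolocation/network fingerprinting check would look at."""
    doc = json.loads(body)
    traits = doc.get("traits", {})
    return {
        "country": doc.get("country", {}).get("iso_code"),
        "city": doc.get("city", {}).get("names", {}).get("en"),
        "asn": traits.get("autonomous_system_number"),
        "as_org": traits.get("autonomous_system_organization"),
        "isp": traits.get("isp"),
        "organization": traits.get("organization"),
    }


def hosting_indicators(info, extra_keywords=()):
    """Return the hint substrings found in the AS organization, ISP and
    organization names. extra_keywords lets the caller add AV vendor names
    or other strings; a non-empty result means the egress would likely be
    classified as a non-endpoint host."""
    names = " ".join(str(info[k]) for k in ("as_org", "isp", "organization") if info.get(k))
    lowered = names.lower()
    hints = HOSTING_HINTS + tuple(k.lower() for k in extra_keywords)
    return [h for h in hints if h in lowered]


def assess_egress(body, blocked_countries=(), extra_keywords=()):
    """Summarise how an analysis host's public address would be classified:
    country/ASN/organization plus the matched hosting hints. blocked_countries
    models the geo-targeting check from the earlier diary: a country code in
    that set means the sample would simply stop."""
    info = extract_network_traits(body)
    info["hosting_hits"] = hosting_indicators(info, extra_keywords)
    info["geo_blocked"] = info["country"] in set(blocked_countries)
    info["looks_like_endpoint"] = not info["hosting_hits"] and not info["geo_blocked"]
    return info


if __name__ == "__main__":
    for label, body in (("diary sample", SAMPLE_RESPONSE),
                        ("hosting sample", SAMPLE_HOSTING_RESPONSE)):
        print(label, json.dumps(assess_egress(body), indent=2))
```

Run it against the JSON saved by wget (for example `assess_egress(open("whereami.txt").read())`) before detonating anything: an empty `hosting_hits` list and `looks_like_endpoint` set to `True` is what a sample using this trick expects to see on a real victim, which is exactly why a dedicated residential line is the safer choice for research.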
[1] https://isc.sans.edu/forums/diary/Victim+of+its+own+success+and+abused+by+malwares/20311/
[2] https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection/
[3] https://www.maxmind.com/en/geoip2-services-and-databases
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant