It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated with them, all of the format shown below:

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be

bizgo is not the only domain used, there are many, but currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult - by the time you have grabbed a sample and are running it in the sandbox, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example

https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/

and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threats SID 2015475 for a Blackhole landing page. If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.
Daniel 385 Posts ISC Handler Sep 12th 2013
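The diary describes domains that are tied to thousands of short-lived, machine-generated hostnames. The script below is an added example (not ISC's code or the sensor query the diary refers to) showing how a defender can surface that pattern in an ordinary resolver query log: it groups queried names by apex, checks whether the first label looks generated, and measures how long each hostname stays in use. The log format (timestamp, client, qname), the sample lines, the thresholds, and the two-label apex shortcut are all assumptions of this example; the generated-label heuristic is derived from the two hostnames quoted on this page, both of which have a 56-character first label ending in a long run of hex characters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "timestamp client qname". Sample input, not a real capture.
# The two bizgo.be / boeteam.com names below are the ones quoted on the page; the rest
# of the generated-looking names are made up to the same shape.
SAMPLE_LOG = """\
2013-09-12T10:00:01 10.0.0.5 byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b.bizgo.be
2013-09-12T10:00:03 10.0.0.5 byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b.bizgo.be
2013-09-12T10:05:10 10.0.0.9 a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
2013-09-12T10:11:42 10.0.0.7 q9c1zz0mpl3k8s7dd2xxxaf00112233445566778899aabbccddeeff01.bizgo.be
2013-09-12T10:18:05 10.0.0.7 t4h8nn2rrpl0k6ww1zza55c6fedcba9876543210ffeeddccbbaa998877.bizgo.be
2013-09-12T10:25:30 10.0.0.5 m7b2vv8kkqs1p3dd9xxa11e0123456789abcdef0123456789abcdef00.bizgo.be
2013-09-12T10:31:12 10.0.0.5 www.example.com
2013-09-12T10:31:15 10.0.0.9 mail.example.com
2013-09-12T10:32:00 10.0.0.7 cdn.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{40,}$")   # assumption: long, alphanumeric only
HEX_TAIL_RE = re.compile(r"[0-9a-f]{32,}$")       # assumption: ends in a long hex run


def apex_of(qname):
    """Crude apex: last two labels. Real code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_generated(label):
    """True when a hostname label matches the shape of the names on this page."""
    return bool(RANDOM_LABEL_RE.match(label) and HEX_TAIL_RE.search(label))


def parse_log(text):
    """Yield (timestamp, client, qname) from the constructed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")


def profile_apexes(text):
    """Per apex: distinct hostnames, how many look generated, longest hostname lifetime."""
    seen = defaultdict(lambda: defaultdict(list))   # apex -> hostname -> [timestamps]
    for ts, _client, qname in parse_log(text):
        seen[apex_of(qname)][qname].append(ts)
    profiles = {}
    for apex, hosts in seen.items():
        generated = sum(looks_generated(h.split(".")[0]) for h in hosts)
        lifetimes = [(max(t) - min(t)).total_seconds() for t in hosts.values()]
        profiles[apex] = {
            "hostnames": len(hosts),
            "generated": generated,
            "max_lifetime_s": max(lifetimes),
        }
    return profiles


def flag_apexes(text, min_hosts=3, max_lifetime_s=300):
    """Apexes with many distinct generated-looking hostnames that each live only briefly."""
    return sorted(
        apex for apex, p in profile_apexes(text).items()
        if p["hostnames"] >= min_hosts
        and p["generated"] == p["hostnames"]
        and p["max_lifetime_s"] <= max_lifetime_s
    )


if __name__ == "__main__":
    for apex, p in profile_apexes(SAMPLE_LOG).items():
        print(apex, p)
    print("flagged:", flag_apexes(SAMPLE_LOG))
```

On the sample log only bizgo.be is flagged: boeteam.com has a single generated hostname (below the count threshold) and example.com has ordinary labels. On a real resolver log the thresholds need tuning against the volume the sensor sees; the lifetime check is what separates this pattern from a legitimate CDN that also fans out over many hostnames.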
Sep 12th 2013 8 years ago
Some OSINT http://pastebin.com/6Ajv9B0K
Hope it can be of some help
Anonymous
Sep 12th 2013 8 years ago
I have a few machines that were communicating to some of these IPs. Here is some traffic I was seeing:

GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&eBj(hMrns_=)5a_89.58.8a!5a(56)5d_56.58.8a&TYT7HY8-06L3xo8=(55&L)I(-dnrT=1dpBUj78X&zFxgn7nAeP=eUN3ky HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923

GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24
Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Cookie: myid=1378983923
Anonymous
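The two requests in the comment above show the shape a proxy or IDS analyst can key on: the landing-page path the diary ties to Emerging Threats SID 2015475, a Java plugin User-Agent, and on the second request the pack200-gzip / application/x-java-archive headers a Java client sends when it fetches an archive. The following is an added example, not code from ISC or from the commenter, that parses raw request heads and labels them accordingly. The sample requests are constructed from the headers posted above (query strings shortened); the labels, thresholds, and the reading of the myid cookie as a Unix timestamp are this example's own assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Path the diary reports as matching Emerging Threats SID 2015475 (Blackhole landing page).
LANDING_PATH = "/i/last/index.php"

# Constructed request heads modelled on the two requests posted in the comment
# (hostname and headers as posted, query strings shortened). Test input, not a capture.
REQ_LANDING = "\n".join([
    "GET /i/last/index.php?os)63HqT)=-5a.5d)8c_89-58&zFxgn7nAeP=eUN3ky HTTP/1.1",
    "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24",
    "Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com",
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
    "Connection: keep-alive",
    "Cookie: myid=1378983923",
])
REQ_JAR = "\n".join([
    "GET /i/last/index.php?ajZ9o4Q=(HA(rZxAX&b-ER3Z=mQrVMkJ HTTP/1.1",
    "accept-encoding: pack200-gzip, gzip",
    "content-type: application/x-java-archive",
    "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24",
    "Host: a32ig07fho2h11d2thb8fli71964e079a5183718c82f624556994a57.boeteam.com",
    "Cookie: myid=1378983923",
])
REQ_BENIGN = "\n".join([          # constructed ordinary browser request for contrast
    "GET /index.php?page=1 HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/23.0",
    "Host: www.example.com",
])


def parse_request(raw):
    """Parse an HTTP/1.x request head into (method, request-target, {lowercase header: value})."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Heuristic label for one request; the labels and rules are this example's own."""
    _method, target, h = parse_request(raw)
    if urlsplit(target).path != LANDING_PATH:
        return "none"
    java = "Java/" in h.get("user-agent", "")
    jar_fetch = ("x-java-archive" in h.get("content-type", "")
                 or "pack200" in h.get("accept-encoding", ""))
    if java and jar_fetch:
        return "ek-jar-fetch"        # Java plugin pulling the archive from the landing path
    if java:
        return "ek-landing-java"     # Java plugin hitting the landing page itself
    return "ek-landing"              # a browser hitting the landing page


def cookie_epoch(raw):
    """Assumption: the myid cookie is a Unix timestamp. Decode it as UTC, else return None."""
    _m, _t, h = parse_request(raw)
    m = re.search(r"(?:^|;\s*)myid=(\d{9,10})(?:;|$)", h.get("cookie", ""))
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def triage(requests):
    """Return (host, label, decoded cookie time) for every request that is not 'none'."""
    hits = []
    for raw in requests:
        label = classify(raw)
        if label != "none":
            _m, _t, h = parse_request(raw)
            hits.append((h.get("host", ""), label, cookie_epoch(raw)))
    return hits


if __name__ == "__main__":
    for hit in triage([REQ_LANDING, REQ_JAR, REQ_BENIGN]):
        print(hit)
```

The first request classifies as a Java client on the landing page and the second as the archive fetch; the benign request is ignored. Decoding myid=1378983923 as a timestamp gives 2013-09-12 11:05:23 UTC, consistent with the date of the post, which is why the example treats it as a plausible (but unconfirmed) session timestamp to correlate against the sensor's own clock.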
Sep 12th 2013 8 years ago
itechpreneurs.com 37.58.73.40 - 37.58.73.47 SofLay-RIPE? A record points to datingbay.us

GC-SERVER.EU 95.156.228.0 - 95.156.228.127 routing 0/22 via interwerk.de (fails on b.barracudacentral.org RBL lookup)
Multiple AS --- AS196878 (95.156.192.0/18) and AS197071 (95.156.228.0/22) both descriptors: "Marcel Edler trading as Optimate-Server"

syntis.net 195.210.42.0 - 195.210.43.255 (resolves DNS hostname to nematis1.model-fx.com.)

Source: BGP announces
tgtbt 2 Posts
Sep 12th 2013 8 years ago
Oddly enough, WebSense gave the IPs and domain names a pass as either uncategorized or Information technology.
(time for a defense in depth demo in realtime?)
CBob 23 Posts
Sep 12th 2013 8 years ago
All of the root domain names used (mostly b*.be, but some others mixed in too) appear to use the same set of nameservers:

ns1.speedpacket[.]com
ns2.speedpacket[.]com

Compromised nameservers perhaps? Looks like most of these are redirections from injected and obfuscated js embedded in legit but compromised sites. Looks like it's static - or at least it doesn't care if I just wget the page with no special referer required.
CBob 1 Posts
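The pivot in the comment above, grouping the observed apex domains by the nameservers they share, is easy to automate. The code below is an added example (not the commenter's tooling or anything from ISC) that clusters a domain list by its normalised NS set so that a shared delegation like ns1/ns2.speedpacket.com stands out. The NS lookup is injected as a callable; the one supplied here answers from a constructed table so the example runs offline, and the b-example.be entry is made up. With dnspython installed, a live lookup would be `lambda d: [str(r.target) for r in dns.resolver.resolve(d, "NS")]`.

```python
from collections import defaultdict

# Constructed NS answers standing in for live resolution. bizgo.be and boeteam.com are
# domains named on the page; b-example.be is invented; example.com is a reserved name.
FAKE_NS = {
    "bizgo.be":     ["ns1.speedpacket.com.", "ns2.speedpacket.com."],
    "boeteam.com":  ["ns2.speedpacket.com.", "ns1.speedpacket.com."],   # same set, other order
    "b-example.be": ["NS1.SPEEDPACKET.COM.", "NS2.SPEEDPACKET.COM."],   # same set, other case
    "example.com":  ["a.iana-servers.net.", "b.iana-servers.net."],
}


def fake_lookup_ns(domain):
    """Stand-in resolver: return the NS names for a domain, or nothing if unknown."""
    return FAKE_NS.get(domain.lower(), [])


def normalize(ns):
    """Nameserver names compare case-insensitively and with or without the trailing dot."""
    return ns.lower().rstrip(".")


def cluster_by_nameservers(domains, lookup_ns):
    """Map each distinct NS set (frozenset of normalised names) to the domains using it."""
    clusters = defaultdict(set)
    for d in domains:
        try:
            names = lookup_ns(d)
        except Exception:          # NXDOMAIN, timeout, etc. from a real resolver
            names = []
        key = frozenset(normalize(n) for n in names)
        clusters[key].add(d.lower())
    return clusters


def shared_ns_clusters(domains, lookup_ns, min_domains=2):
    """[(sorted nameservers, sorted domains)] for NS sets shared by at least min_domains,
    largest cluster first; domains with no NS answer are left out."""
    out = []
    for key, ds in cluster_by_nameservers(domains, lookup_ns).items():
        if key and len(ds) >= min_domains:
            out.append((sorted(key), sorted(ds)))
    return sorted(out, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    observed = ["bizgo.be", "boeteam.com", "b-example.be", "example.com", "unknown.test"]
    for nameservers, members in shared_ns_clusters(observed, fake_lookup_ns):
        print(", ".join(nameservers), "->", ", ".join(members))
```

Normalising case and the trailing dot matters: the same two nameservers come back in different order and capitalisation for different domains, and without it they would land in separate clusters. A cluster that accounts for most of the observed apexes is a good candidate for a single block at the resolver or proxy rather than chasing hostnames that expire within seconds.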
Sep 12th 2013 8 years ago
Dig trace says:

from root to *.ns.dns.be then ns*.speedpacket.be to finally reach ns*.speedpacket.com

Bit of recursion going on there?? (151.236.32.0/19 and A records seem unrelated?) 92.48.64.0/18 is described as the same provider
tgtbt 2 Posts
Sep 13th 2013 8 years ago
Fresh info in Dynamoo's blog: blog.dynamoo.com/2013/09/…
Daniel 385 Posts ISC Handler
Sep 18th 2013 8 years ago