This is a story about an IP address: 31.170.179.179. It is still happily up and alive, with the details below:
The IP is marked as bad (now). It has a very bad history; I was actually thinking this is a parked domains' IP, but it still "IS" a bad, bad, evil IP, and I will describe its badness in the poor writing below:
(Note: Please block 31.170.179.179 and 62.116.143.18, as malware is served by these hosts)
Historical & Reputation Research of 31.170.179.179:
Below is the recent historical data of the IP; feel free to search each domain stated in the details below to PoC what I stated.
xxx.wds03.com series of DGA...
xxx.x[1|2]-line.com series of DGA...
(Spoofing?? Parking??) Records for Reverse-IP "in-addr.arpa" addresses.. weird..
Palevo Botnet's CnC:
URL: https://palevotracker.abuse.ch/?ipaddress=31.170.179.179
(Thanks to ABUSE.CH)
With the URLQuery records flagged as a threat by Emerging Threats (good work!): URL: http://goo.gl/KD6XxT
Kelihos Domains and Payloads (thanks to OP-Kelihos, great team!):
h00p://bixepfet.nl/inkr001.exe
h00p://yjtucerr.nl/nothin3.exe
h00p://jegijfyr.nl/nothin3.exe
h00p://huvjeyjq.nl/userid2.exe
h00p://qavukzak.nl/inkr001.exe
h00p://judnopem.nl/traff01.exe
VirusTotal has a longer history of this IP (thanks for the good record!):
Link-->>[HERE]
OpenDNS Umbrella Lab's graph (with thanks for sharing the tool!) has long records too:
And so on...
The past stays in the past.. No?
Up to this point some people may think: "Yes, it was harmful, but maybe it was a VPS used by bad actors, so now it 'maybe' has become a clean and parked one."
Well, the above possibility exists, but let's check it deeper using the fresh status too. So I checked links to that IP and found the recent verdict below..
CookieBomb Infection as per TODAY (note the uppercase)
I am lucky: a local site with the infection was just freshly spotted in the honeypot, see the marked date:
(Note the date of the screenshot)
With a simple JS decode:
This leads us to ww9.jolyzgus.nl (31.170.179.179), via some unusual hoolahoop of repeated self-redirection.
PS: Below is the correct way to trace a CookieBomb, in case you need a reference. PS2: mind the Referer used ;-))
* Connect() to jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 12:04:22 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.jolyzgus.nl
< Vary: Accept-Encoding
<
:
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:01 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:47 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1ubuntu3.7
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.ww9.jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:37:16 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding

To be forwarded into a TDS in ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18), kicking in the parked domain's script:

* Connect() to ww6.ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 62.116.143.18...
* connected
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww6.ww9.ww9.ww9.jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 01 Nov 2013 14:16:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< Vary: Accept-Encoding
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>jolyzgus.nl</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<script type='text/javascript' language='JavaScript'>
var domain = 'jolyzgus.nl';
var uniqueTrackingID = 'MTM4MzMxNTQwOS43OTY4OmQ0ZjMzMTViMWY2NDUxMTY5NzlmMjM0ZmViNDZiZTUwYTI2Zjk0NWE=';
var clickTracking = true;
var themedata = '';
var xkw = '';
var xsearch = '';
var xpcat = '';
var rxid = '';
var bucket = '';
var clientID = '';
var clientIDs = '';
var num_ads = 0;
var adtest = 'off';
var scriptPath = '';
</script>
<script src='h00p://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
<script type='text/javascript' language='JavaScript'>clickTracking = false;</script>
</head>
<body>
<script type='text/javascript' language='JavaScript'>
window.onload = function() {
  if(clickTracking && typeof track_onclick == 'function') track_onclick("d767765fe07cda70072a07be8009b9e13b9ce70d");
  location.href = "h00p://searchresultsguide.com/?dn=jolyzgus.nl&pid=9POGER71L";
};
</script>
</body>
* Connection #0 to host ww6.ww9.ww9.ww9.jolyzgus.nl left intact
</html>
* Closing connection #0

Below are payloads on attempts to
fetch malware files from, and make calls to, 62.116.143.18; the VT report for each payload is self-explanatory, please see the behaviour analysis tab (if available):
Additionally, the VirusTotal report of 62.116.143.18 is here-->>[VirusTotal]
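As an added example (not from the original post), a small Python parser for a curl -v trace like the one above: it splits the capture into hops, counts how many 302s re-prefix the same host (the self-redirection loop), and reports the hop where the serving IP changes to the TDS. The trace it parses is a constructed, trimmed sample in the shape of the capture above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the curl -v trace above, not the post's own capture;
# only the lines the parser needs are kept, with the post's hosts and IPs reused as input.
SAMPLE_TRACE = """\
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
< HTTP/1.1 302 Found
< Location: h00p://ww9.jolyzgus.nl
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
< HTTP/1.1 302 Found
< Location: h00p://ww9.ww9.jolyzgus.nl
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
< HTTP/1.1 302 Found
< Location: h00p://ww6.ww9.ww9.jolyzgus.nl
* Connected to ww6.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
< HTTP/1.1 200 OK
"""

CONNECT_RE = re.compile(r"^\* Connected to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) port \d+")
STATUS_RE = re.compile(r"^< HTTP/1\.\d (\d{3})")
# Accepts the live scheme as well as the h00p:// defanging used in the post.
LOCATION_RE = re.compile(r"^< Location: (?:h00p|https?)://([^/\s]+)", re.IGNORECASE)


def parse_hops(trace: str) -> List[Dict[str, Optional[str]]]:
    """One dict per '* Connected to' block: host, ip, response status, Location host."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            hops.append({"host": m.group(1), "ip": m.group(2), "status": None, "location": None})
        elif hops and (m := STATUS_RE.match(line)):
            hops[-1]["status"] = m.group(1)
        elif hops and (m := LOCATION_RE.match(line)):
            hops[-1]["location"] = m.group(1).lower()
    return hops


def self_redirect_depth(hops: List[Dict[str, Optional[str]]]) -> int:
    """Count 302 hops whose Location is the current host with one more label prepended."""
    return sum(1 for h in hops if h["status"] == "302" and h["location"]
               and h["location"].endswith("." + h["host"]))


def ip_handoff(hops: List[Dict[str, Optional[str]]]) -> Optional[Tuple[str, str]]:
    """First hop served from a different IP than the entry host (the TDS hand-off), if any."""
    for h in hops[1:]:
        if h["ip"] != hops[0]["ip"]:
            return h["host"], h["ip"]
    return None
```

Feed it the full capture (with `Accept: */*` restored) and the depth becomes 4 and the hand-off lands on 62.116.143.18, matching the hop-by-hop reading above.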
Just in case: the domain jolyzgus.nl is actually SUSPENDED and PARKED, per the details below, so is it still infecting us? This is actually a real big mystery for all of us to check..
$ nslookup jolyzgus.nl
jolyzgus.nl
	origin = ns.parktons.com
	mail addr = root.gransy.com
	serial = 2013010310
	refresh = 1800
	retry = 10800
	expire = 604800
	minimum = 1800
jolyzgus.nl	nameserver = ns.parktons.com.
jolyzgus.nl	nameserver = ns2.parktons.com.
jolyzgus.nl	internet address = 31.170.179.179
$ whois jolyzgus.nl|less
Domain name: jolyzgus.nl
Status: active
Registrar:
   1API Gmbh
   Talstrasse 27
   66424 Homburg
   Deutschland
   Germany
Registrant
   DemieGoudswaard
Administrative contact
   admin@jolyzgus.nl
Technical contact(s)
   admin@jolyzgus.nl
Domain nameservers:
   ns1.1apidomainondispute.net
   ns2.1apidomainondispute.net
   ns3.1apidomainondispute.net
DNSSEC: no
Date registered 2013-08-28
Date of last change 2013-09-02
Record maintained by NL Domain Registry

Feel free to comment! :-)
Additional / Final Conclusion:
As initially suspected, after deeper investigation, the CookieBomb malware domain jolyzgus.nl was gone and the domain was parked under 31.170.179.179 (parktons.com), which has an auto-forwarder to the affiliate parking domain service in 62.116.143.18 (parkingcrew.com).
We still have the question of HOW a parked domain's IP can still provide malware samples as reported; the investigation of this matter is still open and the results will be added accordingly.
#MalwareMustDie!