Saturday, November 2, 2013

How bad can an IP's reputation be? A story of 31.170.179.179 & 62.116.143.18 (parked domains)

People often ask me "Can we trust a malicious IP report?", and I always answer "Hell, yes!", because behind those reports there are dedicated researchers working hard to prove the badness, and believe me, nobody ever wants to issue a false positive verdict, so most of the malware and security researchers involved cross-check other references or discuss with peers to be sure beforehand.

This is a story about the IP address 31.170.179.179, which is still happily up and alive, with the details below:

The IP is marked as bad (now). It has a very bad history. I was actually thinking this is a parked domains' IP, yet it still "IS" a bad, bad, evil IP, and I will describe its badness in the (admittedly rough) write-up below:
(Note: please block 31.170.179.179 and 62.116.143.18, since malware has been served via these hosts)

Historical & Reputation Research of 31.170.179.179 :

Below is the recent historical DNS data for the IP; feel free to look up each domain listed below to verify what I state.

The xxx.wds03.com series of DGA-like labels (note that wpad and isatap in the list are Windows auto-discovery hostnames, not DGA output; seeing them resolve to the same address suggests the zone answers every label with a wildcard A record):

nxfifwwsia.wds03.com  A  31.170.179.179
lbkxibmtqb.wds03.com  A  31.170.179.179
wpad.wds03.com  A  31.170.179.179
yaivjmqekg.wds03.com  A  31.170.179.179
drwfvaol.wds03.com  A  31.170.179.179
sgtxranpom.wds03.com  A  31.170.179.179
isatap.wds03.com  A  31.170.179.179
ggrixhspar.wds03.com  A  31.170.179.179
ltbgnkzrzr.wds03.com  A  31.170.179.179
batmoflaqft.wds03.com  A  31.170.179.179
jwmspvljlv.wds03.com  A  31.170.179.179
vqblegfygqwgrqv.wds03.com  A  31.170.179.179
qpfjfcpsdy.wds03.com  A  31.170.179.179
ygwnaxsuoy.wds03.com  A  31.170.179.179
zsnwosoziz.wds03.com  A  31.170.179.179
The xxx.[a|c|e][1|2]-line.com series of DGA-like labels:
xjfiozjjbg.a1-line.com  A  31.170.179.179
saqzurmcudg.a1-line.com  A  31.170.179.179
vrnftosdtr.a1-line.com  A  31.170.179.179
frrdwoidpt.a1-line.com  A  31.170.179.179
mcipgaxv.a1-line.com  A  31.170.179.179
bamaghbarm.c1-line.com  A  31.170.179.179
ivcodrfdmw.c1-line.com  A  31.170.179.179
xwvxbjxnpc.c2-line.com  A  31.170.179.179
nkrjtpmbjlaf.c2-line.co  A  31.170.179.179
imcuctlmdch.c2-line.com  A  31.170.179.179
bdukyhcboxps.c2-line.co  A  31.170.179.179
uvypmbkkqa.e2-line.com  A  31.170.179.179
marduxfkcp.e2-line.com  A  31.170.179.179
boodeyprwq.e2-line.com  A  31.170.179.179
aodnmpcvcv.e2-line.com  A  31.170.179.179
ulalzvsniy.e2-line.com  A  31.170.179.179
zxvsfkgraz.e2-line.com  A  31.170.179.179

(Spoofing?? Parking??) A records for reverse-IP "in-addr.arpa" names, which is weird: in-addr.arpa names normally carry PTR records, not A records pointing back at this host. This is consistent with a nameserver that answers any queried name with the same address.

171.80.117.50.in-addr.arpa  A  31.170.179.179
219.80.117.50.in-addr.arpa  A  31.170.179.179
149.80.117.50.in-addr.arpa  A  31.170.179.179
201.128.241.213.202.in-addr.arpa  A  31.170.179.179
106.216.234.173.in-addr.arpa  A  31.170.179.179
200.196.234.173.in-addr.arpa  A  31.170.179.179
140.196.234.173.in-addr.arpa  A  31.170.179.179
240.196.234.173.in-addr.arpa  A  31.170.179.179
50.196.234.173.in-addr.arpa  A  31.170.179.179
221.196.234.173.in-addr.arpa  A  31.170.179.179
22.196.234.173.in-addr.arpa  A  31.170.179.179
84.196.234.173.in-addr.arpa  A  31.170.179.179
125.196.234.173.in-addr.arpa  A  31.170.179.179
65.196.234.173.in-addr.arpa  A  31.170.179.179
95.196.234.173.in-addr.arpa  A  31.170.179.179
6.196.234.173.in-addr.arpa  A  31.170.179.179
16.196.234.173.in-addr.arpa  A  31.170.179.179
186.196.234.173.in-addr.arpa  A  31.170.179.179
127.196.234.173.in-addr.arpa  A  31.170.179.179
187.196.234.173.in-addr.arpa  A  31.170.179.179
8.196.234.173.in-addr.arpa  A  31.170.179.179
48.196.234.173.in-addr.arpa  A  31.170.179.179
98.196.234.173.in-addr.arpa  A  31.170.179.179
9.196.234.173.in-addr.arpa  A  31.170.179.179
219.196.234.173.in-addr.arpa  A  31.170.179.179
139.196.234.173.in-addr.arpa  A  31.170.179.179
6.218.74.64.in-addr.arpa  A  31.170.179.179
194.242.61.94.in-addr.arpa  A  31.170.179.179
141.173.117.195.in-addr.arpa  A  31.170.179.179
200.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
241.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
155.128/25.250.152.216.in-addr.arpa  A  31.170.179.179
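The two observations above (random-looking labels all landing on one address, and A records under in-addr.arpa) can be checked mechanically. The script below is an added example written for this page, not code from the original post: it parses "name  A  ip" lines, scores the leftmost label with a simple vowel/consonant heuristic, separates Windows auto-discovery names from DGA-like ones, and flags reverse-tree names that carry A records. The thresholds are this editor's assumptions; the sample records are copied from the lists above, plus constructed example.com lines as a clean control.

```python
"""Triage "name  A  ip" records like the lists above.

Editor's added example, not code from the original post. Thresholds are
assumptions; sample data is the page's records plus constructed controls.
"""
from collections import defaultdict

# Windows auto-discovery names: clients resolve these under any search
# suffix, so they show up in passive DNS of every wildcarded zone.
AUTODISCOVERY = {"wpad", "isatap", "autodiscover"}
VOWELS = set("aeiou")

SAMPLE = """
nxfifwwsia.wds03.com  A  31.170.179.179
lbkxibmtqb.wds03.com  A  31.170.179.179
wpad.wds03.com  A  31.170.179.179
isatap.wds03.com  A  31.170.179.179
ltbgnkzrzr.wds03.com  A  31.170.179.179
batmoflaqft.wds03.com  A  31.170.179.179
xjfiozjjbg.a1-line.com  A  31.170.179.179
mcipgaxv.a1-line.com  A  31.170.179.179
uvypmbkkqa.e2-line.com  A  31.170.179.179
zxvsfkgraz.e2-line.com  A  31.170.179.179
171.80.117.50.in-addr.arpa  A  31.170.179.179
200.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
www.example.com  A  192.0.2.10
mail.example.com  A  192.0.2.11
secure.example.com  A  192.0.2.12
"""


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(label):
    """Heuristic: a longer label with few vowels or a long consonant cluster."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.3 or longest_consonant_run(label) >= 4


def registered_domain(name):
    """Naive: last two labels. Fine for .com/.nl here, wrong for co.uk etc."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse_records(text):
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            recs.append((parts[0].lower(), parts[1].upper(), parts[2]))
    return recs


def triage(records):
    """Return ({zone: summary}, [anomalies]) for the A records given."""
    zones = defaultdict(lambda: {"total": 0, "random": 0, "autodiscovery": 0, "ips": set()})
    anomalies = []
    for name, rtype, data in records:
        if rtype != "A":
            continue
        if name.endswith(".in-addr.arpa"):
            # Reverse-tree names should carry PTR records, not A records.
            anomalies.append(("A record under in-addr.arpa", name, data))
            continue
        z = zones[registered_domain(name)]
        z["total"] += 1
        z["ips"].add(data)
        first = name.split(".")[0]
        if first in AUTODISCOVERY:
            z["autodiscovery"] += 1
        elif looks_random(first):
            z["random"] += 1
    out = {}
    for zone, z in zones.items():
        ratio = z["random"] / z["total"]
        if ratio >= 0.5 and z["autodiscovery"] and len(z["ips"]) == 1:
            verdict = "likely wildcard A record"  # random + autodiscovery names, one IP
        elif ratio >= 0.5:
            verdict = "DGA-like labels"
        else:
            verdict = "looks ordinary"
        out[zone] = {**z, "ips": sorted(z["ips"]), "verdict": verdict}
    return out, anomalies


if __name__ == "__main__":
    verdicts, anomalies = triage(parse_records(SAMPLE))
    for zone, v in sorted(verdicts.items()):
        print(f"{zone:14} {v['random']}/{v['total']} random, "
              f"{v['autodiscovery']} autodiscovery -> {v['verdict']}")
    for a in anomalies:
        print("ANOMALY:", *a)
```

The heuristic will miss some random labels (for example bamaghbarm above has enough vowels to pass), so read the per-zone ratio rather than individual verdicts. To confirm a wildcard live, query a label nobody has ever registered, e.g. `dig +short thislabeldoesnotexist.wds03.com A`; a wildcarded zone answers with the same address.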

Palevo botnet C&C listing (thanks to abuse.ch):

URL: https://palevotracker.abuse.ch/?ipaddress=31.170.179.179

urlQuery records flagged as a threat by Emerging Threats (good work!): URL: http://goo.gl/KD6XxT

Kelihos domains and payloads (thanks to OP-Kelihos, great team!):

h00p://bixepfet.nl/inkr001.exe
h00p://yjtucerr.nl/nothin3.exe
h00p://jegijfyr.nl/nothin3.exe
h00p://huvjeyjq.nl/userid2.exe
h00p://qavukzak.nl/inkr001.exe
h00p://judnopem.nl/traff01.exe

VirusTotal has a longer history of this IP (thanks for the good record!):

Link: [HERE]

The OpenDNS Umbrella Labs graph (thank you for sharing the tool!) has long records too:

And so on...

The past stays in the past.. No?

Up to this point some people may think: "Yes, it was harmful, but maybe it was a VPS used by bad actors, and now it has 'maybe' become a clean, parked one."
Well, that possibility exists, but let's check deeper using fresh data too. So I checked links to that IP and found the recent verdict below.

CookieBomb infection as of TODAY (note the uppercase)

I am lucky: an infected local site was freshly spotted in the honeypot; see the marked date:

(Note the date of the screenshot)

This is that evil code:

With a simple JS decode:

This leads us to ww9.jolyzgus.nl (31.170.179.179), with an unusual hula-hoop of multiple self-redirections: each 302 sends the client back to the same host with one more ww9. label prepended.
PS: below is the correct way to trace a CookieBomb, in case you need a reference; the User-Agent, Referer and Cookie are replayed unchanged on every hop. PS2: mind the Referer used ;-))

* Connect() to jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 12:04:22 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.jolyzgus.nl
< Vary: Accept-Encoding
< 
:
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:01 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:47 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1ubuntu3.7
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:37:16 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
Finally we are forwarded to a TDS at ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18), a different IP, which kicks in the parked domain's script. Note also that X-Powered-By flips between PHP/5.4.4-14 and PHP/5.3.10-1ubuntu3.7 across the hops on 31.170.179.179, which suggests more than one backend behind that single address:
* Connect() to ww6.ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 62.116.143.18...
* connected
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww6.ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 01 Nov 2013 14:16:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< Vary: Accept-Encoding
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <title>jolyzgus.nl</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <script type='text/javascript' language='JavaScript'>
var domain = 'jolyzgus.nl';
var uniqueTrackingID = 'MTM4MzMxNTQwOS43OTY4OmQ0ZjMzMTViMWY2NDUxMTY5NzlmMjM0ZmViNDZiZTUwYTI2Zjk0NWE=';
var clickTracking = true;
var themedata = '';
var xkw = '';
var xsearch = '';
var xpcat = '';
var rxid = '';
var bucket = '';
var clientID = '';
var clientIDs = '';
var num_ads = 0;
var adtest = 'off';
var scriptPath = '';
  </script>
  <script src='h00p://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
  <script type='text/javascript' language='JavaScript'>clickTracking = false;</script>
 </head>
 <body>
  <script type='text/javascript' language='JavaScript'>
window.onload = function() {
 if(clickTracking && typeof track_onclick == 'function') track_onclick("d767765fe07cda70072a07be8009b9e13b9ce70d");
 location.href = "h00p://searchresultsguide.com/?dn=jolyzgus.nl&pid=9POGER71L";
};
  </script>
 </body>
* Connection #0 to host ww6.ww9.ww9.ww9.jolyzgus.nl left intact
</html>* Closing connection #0
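The curl session above is a one-off; when a chain like this turns up again it helps to trace it programmatically, one request per hop, recording the Location header, the X-Powered-By value and the peer IP of every hop, and fingerprinting the landing page. The script below is an added example written for this page, not code from the original post or from MalwareMustDie. `live_fetch` does exactly that with http.client (which never follows redirects on its own); `mock_fetch` replays the five hops of the trace above from constructed in-memory data so the script runs offline. URLs are written http:// where the post defangs them as h00p://, the landing HTML is a shortened stand-in for the page above, and the parking markers are strings taken from that page.

```python
"""Trace a CookieBomb-style redirect chain hop by hop.

Editor's added example (not from the original post). `live_fetch` does one
request per hop; `mock_fetch` replays the curl trace above from constructed
data. Peer IPs and Location values in MOCK are the ones shown in the trace.
"""
import http.client
from urllib.parse import urlsplit

# Replayed on every hop, as in the trace. The trace also sends Set-Cookie
# attributes (expires, path) inside the Cookie header; servers ignore them.
HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    "Referer": "greetz.from.malwaremustdie.org",
    "Cookie": "visited_uq=55",
}
REDIRECTS = {301, 302, 303, 307, 308}
# Strings from the landing page above that identify the parking template.
PARKING_MARKERS = (
    "parkingcrew.net/assets/scripts",
    "var uniqueTrackingID",
    "searchresultsguide.com/?dn=",
)


def live_fetch(url, headers):
    """One GET, no redirect following. Returns (status, headers, body, peer_ip)."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=15)
    conn.request("GET", path, headers={**headers, "Host": u.hostname})
    resp = conn.getresponse()
    peer = conn.sock.getpeername()[0]
    body = resp.read().decode("utf-8", "replace")
    hdrs = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, hdrs, body, peer


# Constructed offline stand-in for the landing page shown above.
LANDING_HTML = """<html><head><title>jolyzgus.nl</title>
<script>var domain = 'jolyzgus.nl'; var uniqueTrackingID = 'constructed';</script>
<script src='http://parkingcrew.net/assets/scripts/js3.js'></script></head>
<body><script>window.onload = function() {
  location.href = "http://searchresultsguide.com/?dn=jolyzgus.nl"; };</script></body></html>"""

# url -> (status, response headers, body, peer ip), mirroring the trace.
MOCK = {
    "http://jolyzgus.nl/count21.php": (302, {"location": "http://ww9.jolyzgus.nl",
        "x-powered-by": "PHP/5.4.4-14"}, "", "31.170.179.179"),
    "http://ww9.jolyzgus.nl": (302, {"location": "http://ww9.ww9.jolyzgus.nl",
        "x-powered-by": "PHP/5.4.4-14"}, "", "31.170.179.179"),
    "http://ww9.ww9.jolyzgus.nl": (302, {"location": "http://ww9.ww9.ww9.jolyzgus.nl",
        "x-powered-by": "PHP/5.3.10-1ubuntu3.7"}, "", "31.170.179.179"),
    "http://ww9.ww9.ww9.jolyzgus.nl": (302, {"location": "http://ww6.ww9.ww9.ww9.jolyzgus.nl",
        "x-powered-by": "PHP/5.4.4-14"}, "", "31.170.179.179"),
    "http://ww6.ww9.ww9.ww9.jolyzgus.nl": (200, {"server": "nginx"}, LANDING_HTML, "62.116.143.18"),
}


def mock_fetch(url, headers):
    status, hdrs, body, peer = MOCK[url]
    return status, dict(hdrs), body, peer


def is_self_redirect(prev_host, next_host):
    """True when a hop only prepends labels to the same host (ww9.x -> ww9.ww9.x)."""
    return next_host != prev_host and next_host.endswith("." + prev_host)


def follow(url, fetch=live_fetch, max_hops=10):
    """Return one dict per hop; stops at the first non-redirect or at max_hops."""
    chain = []
    for _ in range(max_hops):
        status, hdrs, body, peer = fetch(url, HEADERS)
        hop = {"url": url, "ip": peer, "status": status,
               "powered_by": hdrs.get("x-powered-by")}
        chain.append(hop)
        loc = hdrs.get("location")
        if status in REDIRECTS and loc:
            hop["self_redirect"] = is_self_redirect(urlsplit(url).hostname,
                                                    urlsplit(loc).hostname)
            url = loc
            continue
        hop["parking_markers"] = [m for m in PARKING_MARKERS if m in body]
        break
    return chain


def summarize(chain):
    return {
        "hops": len(chain),
        "self_redirects": sum(1 for h in chain if h.get("self_redirect")),
        "ips": [h["ip"] for h in chain],  # an IP change mid-chain is the TDS hand-off
        "backends": sorted({h["powered_by"] for h in chain if h["powered_by"]}),
        "parked_landing": len(chain[-1].get("parking_markers", [])) >= 2,
    }


if __name__ == "__main__":
    chain = follow("http://jolyzgus.nl/count21.php", mock_fetch)
    for hop in chain:
        print(hop)
    print(summarize(chain))
```

Against a live host, call `follow("http://<host>/<path>")` with the default `live_fetch`; keep `max_hops` small, since a chain that keeps prepending labels to its own hostname is exactly the loop this defends against. The summary makes the two security-relevant facts of the trace explicit: the hand-off to a second IP on the last hop, and the different PHP versions seen behind the first IP.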
Below are the payloads from attempts to fetch malware files from, and callbacks to, 62.116.143.18; the VT report for each payload is self-explanatory, please see the behavioural analysis tab (if available):
https://www.virustotal.com/en/file/19545f41f732280631e1b67302cdd8ab0d0e446a49c2022d6588f170ca9cbfb5/analysis/
https://www.virustotal.com/en/file/7c4a07f4c4fd3f9643cb1cf3d4aa7851ad790cf506efb150c0accc1fc85c2222/analysis/
https://www.virustotal.com/en/file/7fc85db12578612d73b5c670c4addec2d20f0154775addd43fab19450b8cd46a/analysis/
https://www.virustotal.com/en/file/8cab9d5987d5f72338981423043b9118d6eb20b146ea5f1f8000f25b50d2e46e/analysis/
https://www.virustotal.com/en/file/4280a7be51e34088d34eacd628af58b459672ac45b85b18113f8ed1f8bd19898/analysis/
https://www.virustotal.com/en/file/b7657dfc20e077929c89afb6d9c47dc16d1ef3a0404d7a5168d318651c223add/analysis/
https://www.virustotal.com/en/file/39d69b0a16a16c7cbb6b0118f1b5999f75c425918b66c9293509dc822593d383/analysis/
Additionally, the VirusTotal report for 62.116.143.18 is here: [VirusTotal]

Just in case: the domain jolyzgus.nl is actually SUSPENDED and PARKED, per the details below. Is it still infecting us? This is a real mystery for all of us to check.

$ nslookup -type=any jolyzgus.nl

jolyzgus.nl
 origin = ns.parktons.com
 mail addr = root.gransy.com
 serial = 2013010310
 refresh = 1800
 retry = 10800
 expire = 604800
 minimum = 1800
jolyzgus.nl nameserver = ns.parktons.com.
jolyzgus.nl nameserver = ns2.parktons.com.
jolyzgus.nl internet address = 31.170.179.179


$ whois jolyzgus.nl|less

Domain name: jolyzgus.nl
Status:      active

Registrar:
   1API Gmbh
   Talstrasse 27
   66424 Homburg
   Deutschland
   Germany

Registrant DemieGoudswaard
Administrative contact admin@jolyzgus.nl
Technical contact(s) admin@jolyzgus.nl

Domain nameservers:
   ns1.1apidomainondispute.net
   ns2.1apidomainondispute.net
   ns3.1apidomainondispute.net
   DNSSEC:      no

Date registered  2013-08-28
Date of last change  2013-09-02
Record maintained by  NL Domain Registry
Note the mismatch between the nameservers the registry lists (ns1-3.1apidomainondispute.net) and the SOA/NS that DNS actually answers for the zone (ns.parktons.com). Feel free to comment! :-)

Additional / Final Conclusion:

As initially suspected, after deeper investigation: the CookieBomb malware domain jolyzgus.nl is gone and the domain is now parked on 31.170.179.179 (parktons.com), which auto-forwards to the affiliate domain-parking service on 62.116.143.18 (parkingcrew.com).

We still have the question of HOW a parked domain's IP can still provide malware samples as reported; this investigation is still open and results will be added accordingly.

#MalwareMustDie!

6 comments:

  1. There is a problem with this:

    1apidomainondispute.net was a free domain, registered by one customer and parked at parktons.com. The DNS of parktons.com answers the same IP for any domain (because it is for parking). This situation does the resolving for jolyzgus.nl (because 1apidomainondispute.net is resolved by the parktons DNS, and the parktons server resolves domains pointed to this domain). jolyzgus.nl was used for malware or viruses previously. Now the domain is working, but only parked: no virus, no malware. But because it is resolving, the IP 31.170.179.179 is marked as "bad". This is an error, of course.

    Replies
    1. Thank you for your comment, good sir.
      However, HOW can parked domains on a parked IP address have a bad TDS script that directs users to another IP address?
      I just want to state that EVEN if a domain is parked, it doesn't mean it cannot be hacked for a malicious purpose.

    2. This is simple. Parktons is not a parking provider directly, but uses many parking companies and finds the best way for monetization. ww6.domain has the IP of parkingcrew.com, ww9.domain has the IP of skenzo.com, ww1.domain has the IP of Rookmedia, ww2.domain has the IP of bodis.com, etc. If you go to a domain (any domain directed to the parktons NS; it's tens of thousands of domains) you will be redirected to one of the parking providers, randomly, or to the best parking for the current domain.

      If you look at another malware domain, with active malware, the requested URL will return some data: the bad data, virus, etc. Yes, in this sample this is malware. But if you look at any domain hosted on 31.170.179.179 you will see only a redirect, not any bad data/virus. 31.170.179.179 does not host any bad data, and this bad view is made only by parking old bad domains :-/ Nothing more.

    3. This is understandable. Thanks for sharing very good information with all of us.
      The conclusion is:
      (1) So, as suspected, 31.170.179.179 hosts parked domains previously owned by malware/infected domains.
      (2) What we PoC'ed is a strange redirection going from 31.170.179.179 to (ww6) 62.116.143.18, which is supposed to be another parked domain, yet "unexpectedly" ends up in a malware infection scheme.

    4. I just confirmed that all of the callbacks to the following IPs, 31.170.179.179 (parktons.com), which has an auto-forwarder to the affiliate domain-parking service on 62.116.143.18 (parkingcrew.com), are caused by "still-alive" infection traces (on PCs, on infected/hacked/injected sites) which are all still pointing to the previous malicious domains used by the malware, which were served under different A records.

      The reason that 31.170.179.179 and 62.116.143.18 look very bad is that, after the malware domains were gone, the domains were parked on these two IPs (maybe more), causing all malicious calls/requests to go straight to these IPs, ending up with this misinterpretation.

      We are still investigating some suspicious samples from one of the IPs above, which will be reported later; the investigation of this case is open.
      Thank you for helping clarify this case. Yes, a lot of things should be learned and considered in the internet domain industry, given the tons of maliciousness in it.

      Now another good question from our member was just raised: WHY would someone park malware domains? What's the merit of it? Why NOT just kill and erase them for good from the internet? Parking the malicious domains will EXACTLY cause trouble like this.

      The answer is: causing trouble, maybe, but we should thank the good will of the good domain-parking services for taking the bullet in parking those malware domains. If someone were NOT keeping these domains parked, the bad guys' effort to take over the previous malware domains and put them back in service would be a lot easier.

    5. The answer is very simple: many domainers register domains due to NXD data. For example, Verisign offers a service called Verisign Data Analyzer, where you can get statistics about NXD data (non-existent domains in DNS). This means that a domainer sees that some domain has big traffic, but he doesn't know what kind of traffic it is. He registers this domain because he expects many people = much revenue.

      And there is a second problem. The registrar and the parking company can't block this domain, because their customer does not do anything bad. The customer only registered a free domain and parked it. The bad history of a domain is not a reason for blocking. The only reason to block would be if the domain is still used for malware/viruses, etc.

      A sample situation:

      1. Customer A has old and unsecured hosting, an outdated version of a CMS for his domain, with traffic of hundreds of people per day (and many backlinks on the internet).
      2. Some attacker hacks his website and puts some viruses on it.
      3. This attacker's robot hacks many, many, many sites and puts links to the viruses on the previously hacked domains.
      4. Because customer A is not interested in this web site, and is notified about some problems with this domain, he stops hosting and waits for the domain to expire.
      5. The domain is not working, but has many backlinks, and has traffic from the many attacked domains from step 3.
      6. The domain expires.
      7. Customer B sees this domain in the droplist with big NXD (hundreds of accesses per day + accesses from the hacked websites from step 3), estimates that this domain can have good revenue, and registers it.
      8. The domain lives on as a parking page and is visited by:
      a. hundreds of real people from backlinks;
      b. thousands of scripts trying to get the bad code (now not hosted, of course).
      9. The parking company has an algorithm to detect good people, and shows stats only for this type of traffic; customer B doesn't know about the bad traffic (because it is not counted by the parking company).
      10. Customer B gets the revenue generated by the good people (maybe dollars or tens of dollars per day).

      And now you track this domain from some information, and say: this domain is a malware domain, please stop it, please delete it.

      1. Why would the registrar stop/delete this domain if it sees that it is only parked?
      2. Why would the customer stop/delete this domain if he sees that it is only parked and makes revenue for him?
      3. Why would the parking company stop this domain, if it knows there is no malware on its servers?

      No way; the domain will stay live, because it is not bad at this time.
