Saturday, November 2, 2013

How bad can an IP's reputation be? A story of: 31.170.179.179 & 62.116.143.18 (parked domains)

Many people have asked me "Can we trust malicious IP reports?", and I always answer: "Hell, yes!", because behind those reports there are dedicated researchers working hard to prove the badness, and believe me, nobody ever wants to publish a false positive verdict.., so the malware and security researchers involved mostly cross-check other references or discuss with others to be sure beforehand.

This is a story about the IP address 31.170.179.179; it is still happily up and alive, with the details below:

The IP is marked as bad (now). It has a very bad history; I was actually thinking this is a parked domains' IP, but it still "IS" a bad, bad, evil IP, and I will describe its badness in the poor writing below:
(Note: Please block 31.170.179.179 and 62.116.143.18, since malware is served by these hosts.)

Historical & Reputation Research of 31.170.179.179:

Below is the recent historical data for the IP; feel free to look up each domain stated in the details below to verify what I state.

xxx.wds03.com series of DGA...

nxfifwwsia.wds03.com  A  31.170.179.179
lbkxibmtqb.wds03.com  A  31.170.179.179
wpad.wds03.com  A  31.170.179.179
yaivjmqekg.wds03.com  A  31.170.179.179
drwfvaol.wds03.com  A  31.170.179.179
sgtxranpom.wds03.com  A  31.170.179.179
isatap.wds03.com  A  31.170.179.179
ggrixhspar.wds03.com  A  31.170.179.179
ltbgnkzrzr.wds03.com  A  31.170.179.179
batmoflaqft.wds03.com  A  31.170.179.179
jwmspvljlv.wds03.com  A  31.170.179.179
vqblegfygqwgrqv.wds03.com  A  31.170.179.179
qpfjfcpsdy.wds03.com  A  31.170.179.179
ygwnaxsuoy.wds03.com  A  31.170.179.179
zsnwosoziz.wds03.com  A  31.170.179.179

xxx.x[1|2]-line.com series of DGA...
xjfiozjjbg.a1-line.com  A  31.170.179.179
saqzurmcudg.a1-line.com  A  31.170.179.179
vrnftosdtr.a1-line.com  A  31.170.179.179
frrdwoidpt.a1-line.com  A  31.170.179.179
mcipgaxv.a1-line.com  A  31.170.179.179
bamaghbarm.c1-line.com  A  31.170.179.179
ivcodrfdmw.c1-line.com  A  31.170.179.179
xwvxbjxnpc.c2-line.com  A  31.170.179.179
nkrjtpmbjlaf.c2-line.co  A  31.170.179.179
imcuctlmdch.c2-line.com  A  31.170.179.179
bdukyhcboxps.c2-line.co  A  31.170.179.179
uvypmbkkqa.e2-line.com  A  31.170.179.179
marduxfkcp.e2-line.com  A  31.170.179.179
boodeyprwq.e2-line.com  A  31.170.179.179
aodnmpcvcv.e2-line.com  A  31.170.179.179
ulalzvsniy.e2-line.com  A  31.170.179.179
zxvsfkgraz.e2-line.com  A  31.170.179.179

(Spoofing?? Parking??) Records for reverse-IP "in-addr.arpa" names pointing here.. weird..

171.80.117.50.in-addr.arpa  A  31.170.179.179
219.80.117.50.in-addr.arpa  A  31.170.179.179
149.80.117.50.in-addr.arpa  A  31.170.179.179
201.128.241.213.202.in-addr.arpa  A  31.170.179.179
106.216.234.173.in-addr.arpa  A  31.170.179.179
200.196.234.173.in-addr.arpa  A  31.170.179.179
140.196.234.173.in-addr.arpa  A  31.170.179.179
240.196.234.173.in-addr.arpa  A  31.170.179.179
50.196.234.173.in-addr.arpa  A  31.170.179.179
221.196.234.173.in-addr.arpa  A  31.170.179.179
22.196.234.173.in-addr.arpa  A  31.170.179.179
84.196.234.173.in-addr.arpa  A  31.170.179.179
125.196.234.173.in-addr.arpa  A  31.170.179.179
65.196.234.173.in-addr.arpa  A  31.170.179.179
95.196.234.173.in-addr.arpa  A  31.170.179.179
6.196.234.173.in-addr.arpa  A  31.170.179.179
16.196.234.173.in-addr.arpa  A  31.170.179.179
186.196.234.173.in-addr.arpa  A  31.170.179.179
127.196.234.173.in-addr.arpa  A  31.170.179.179
187.196.234.173.in-addr.arpa  A  31.170.179.179
8.196.234.173.in-addr.arpa  A  31.170.179.179
48.196.234.173.in-addr.arpa  A  31.170.179.179
98.196.234.173.in-addr.arpa  A  31.170.179.179
9.196.234.173.in-addr.arpa  A  31.170.179.179
219.196.234.173.in-addr.arpa  A  31.170.179.179
139.196.234.173.in-addr.arpa  A  31.170.179.179
6.218.74.64.in-addr.arpa  A  31.170.179.179
194.242.61.94.in-addr.arpa  A  31.170.179.179
141.173.117.195.in-addr.arpa  A  31.170.179.179
200.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
241.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
155.128/25.250.152.216.in-addr.arpa  A  31.170.179.179
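The two listings above (the random-looking labels under wds03.com and the x1/x2-line.com zones, and the in-addr.arpa names carrying A records) are the kind of passive-DNS signal an analyst scores by hand. As an added example that is not part of the original post, the Python below does that scoring over a constructed set of records modelled on the ones listed: it groups every name that resolves to the IP by its apex, counts labels that look algorithmic with a cheap consonant/vowel heuristic, counts A records sitting in the reverse tree (which should only hold PTR records), and separately counts the Windows auto-discovery names wpad and isatap, whose presence under an unrelated zone usually means a wildcard record answers for anything. The heuristic thresholds and the sample records are assumptions for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS records modelled on the post's listing: (name, rtype, rdata).
SAMPLE_RECORDS = [
    ("nxfifwwsia.wds03.com", "A", "31.170.179.179"),
    ("lbkxibmtqb.wds03.com", "A", "31.170.179.179"),
    ("wpad.wds03.com", "A", "31.170.179.179"),
    ("isatap.wds03.com", "A", "31.170.179.179"),
    ("xjfiozjjbg.a1-line.com", "A", "31.170.179.179"),
    ("frrdwoidpt.a1-line.com", "A", "31.170.179.179"),
    ("171.80.117.50.in-addr.arpa", "A", "31.170.179.179"),
    ("200.128/25.139.151.216.in-addr.arpa", "A", "31.170.179.179"),
    ("www.example.com", "A", "31.170.179.179"),  # ordinary-looking name, for contrast
]

VOWELS = set("aeiou")
# Windows auto-configuration lookups; a zone that answers them for any client is
# almost always a wildcard, which is consistent with a parking/sinkhole setup.
AUTODISCOVERY_LABELS = {"wpad", "isatap"}


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_algorithmic(label):
    """Cheap DGA heuristic: long, letters only, and either a long consonant run or
    few vowels. It mis-flags some real words (e.g. 'wordpress'), so judge by the
    volume of such labels per apex, never by a single name."""
    if len(label) < 8 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return longest_consonant_run(label) >= 4 or vowel_ratio <= 0.3


def apex_of(name):
    # Naive apex: the last two labels ("in-addr.arpa" for reverse names).
    return ".".join(name.split(".")[-2:])


def summarize(records, target_ip):
    """Group every A record pointing at target_ip by apex and collect reputation signals."""
    summary = defaultdict(lambda: {"total": 0, "algorithmic": 0,
                                   "autodiscovery": 0, "arpa_a_records": 0})
    for name, rtype, rdata in records:
        if rtype != "A" or rdata != target_ip:
            continue
        s = summary[apex_of(name)]
        s["total"] += 1
        first = name.split(".")[0]
        if name.endswith(".in-addr.arpa"):
            s["arpa_a_records"] += 1  # the reverse tree should hold PTR records, not A
        elif first in AUTODISCOVERY_LABELS:
            s["autodiscovery"] += 1
        elif looks_algorithmic(first):
            s["algorithmic"] += 1
    return dict(summary)


if __name__ == "__main__":
    for apex, signals in summarize(SAMPLE_RECORDS, "31.170.179.179").items():
        print(f"{apex:20s} {signals}")
```

Apexes with many algorithmic labels and no ordinary hostnames, plus A records in in-addr.arpa, are what make the passive-DNS history of this IP look the way the post describes; the same grouping works over a full passive-DNS export once the records are loaded as tuples.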

Palevo Botnet's CnC:

URL: https://palevotracker.abuse.ch/?ipaddress=31.170.179.179 (Thanks to ABUSE.CH)

With the UrlQuery records flagged as a threat by Emerging Threats (good work!): URL: http://goo.gl/KD6XxT

Kelihos domains and payloads (thanks to OP-Kelihos, great team!):

h00p://bixepfet.nl/inkr001.exe
h00p://yjtucerr.nl/nothin3.exe
h00p://jegijfyr.nl/nothin3.exe
h00p://huvjeyjq.nl/userid2.exe
h00p://qavukzak.nl/inkr001.exe
h00p://judnopem.nl/traff01.exe

VirusTotal has a longer history of this IP (thanks for the good record!):

Link-->>[HERE]

OpenDNS Umbrella Labs' graph (thank you for sharing the tool!) has long records too:

And so on...

The past stays in the past.. No?

Up to this point some people may think: "Yes, it was harmful, but maybe it was a VPS used by bad actors, so now it is 'maybe' becoming a clean and parked one."
Well, that possibility exists, but let's check it deeper using fresh status too. So I checked links to that IP and found the recent verdict below..

CookieBomb infection as per TODAY (note the uppercase)

I am lucky.. a local site with the infection was just freshly spotted in the honeypot, see the marked date:

(Note the date of the screenshot)

This is that evil code:

With a simple JS decode:

This leads us to ww9.jolyzgus.nl (31.170.179.179)… with some unusual hula-hoop multiple self-redirection.
PS: Below is the correct way to trace a CookieBomb, in case you need a reference. PS2: mind the referrer used ;-))

* Connect() to jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 12:04:22 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.jolyzgus.nl
< Vary: Accept-Encoding
< 
:
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:01 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:47 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1ubuntu3.7
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:37:16 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
This is forwarded to a TDS at ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18), which kicks in the parked domain's script.
* Connect() to ww6.ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 62.116.143.18...
* connected
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww6.ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 01 Nov 2013 14:16:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< Vary: Accept-Encoding
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <title>jolyzgus.nl</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <script type='text/javascript' language='JavaScript'>
var domain = 'jolyzgus.nl';
var uniqueTrackingID = 'MTM4MzMxNTQwOS43OTY4OmQ0ZjMzMTViMWY2NDUxMTY5NzlmMjM0ZmViNDZiZTUwYTI2Zjk0NWE=';
var clickTracking = true;
var themedata = '';
var xkw = '';
var xsearch = '';
var xpcat = '';
var rxid = '';
var bucket = '';
var clientID = '';
var clientIDs = '';
var num_ads = 0;
var adtest = 'off';
var scriptPath = '';
  </script>
  <script src='h00p://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
  <script type='text/javascript' language='JavaScript'>clickTracking = false;</script>
 </head>
 <body>
  <script type='text/javascript' language='JavaScript'>
window.onload = function() {
 if(clickTracking && typeof track_onclick == 'function') track_onclick("d767765fe07cda70072a07be8009b9e13b9ce70d");
 location.href = "h00p://searchresultsguide.com/?dn=jolyzgus.nl&pid=9POGER71L";
};
  </script>
 </body>
* Connection #0 to host ww6.ww9.ww9.ww9.jolyzgus.nl left intact
</html>* Closing connection #0
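The trace above is read by eye: each "Connected to" line is a hop, each 302 carries a Location that prepends one more label to the previous host, and the IP only changes on the last hop. As an added example that is not part of the original post, the Python below parses a curl -v excerpt into hops and reports exactly those signals: how many redirects nest the previous hostname under a new label, where the IP changes, whether any hop does not match the previous Location, and whether the chain exceeds a hop limit (the loop pattern here would otherwise go on indefinitely). The embedded trace is a constructed abbreviation of the post's, keeping the h00p:// defanging; the regexes assume curl's verbose output format and the hop limit of 10 is an arbitrary choice.

```python
import re
from urllib.parse import urlsplit

# Constructed curl -v excerpt modelled on the post's trace (defanged h00p://, as in the post).
SAMPLE_TRACE = """\
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> Host: jolyzgus.nl
< HTTP/1.1 302 Found
< Location: h00p://ww9.jolyzgus.nl
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 302 Found
< Location: h00p://ww9.ww9.jolyzgus.nl
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
< HTTP/1.1 302 Found
< Location: h00p://ww6.ww9.ww9.jolyzgus.nl
* Connected to ww6.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
< HTTP/1.1 200 OK
< X-Check: constructed-placeholder
"""

CONNECTED_RE = re.compile(r"^\* Connected to (\S+) \((\d+\.\d+\.\d+\.\d+)\) port (\d+)")
STATUS_RE = re.compile(r"^< HTTP/\d\.\d (\d{3})")
LOCATION_RE = re.compile(r"^< Location:\s*(\S+)", re.IGNORECASE)


def refang(url):
    """Undo the h00p:// defanging used in the post so the host can be parsed."""
    return url.replace("h00ps://", "https://").replace("h00p://", "http://")


def parse_trace(text):
    """Turn curl -v output into a list of hops: host, ip, status, redirect target."""
    hops = []
    for line in text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            hops.append({"host": m.group(1), "ip": m.group(2), "status": None, "location": None})
            continue
        if not hops:
            continue  # ignore anything before the first connection line
        m = STATUS_RE.match(line)
        if m:
            hops[-1]["status"] = int(m.group(1))
            continue
        m = LOCATION_RE.match(line)
        if m:
            hops[-1]["location"] = refang(m.group(1))
    return hops


def analyze(hops, max_hops=10):
    """Summarize the redirect chain: nesting, IP changes, unexplained hops, length."""
    findings = {
        "hops": len(hops),
        "nested_redirects": 0,   # next host == "<label>." + previous host
        "ip_changes": [],        # (old_ip, new_ip, host) where the chain moved servers
        "unexplained_hops": 0,   # hop whose host is not the previous Location
        "final_status": hops[-1]["status"] if hops else None,
        "over_limit": len(hops) > max_hops,
    }
    for prev, cur in zip(hops, hops[1:]):
        nested = (cur["host"].endswith("." + prev["host"])
                  and cur["host"].count(".") == prev["host"].count(".") + 1)
        if nested:
            findings["nested_redirects"] += 1
        if cur["ip"] != prev["ip"]:
            findings["ip_changes"].append((prev["ip"], cur["ip"], cur["host"]))
        expected = urlsplit(prev["location"]).hostname if prev["location"] else None
        if expected != cur["host"]:
            findings["unexplained_hops"] += 1
    return findings


if __name__ == "__main__":
    chain = parse_trace(SAMPLE_TRACE)
    for hop in chain:
        print(f"{hop['host']:35s} {hop['ip']:16s} {hop['status']} -> {hop['location']}")
    print(analyze(chain))
```

Running it on a live capture is just a matter of feeding the saved stderr of curl -v into parse_trace; a chain where every hop nests the previous host and the IP only changes at the end is the fingerprint of the forwarder-to-parking setup the post describes.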
Below are the payloads from attempts to fetch malware files and calls to 62.116.143.18; the VT report for each payload is self-explanatory, please see the behaviour analysis tab (if available):
https://www.virustotal.com/en/file/19545f41f732280631e1b67302cdd8ab0d0e446a49c2022d6588f170ca9cbfb5/analysis/
https://www.virustotal.com/en/file/7c4a07f4c4fd3f9643cb1cf3d4aa7851ad790cf506efb150c0accc1fc85c2222/analysis/
https://www.virustotal.com/en/file/7fc85db12578612d73b5c670c4addec2d20f0154775addd43fab19450b8cd46a/analysis/
https://www.virustotal.com/en/file/8cab9d5987d5f72338981423043b9118d6eb20b146ea5f1f8000f25b50d2e46e/analysis/
https://www.virustotal.com/en/file/4280a7be51e34088d34eacd628af58b459672ac45b85b18113f8ed1f8bd19898/analysis/
https://www.virustotal.com/en/file/b7657dfc20e077929c89afb6d9c47dc16d1ef3a0404d7a5168d318651c223add/analysis/
https://www.virustotal.com/en/file/39d69b0a16a16c7cbb6b0118f1b5999f75c425918b66c9293509dc822593d383/analysis/
Additionally, the VirusTotal report for 62.116.143.18 is here-->>[VirusTotal]

Just in case: the domain jolyzgus.nl is actually SUSPENDED and PARKED, per the details below. Is it still infecting us? This is a real big mystery for all of us to check..

$ nslookup jolyzgus.nl

jolyzgus.nl
 origin = ns.parktons.com
 mail addr = root.gransy.com
 serial = 2013010310
 refresh = 1800
 retry = 10800
 expire = 604800
 minimum = 1800
jolyzgus.nl nameserver = ns.parktons.com.
jolyzgus.nl nameserver = ns2.parktons.com.
jolyzgus.nl internet address = 31.170.179.179
$ whois jolyzgus.nl|less

Domain name: jolyzgus.nl
Status:      active

Registrar:
   1API Gmbh
   Talstrasse 27
   66424 Homburg
   Deutschland
   Germany

Registrant DemieGoudswaard
Administrative contact admin@jolyzgus.nl
Technical contact(s) admin@jolyzgus.nl

Domain nameservers:
   ns1.1apidomainondispute.net
   ns2.1apidomainondispute.net
   ns3.1apidomainondispute.net
   DNSSEC:      no

Date registered  2013-08-28
Date of last change  2013-09-02
Record maintained by  NL Domain Registry

Feel free to comment! :-)

Additional / Final Conclusion:

As initially suspected, after deeper investigation the CookieBomb malware domain jolyzgus.nl was gone and the domain was parked under 31.170.179.179 (parktons.com), which has an auto-forwarder to the affiliate parking domain service at 62.116.143.18 (parkingcrew.com).

We still have the question of HOW a parked domain's IP can still provide malware samples as reported; the investigation of this matter is still open, and results will be added accordingly.

#MalwareMustDie!