{"id":7161,"date":"2017-03-29T16:10:01","date_gmt":"2017-03-30T00:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-952\/"},"modified":"2017-03-29T16:10:01","modified_gmt":"2017-03-30T00:10:01","slug":"news-952","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/29\/news-952\/","title":{"rendered":"Websites compromised in &#8216;Decimal IP&#8217; campaign"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Wed, 29 Mar 2017 23:00:52 +0000<\/strong><\/p>\n<p>When looking at malicious traffic, one of the things we are interested in is the set of hosts involved in a\u00a0particular attack. For example, we check\u00a0the hostnames or IP addresses that were serving up malicious code.<\/p>\n<p>Before getting further, let&#8217;s define a few concepts to better understand the topic we are discussing today. A host name can be:<\/p>\n<ul>\n<li>A\u00a0domain name (e.g. <em>http:\/\/<\/em><span style=\"color: #0000ff\"><em>example.com<\/em><\/span><em>\/<\/em>)<\/li>\n<li>A\u00a0fully qualified domain name (e.g. <em>http:\/\/<\/em><span style=\"color: #0000ff\"><em>test.example.com<\/em><\/span><em>\/<\/em>)<\/li>\n<li>An IP address (e.g. <em>http:\/\/<\/em><span style=\"color: #0000ff\"><em>127.0.0.1<\/em><\/span><em>\/<\/em>)<\/li>\n<\/ul>\n<p>It is less common, but an IP address can be used directly as the host in a URL, and when that happens it is called an\u00a0<strong>IP-Literal Hostname<\/strong> (see Eric Lawrence&#8217;s <a href=\"https:\/\/blogs.msdn.microsoft.com\/ieinternals\/2014\/03\/06\/browser-arcana-ip-literals-in-urls\/\" target=\"_blank\">post<\/a> on this subject).<\/p>\n<p>IPv4 addresses are normally written in\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dot-decimal_notation\" target=\"_blank\">dot-decimal notation<\/a>: four numbers, each ranging from 0 to 255, separated by dots. 
But\u00a0then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (<em>http:\/\/<span style=\"color: #0000ff\">2130706433<\/span>\/<\/em>) or octal form (<em>http:\/\/<span style=\"color: #0000ff\">017700000001<\/span>\/<\/em>). The decimal form is just the 32-bit address written as a single integer: 127.0.0.1 is 127*256^3 + 0*256^2 + 0*256 + 1 = 2130706433, and the octal form is the same value written in base 8, with the leading 0 marking it as octal.<\/p>\n<p>This takes us to a recent infection chain for the RIG exploit kit where we came across such\u00a0an occurrence. The host was:<\/p>\n<pre>http:\/\/<strong>1760468715<\/strong><\/pre>\n<p>While to a human it makes little sense that this could\u00a0even resolve, Internet Explorer and Chrome (Edge doesn&#8217;t seem to)\u00a0handle it just fine and convert it into a proper IP address (<em>104.238.158.235<\/em>, since 104*256^3 + 238*256^2 + 158*256 + 235 = 1760468715):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17123\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal.png\" alt=\"\" width=\"375\" height=\"64\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal.png 375w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal-300x51.png 300w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><\/p>\n<p>We observed websites that had been hacked and were pushing this unorthodox URL via\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_302\" target=\"_blank\">302 redirects<\/a> (the HTTP response code for a temporary redirect, with the new address given in the <em>Location<\/em> header):<\/p>\n<pre>HTTP\/1.1 302 Found\nServer: nginx\/1.10.1\nContent-Type: text\/html\nContent-Length: 0\nConnection: keep-alive\nX-Powered-By: PHP\/5.3.10-1ubuntu3.23\nAccess-Control-Allow-Origin: *\nLocation: <strong>http:\/\/1760468715\/<\/strong>\nVary: Accept-Encoding<\/pre>\n<p>This in turn leads\u00a0to another redirector performing the final call to the RIG EK landing page and infecting the user with the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/08\/smoke-loader-downloader-with-a-smokescreen-still-alive\/\" target=\"_blank\">Smoke 
Loader<\/a> malware, as shown\u00a0below:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal_redirector.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17124\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal_redirector.png\" alt=\"\" width=\"834\" height=\"518\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal_redirector.png 834w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal_redirector-300x186.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decimal_redirector-600x373.png 600w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/a><\/p>\n<p>Upon Googling for that particular string (<em>1760468715<\/em>), we can find many\u00a0sites that have been injected with the Decimal IP redirect:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/hacked_sites.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17135\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/hacked_sites.png\" alt=\"\" width=\"811\" height=\"784\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/hacked_sites.png 811w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/hacked_sites-300x290.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/hacked_sites-600x580.png 600w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><\/a><\/p>\n<p>There is a <a href=\"http:\/\/webcache.googleusercontent.com\/search?q=cache:aTdfZlUOqt8J:serverfault.com\/questions\/840684\/how-to-find-this-malicious-script-from-server-http-1760468715+&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=us\" target=\"_blank\">thread<\/a> on StackExchange\u00a0about a website owner dealing with such an infection and trying to find how to locate it. 
Some suggest grepping the entire server for the incriminating string, while others recommend a complete wipe and reinstall.<\/p>\n<p>Perhaps the malicious actors are trying to evade filters that match on the dotted-decimal string, or simply to make identification harder, by using a less common URL format. In any case,\u00a0<a href=\"https:\/\/www.malwarebytes.com\/premium\/\" target=\"_blank\">Malwarebytes users<\/a> are protected from accessing this rogue\u00a0server, no matter how the URL is formatted.<\/p>\n<p>And if you wonder about real-life uses of these non-dotted IP-literal URLs and want to participate in\u00a0the debate, feel free to join this <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=67730\" target=\"_blank\">16-year-old thread<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17140\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/Mozilla.png\" alt=\"\" width=\"628\" height=\"214\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/Mozilla.png 628w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/Mozilla-300x102.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/Mozilla-600x204.png 600w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/p>\n<h3>IOCs:<\/h3>\n<p>Redirect:<\/p>\n<pre>Decimal IP: 1760468715\nIPv4 dot-decimal: 104.238.158.235<\/pre>\n<p>Payload (Smoke Loader), SHA256:<\/p>\n<pre>4bed780a55e6179e4a1236444c34398af50d3bea39f86eb877089265f833bda5<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/websites-compromised-decimal-ip-campaign\/\">Websites compromised in &#8216;Decimal IP&#8217; campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/websites-compromised-decimal-ip-campaign\/\" target=\"bwo\" 
>https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 29 Mar 2017 23:00:52 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/websites-compromised-decimal-ip-campaign\/' title='Websites compromised in 'Decimal IP' campaign'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/06\/photodune-14842084-3d-particles-connection-s.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>This URL is quite probably unlike anything you&#8217;ve ever seen before and yet still works and redirects to malware.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/exploits\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/1760468715\/\" rel=\"tag\">1760468715<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig-ek\/\" rel=\"tag\">RIG EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig-exploit-kit\/\" rel=\"tag\">RIG exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/site-hacks\/\" rel=\"tag\">site hacks<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/websites-compromised-decimal-ip-campaign\/' title='Websites compromised in 'Decimal IP' campaign'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/websites-compromised-decimal-ip-campaign\/\">Websites compromised in &#8216;Decimal IP&#8217; campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11791,4503,10527,10987,3764,11792,11038,11793],"class_list":["post-7161","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-11791","tag-cybercrime","tag-ek","tag-exploits","tag-malware","tag-rig-ek","tag-rig-exploit-kit","tag-site-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7161"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7161\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}