[Emerging-Sigs] Whatismyip Sigs

Matt Jonkman jonkman at jonkmans.com
Wed Jan 7 13:30:12 EST 2009


A common thing many of the malware samples we see do is hit
whatismyip.com to get their external IP address. There are a few other
sites, but whatismyip.com/net/org is by far the most prevalent, as they
are automation friendly and don't make it difficult to scrape the IP.

There are a few others; I've put together the following sigs to cover the
ones we see in malware. These aren't all of the IP lookup sites, there
are hundreds, but these are very commonly used.

And to be clear: we do not mean to imply these sites are bad or complicit
with any of the bots out there. Just that unexpected access to these in your
net is something you should check out.



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via whatismyip.com Automation Page
- Possible Infection"; flow:established,to_server;
uricontent:"/automation/n09230945.asp"; classtype:attempted-recon;
sid:2008985; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via whatismyip.com - Possible
Infection"; flow:established,to_server; content:"GET "; depth:4;
content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
classtype:attempted-recon; sid:2008986; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via showip.net - Possible
Infection"; flow:established,to_server; content:"GET "; depth:4;
content:"|0d 0a|Host\: "; content:".showip."; within:15;
classtype:attempted-recon; sid:2008987; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via cmyip.com - Possible
Infection"; flow:established,to_server; content:"GET "; depth:4;
content:"|0d 0a|Host\: "; content:".cmyip."; within:12;
classtype:attempted-recon; sid:2008988; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
Internal Host Retrieving External IP via showmyip.com - Possible
Infection"; flow:established,to_server; content:"GET "; depth:4;
content:"|0d 0a|Host\: "; content:".showmyip."; within:15;
classtype:attempted-recon; sid:2008989; rev:1;)
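As an added example, not part of the original post or the ET ruleset, here is a small Python emulation of how the four Host-header rules above (sids 2008986-2008989) match a raw HTTP request, so you can sanity-check a captured request or a suspected false positive before tuning. It assumes a simplified first-occurrence model of Snort's content/depth/within options (real Snort backtracks on relative matches; this does not) and skips the uricontent rule, which matches on the normalized URI rather than the raw payload.

```python
# Added example (not from the original post): simplified emulation of the
# content:"GET "; depth:4; content:"|0d 0a|Host: "; content:<frag>; within:<n>
# chain used by sids 2008986-2008989. First-occurrence matching only.

RULES = {  # sid -> (Host fragment, within) copied from the rules above
    2008986: (b".whatismyip.", 15),
    2008987: (b".showip.", 15),
    2008988: (b".cmyip.", 12),
    2008989: (b".showmyip.", 15),
}


def host_rule_matches(payload: bytes, fragment: bytes, within: int) -> bool:
    """Return True if the payload satisfies the three chained content checks."""
    # content:"GET "; depth:4 -> only the first 4 bytes of the payload are searched
    if payload[:4] != b"GET ":
        return False
    # content:"|0d 0a|Host: " (no modifier) -> first occurrence after the previous match
    anchor = b"\r\nHost: "
    pos = payload.find(anchor, 4)
    if pos < 0:
        return False
    end_prev = pos + len(anchor)
    # content:<fragment>; within:<n> -> fragment must end within n bytes of end_prev,
    # so the leading dot plus the whole label must fit in that window
    window = payload[end_prev:end_prev + within]
    return fragment in window


def matching_sids(payload: bytes) -> list:
    """All sids from RULES that would fire on this raw request."""
    return [sid for sid, (frag, n) in RULES.items() if host_rule_matches(payload, frag, n)]


def build_get(host: str, path: str = "/") -> bytes:
    """Constructed sample request with on-the-wire CRLF line endings."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: x\r\n\r\n".encode()


if __name__ == "__main__":
    # Note the bare "whatismyip.com" host: no leading dot, so sid 2008986 stays quiet.
    for host in ("www.whatismyip.com", "whatismyip.com", "www.cmyip.com", "www.whatismyipaddress.com"):
        print(host, matching_sids(build_get(host)))
```

Running it shows the leading-dot requirement in each fragment: a request whose Host is the bare domain with no "www." prefix is not matched by these sigs.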


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



