[Emerging-Sigs] Whatismyip Sigs

Matt Jonkman jonkman at jonkmans.com
Wed Jan 7 13:32:47 EST 2009


Forgot to ask, anyone know of other sites that are commonly used by
malware? These are 95% of what we see in the sandnet.

matt

Matt Jonkman wrote:
> A common thing many of the malware samples we see do is hit
> whatismyip.com to get their external ip address. There are a few other
> sites, but whatismyip.com/net/org is by far the most prevalent as they
> are automation friendly and don't make it difficult to scrape the IP.
> 
> There are a few others, I've put together the following sigs to get the
> ones we see in malware. These aren't all of the ip lookup sites, there
> are hundreds. But these are very commonly used.
> 
> And to be clear: We do mean to imply these sites are bad or complicit
> with any of the bots out there. Just unexpected access to these in your
> net is something you should check out.
> 
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via whatismyip.com Automation Page
> - Possible Infection"; flow:established,to_server;
> uricontent:"/automation/n09230945.asp"; classtype:attempted-recon;
> sid:2008985; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via whatismyip.com - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".whatismyip."; within:15;
> classtype:attempted-recon; sid:2008986; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via showip.net - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".showip."; within:15;
> classtype:attempted-recon; sid:2008987; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via cmyip.com - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".cmyip."; within:12;
> classtype:attempted-recon; sid:2008988; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> Internal Host Retrieving External IP via showmyip.com - Possible
> Infection"; flow:established,to_server; content:"GET "; depth:4;
> content:"|0d 0a|Host\: "; content:".showmyip."; within:15;
> classtype:attempted-recon; sid:2008989; rev:1;)
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
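Added illustration, not part of Matt's post or of the ET ruleset itself: the Python below re-implements the match conditions of the five rules quoted above (the "GET " at depth 4, the "|0d 0a|Host\: " anchor, the ".site." content with its within: window, and the uricontent check) and runs them over constructed HTTP requests. The hostnames and request lines are made up for the test, and uricontent is approximated by a substring test on the request-target rather than Snort's normalized URI buffer.

```python
"""Emulate the match logic of the ET POLICY external-IP-lookup rules
(sids 2008985-2008989) and exercise them on constructed HTTP requests."""
import re

HOST_ANCHOR = b"\r\nHost: "   # content:"|0d 0a|Host\: "


def host_rule(sid, site, within):
    """Build a matcher for:
    content:"GET "; depth:4; content:"|0d 0a|Host\\: "; content:".<site>."; within:N;"""
    needle = f".{site}.".encode()

    def match(payload):
        if payload[:4] != b"GET ":            # depth:4 -> only the first 4 bytes
            return False
        i = payload.find(HOST_ANCHOR)         # no relative modifier -> search whole payload
        if i < 0:
            return False
        end = i + len(HOST_ANCHOR)
        # within:N -> needle must lie entirely inside the N bytes after the previous match
        return needle in payload[end:end + within]

    return sid, match


def uri_rule(sid, uri):
    """Approximate uricontent:"<uri>" by a substring test on the request-target
    (Snort matches against the normalized URI buffer; that normalization is not emulated)."""
    def match(payload):
        m = re.match(rb"^[A-Z]+ (\S+) HTTP/", payload)
        return bool(m) and uri.encode() in m.group(1)

    return sid, match


# Same sites, windows and sids as the quoted rules.
RULES = [
    uri_rule(2008985, "/automation/n09230945.asp"),
    host_rule(2008986, "whatismyip", 15),
    host_rule(2008987, "showip", 15),
    host_rule(2008988, "cmyip", 12),
    host_rule(2008989, "showmyip", 15),
]


def alerts(payload):
    """Return the sids that would fire on this client->server payload."""
    return [sid for sid, match in RULES if match(payload)]


def build_request(host, path="/"):
    """Constructed HTTP request (test data, not captured traffic)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/4.0\r\n\r\n").encode()


if __name__ == "__main__":
    for host, path in [("www.whatismyip.com", "/automation/n09230945.asp"),
                       ("www.whatismyip.com", "/"),
                       ("whatismyip.com", "/"),
                       ("automation.whatismyip.com", "/"),
                       ("www.cmyip.com", "/"),
                       ("www.example.com", "/")]:
        print(f"{host}{path}: {alerts(build_request(host, path))}")
```

Two behaviours of the rules show up immediately when run: the ".site." content needs a leading dot, so a bare "Host: whatismyip.com" does not fire, and within:15 is tight enough that a longer label in front of the domain (e.g. "automation.whatismyip.com") pushes the needle past the window. Both are worth knowing before tuning these rules for a site with different host labels.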