[Emerging-Sigs] Whatismyip Sigs

Frank Knobbe frank at knobbe.us
Thu Jan 22 22:05:47 EST 2009


On Wed, 2009-01-07 at 13:32 -0500, Matt Jonkman wrote:
> Forgot to ask, anyone know of other sites that are commonly used by
> malware? These are 95% of what we see in the sandnet.

We should also note any valid applications that use whatismyip.com and
similar.

For example, I've seen Blackberry software use it to find its external
IP for WAP communication (headers with newline for readability):

GET / HTTP/1.1

Connection: close

x-wap-profile: "http://www.blackberry.net/go/mobile/profiles/uaprof/9530_evdo/4.7.0.rdf"

profile: http://www.blackberry.net/go/mobile/profiles/uaprof/9530_evdo/4.7.0.rdf

Accept: application/vnd.rim.html, text/html, application/xhtml+xml, application/vnd.wap.xhtml+xml, text/vnd.sun.j2me.app-descriptor, image/vnd.rim.png, image/jpeg, application/x-vnd.rim.pme.b, application/vnd.rim.ucs, image/gif, application/vnd.rim.jscriptc;v=0-8-72, application/x-javascript, application/vnd.rim.css;v=1, text/css;media=screen, text/plain, image/x-portable-graymap, image/x-portable-pixmap, image/x-portable-anymap, image/png, image/jpeg2000, image/x-png, image/x-icon, image/tiff, image/vnd.wap.wbmp, image/bmp, image/x-portable-bitmap, image/gif;anim=1, image/x-ico, image/jpg, image/jp2, application/vnd.wap.wmlc;q=0.9, application/vnd.wap.wmlscriptc;q=0.7, text/vnd.wap.wml;q=0.7, */*;q=0.5

Accept-Charset: UTF-8,ISO-8859-1,US-ASCII,UTF-16BE,windows-1252,UTF-16LE,ISO-2022-JP,Shift_JIS,Big5-HKSCS,Big5,GB2312,KSC5601,x-Johab,EUC-KR,windows-1250

Accept-Language: en-US,en;q=0.5

User-Agent: BlackBerry9530/4.7.0.75 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105

Via: MDS_4.0.0.59

Host: www.whatismyip.com


There's probably other software out there, like chat/IM/SIP software
that uses that to find their external IPs. Perhaps we can come up with
a list of those?

Anyway, not all whatismyip.com access is bad :)

Cheers,
Frank
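
Added example, not part of the original post or of any Emerging Threats rule: a triage sketch that keeps a list of known-good whatismyip.com clients, as the post suggests, and alerts only on lookups that match none of them. The allowlist entry, function names and all sample requests except the abbreviated BlackBerry one are assumptions made for illustration.

```python
import re

LOOKUP_HOSTS = {"www.whatismyip.com", "whatismyip.com"}

# Assumed allowlist: a client counts as known-good only when its User-Agent AND
# its supporting headers all match. The single entry mirrors the quoted request.
KNOWN_GOOD = [{
    "name": "BlackBerry via MDS",
    "user-agent": re.compile(r"^BlackBerry\d{4}/\d+(\.\d+)+ "),
    "via": re.compile(r"^MDS_"),
    "x-wap-profile": re.compile(r"blackberry\.net/"),
}]

def parse_headers(raw):
    """Map lowercased header names to values; blank separator lines are skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw):
    """Return 'ignore' (not an IP lookup), 'known-good:<name>' or 'alert'."""
    headers = parse_headers(raw)
    if headers.get("host", "").lower().split(":")[0] not in LOOKUP_HOSTS:
        return "ignore"
    for client in KNOWN_GOOD:
        checks = {k: rx for k, rx in client.items() if k != "name"}
        if all(rx.search(headers.get(h, "")) for h, rx in checks.items()):
            return "known-good:" + client["name"]
    return "alert"

# Abbreviated from the request in the post (Accept* headers dropped).
BLACKBERRY = (
    "GET / HTTP/1.1\n\nConnection: close\n\n"
    'x-wap-profile: "http://www.blackberry.net/go/mobile/profiles/uaprof/9530_evdo/4.7.0.rdf"\n\n'
    "User-Agent: BlackBerry9530/4.7.0.75 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105\n\n"
    "Via: MDS_4.0.0.59\n\nHost: www.whatismyip.com\n"
)
# Constructed samples: a bare client, and a BlackBerry User-Agent with no MDS headers.
BARE = "GET / HTTP/1.1\nUser-Agent: Mozilla/4.0\nHost: www.whatismyip.com\n"
UA_ONLY = "GET / HTTP/1.1\nUser-Agent: BlackBerry9530/4.7.0.75 Profile/MIDP-2.0\nHost: whatismyip.com\n"
OTHER = "GET / HTTP/1.1\nUser-Agent: Mozilla/4.0\nHost: www.example.com\n"

if __name__ == "__main__":
    for label, req in [("blackberry", BLACKBERRY), ("bare", BARE), ("ua-only", UA_ONLY), ("other", OTHER)]:
        print(label, "->", classify(req))
```

All of these headers are set by the client, so a known-good result is a triage label for reducing noise rather than proof that the host is clean.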




