Websites compromised in ‘Decimal IP’ campaign

Posted: March 29, 2017 by Jérôme Segura
Last updated: March 30, 2017

When looking at malicious traffic, one of the things we are interested in are the hosts involved in a particular attack. For example, we check the hostnames or IP addresses that were serving up malicious code.

Before getting further, let’s define a few concepts to better understand the topic we are discussing today. A host name can be:

A domain name (i.e. http://example.com/)
A fully qualified domain name (i.e. http://test.example.com/)
An IP address (i.e. http://127.0.0.1/)

It’s not as usual, but IP addresses can indeed be directly used as the URL and when that happens it is called an IP-Literal Hostname (see Eric Lawrence’s post on this subject).

IP addresses (IPv4) follow the dot-decimal notation which is four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (http://2130706433/) or octal form (http://017700000001/).

This takes us to a recent infection chain for the RIG exploit kit where we came across such an occurrence. The host was:

http://1760468715

While for us humans it makes little sense that this could even resolve, Internet Explorer and Chrome (Edge doesn’t seem to) can handle it just fine and convert that into a proper IP address (104.238.158.235):

We observed websites that had been hacked and were pushing this non-orthodox URL via 302 redirects (the HTTP response code indicating that the site has moved to a new location):

HTTP/1.1 302 Found
Server: nginx/1.10.1
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.23
Access-Control-Allow-Origin: *
Location: http://1760468715/
Vary: Accept-Encoding

This in turn leads to another redirector performing the final call to the RIG EK landing page and infecting the user with the Smoke Loader malware, as shown below:

Upon Googling for that particular string (1760468715), we can find many sites that have been injected with the Decimal IP redirect:

There is a thread on StackExchange about a website owner dealing with such an infection and trying to find how to locate it. Some folks suggest to grep the entire server for the incriminating string, while others recommend a complete wipe and reinstallation.

Perhaps the malicious actors are trying to avoid some IP filters or maybe make identification harder by using a less common URL format. In any case, Malwarebytes users are protected from accessing this rogue server, no matter how the URL is formatted.

And if you wonder about real life purposes of these non-dotted IP-literal URLs and want to participate in the debate, feel free to join this 16 year old thread:

IOCs:

Redirect:

Decimal IP:1760468715
IPv4 dot-decimal: 104.238.158.235

Payload (Smoke Loader):

4bed780a55e6179e4a1236444c34398af50d3bea39f86eb877089265f833bda5

COMMENTS

Donna Guarino

I wish some one comes out with a better Windows system,than Microsoft, I just don`t trust Microsoft.
BurleighBill

It is worth pointing out that this article mentions that Microsoft Edge on the current Windows operating system is not susceptible to this attack. Mac and Linux users who use Chrome are.

Best practice is to keep yourself up to date, software wise and employ tools like Malwarebytes to fill in the gaps. ; )
Tom Heath

Last year I was hit by a problem after I tried to X out an ad. It locked my computer and said I needed to call an 800 number. They passed themselves of as people for Microsoft people. I told my son about it and he came to my house and spent an hour cleaning up all manner of bad files. However, since then my computer runs very slow. I took it to Staples and two tech spend an hour and could not find the problem. Last I tried to X out another ad (you see that I’m a slow learner) and within 30 seconds I received a phone call from the same people. How do I get this out of my computer?
Bob-oh

If you’re talking about the same crap that happens to me occasionally, all you have to do is reboot and it will go away.
Tom Heath

Yesterday I picked up my computer from Staples and they were unable to determine why my computer is running slow. I was told that the only way to deal with the problem would be to clean out everything and re-install my operating system.
Syd Jessop

The very wording of this lovely statement exemplifies the problem perfectly.

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS