Using Network and Threat Data Chaining to Discover Malicious Infrastructure and Deliver Context

– by Jason Lewis

Recently on his blog, computer-forensics researcher and Malcovery Security co-founder Gary Warner wrote about an increase in spam and listed the IPs most heavily involved. Malformity Labs wrote a follow-up on data chaining, which links hashes with those IPs. So are these hosts aberrations, or are they part of a bigger problem? That’s what we set out to determine in a recent exercise.

Starting with a list of eight IPs, we queried them in ScoutVision to quickly determine the owner, CIDR block and announcing ASN of each. We then used ScoutVision’s aggregated threat data to associate recent threats with these network elements; the walkthrough below uses one of the eight, IP address 62.76.187.221.

We also performed a reverse DNS lookup to identify all historical DNS names that may be associated with this IP. The example IP is part of 62.76.184.0/21. When we expanded our research to this net block we noticed threats on other IPs in the same “neighborhood” as the initial IP. In ScoutVision’s view, 62.76.184.0/21 is the parent and the IPs in the net range are its “children”; the inherited tags on the parent represent all the threats observed on IPs in the CIDR. There is significant malware activity for this CIDR and for the CIDRs covering the remaining IPs. A summary of the threats ScoutVision reports for these elements follows:

Malware Command and Control Server

Suspicious exe or dropper service

MALICIOUS

Hosting Malware

Being able to quickly include the CIDRs that encompass these IPs lets us expand the threat view. The eight IPs fall into these five CIDRs:

85.143.160.0/21

62.76.40.0/21

62.76.184.0/21

62.76.176.0/22

37.139.40.0/21

Including these CIDRs in our threat scope expands the tag list. It lets us follow the threat chain and find more evidence that the network hosting these IPs is unfriendly:

MALICIOUS

MALURL

Anonymous Proxy

Bruteforce SSH

Malware Command and Control Server

Hosting Malware

Suspicious exe or dropper service

Dshield Top Attackers

ConfickerAB

BOTCC

Corporate Proxy

Scanning Host

Botnet CC

Spyeye CC

Driveby Source

FBI DDoS Alert

SPAM

M-000004-BT

ET CINS Active Threat Intelligence Poor Reputation

ET DROP Dshield Block Listed Source

Reset outside window

ET RBN Known Russian Business Network

POLICY Tor Node

Tor Node

ET CURRENTEVENTS DNS Amplification Attack Inbound

Bitcoin Mining and related

Probing Darknet

TCP window closed before receiving data

Postfix Attack

Malware Domain

Malware IP

Hosting Malware

The increase in observed threats reveals more detail. The hosts on this network are not just hosting malware; they are actively probing the Internet for vulnerable hosts and are involved in DDoS attacks. Several IDS alerts from Lookingglass honeypots show exploit attempts for a wide range of attacks.

We could probably stop there and have plenty of evidence for blocking these CIDRs at the perimeter. But we can take it a step further and add the ASNs announcing those CIDRs to our project for further evaluation. Only one ASN has the cloud provider’s name associated with it, but the business relationship between the networks is clear.

56534 – PIRIX-INET-AS PIRIX, ltd

57010 – CLODO-AS IT House Ltd.

48172 – OVERSUN Oversun Ltd

Adding these ASNs provides additional context and expands the threat tags immensely: thousands of IPs now have threats associated with them, and the infrastructure behind clodo.ru appears heavily infested with malicious activity.
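To make the chaining concrete, here is a small Python model of the roll-up described above: IP to covering CIDR to announcing ASN, and back down to every other CIDR that ASN announces. It is an added example, not ScoutVision code. The per-IP hits are constructed, the tag names mirror the ones listed in this post, and the CIDR-to-ASN assignment uses placeholder ASNs from the private-use range (64512 and up) rather than the real announcing ASNs. Each parent's "inherited" tag set is computed as the union of the tags seen on its children.

```python
"""Chain IP-level threat tags upward: IP -> covering CIDR -> announcing ASN.

Added example, not ScoutVision code. Everything below is constructed for
illustration: the per-IP hits are invented, the tag names mirror those in
the post, and the CIDR-to-ASN assignment uses placeholder ASNs from the
private-use range (64512-65534), not the real announcing ASNs.
"""
import ipaddress
from collections import defaultdict

# Constructed sample feed of (ip, threat tag) observations.
OBSERVATIONS = [
    ("62.76.187.221", "SPAM"),
    ("62.76.187.221", "Malware Command and Control Server"),
    ("62.76.185.10", "Hosting Malware"),
    ("62.76.190.77", "Suspicious exe or dropper service"),
    ("85.143.161.5", "Bruteforce SSH"),
    ("37.139.41.9", "Scanning Host"),
    ("8.8.8.8", "Corporate Proxy"),  # outside every tracked block; must be ignored
]

# Constructed parent structure: CIDR -> announcing ASN (placeholder ASNs).
CIDR_TO_ASN = {
    "62.76.184.0/21": 64512,
    "62.76.176.0/22": 64512,  # same ASN as the block above, so chaining pulls it in
    "85.143.160.0/21": 64513,
    "37.139.40.0/21": 64514,
}


def _networks(cidr_to_asn):
    """Parse the CIDR strings once; keys are IPv4Network objects."""
    return {ipaddress.ip_network(c): asn for c, asn in cidr_to_asn.items()}


def covering_cidr(ip, nets):
    """Most specific tracked network containing ip, or None if untracked."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def inherit_tags(observations, cidr_to_asn):
    """Roll IP-level tags up to their parent CIDR and ASN.

    Returns ({cidr: set(tags)}, {asn: set(tags)}). A CIDR's inherited tag set
    is the union of tags seen on any IP inside it; an ASN's is the union over
    the CIDRs it announces. Observations on untracked IPs are dropped.
    """
    nets = _networks(cidr_to_asn)
    cidr_tags, asn_tags = defaultdict(set), defaultdict(set)
    for ip, tag in observations:
        parent = covering_cidr(ip, nets)
        if parent is None:
            continue
        cidr_tags[str(parent)].add(tag)
        asn_tags[nets[parent]].add(tag)
    return dict(cidr_tags), dict(asn_tags)


def expand_scope(seed_ips, cidr_to_asn):
    """Follow the chain from a handful of IPs to every CIDR their ASNs announce."""
    nets = _networks(cidr_to_asn)
    seed_cidrs = set()
    for ip in seed_ips:
        parent = covering_cidr(ip, nets)
        if parent is not None:
            seed_cidrs.add(parent)
    asns = {nets[n] for n in seed_cidrs}
    expanded = {str(n) for n, asn in nets.items() if asn in asns}
    return {"cidrs": {str(n) for n in seed_cidrs}, "asns": asns, "expanded_cidrs": expanded}


if __name__ == "__main__":
    by_cidr, by_asn = inherit_tags(OBSERVATIONS, CIDR_TO_ASN)
    for cidr, tags in sorted(by_cidr.items()):
        print(cidr, sorted(tags))
    print(expand_scope(["62.76.187.221"], CIDR_TO_ASN))
```

With real data the parents come from BGP tables and WHOIS and the hits from your threat feeds, but the roll-up logic is the same. Two behaviours are worth noticing: an IP that falls in no tracked block (8.8.8.8 in the sample) contributes nothing, and a CIDR with no hits of its own (62.76.176.0/22 here) still enters the scope once its ASN is implicated, which is exactly the expansion the post describes.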

Using a combination of passive DNS, domain and network block registration information, we can discover all of the address space this provider is using. These methods let us add another four CIDRs to our target group.

Clodo.ru appears to have network infrastructure with multiple ISPs in Russia, but the ASN it owns has a single upstream ASN, run by RUNNET.

Questions:

  • Is this cloud provider complicit in perpetuating these threats?
  • Is this cloud provider purposely using infrastructure on different networks to appear legitimate while being a snowshoe spammer?

Summary

We’ve taken a small number of IPs involved in spam operations and used ScoutVision to reveal more infrastructure hosting similar malicious activity. The takeaway is that by chaining network and threat data, we can expand from a small set of individual IP addresses to a broader list of CIDRs to monitor. For the majority of customers outside Russia, this cloud provider doesn’t appear to host anything that would require unfiltered access. IDS rules that match connections to or from these CIDRs can alert security teams and tell them what action to take. The resulting CIDR list from this analysis is provided below for convenience:

Clodo.ru blocklist

188.127.245.0/24

188.127.224.0/19

62.76.180.0/23

62.76.182.0/23

85.143.160.0/21

62.76.40.0/21

62.76.184.0/21

62.76.176.0/22

37.139.40.0/21
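Before dropping a list like this into a perimeter device it is worth checking it for overlap and collapsing it. The Python below is an added example, not part of the post or of ScoutVision. It takes the nine CIDRs above, reports any entry nested inside a larger one, merges the list without changing its coverage, looks up which block a given IP falls in, and emits one Suricata IP rule for the whole group. The rule's msg text and sid are placeholders chosen here, and $HOME_NET is whatever your own suricata.yaml defines.

```python
"""Sanity-check the Clodo.ru CIDR blocklist and turn it into a perimeter rule.

Added example, not part of the original post or of ScoutVision. The nine CIDRs
are the post's list; the Suricata rule message and sid are placeholders chosen
here, and the rule relies on $HOME_NET as defined in your own suricata.yaml.
"""
import ipaddress

# The blocklist exactly as published in the post.
BLOCKLIST = [
    "188.127.245.0/24", "188.127.224.0/19", "62.76.180.0/23", "62.76.182.0/23",
    "85.143.160.0/21", "62.76.40.0/21", "62.76.184.0/21", "62.76.176.0/22",
    "37.139.40.0/21",
]


def redundant_entries(cidrs):
    """Entries already covered by a larger block elsewhere in the same list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(a) for a in nets if any(a != b and a.subnet_of(b) for b in nets)]


def collapse(cidrs):
    """Merge adjacent blocks and drop nested ones; coverage stays exactly the same."""
    # strict=True rejects entries with host bits set (a typo like 62.76.181.0/23).
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def matching_block(ip, cidrs):
    """Most specific block in cidrs containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, cidrs) if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def suricata_rule(cidrs, sid=9000001, msg="Clodo.ru blocklist CIDR contacted"):
    """One bidirectional IP-layer rule covering the whole address group.

    sid is a placeholder; use a value from the range you reserve for local rules.
    """
    group = "[" + ",".join(cidrs) + "]"
    return f'alert ip $HOME_NET any <> {group} any (msg:"{msg}"; sid:{sid}; rev:1;)'


if __name__ == "__main__":
    print("redundant:", redundant_entries(BLOCKLIST))
    merged = collapse(BLOCKLIST)
    print("collapsed:", merged)
    print("62.76.187.221 ->", matching_block("62.76.187.221", merged))
    print(suricata_rule(merged))
```

Run as written, it reports that 188.127.245.0/24 is already inside 188.127.224.0/19, and that the four blocks spanning 62.76.176.0 through 62.76.191.255 merge into 62.76.176.0/20, so the nine entries reduce to five with identical coverage. Collapsing only merges exact neighbours and drops exact subsets; it never widens the list beyond what was given, so the generated rule still fires for the same addresses.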
