IP stands for Internet Protocol. An IP address is a numerical label assigned to each device on a network, and every website has a unique IP address that identifies it on the Internet. Because an IP address is difficult to remember, host/domain names are used and translated to an IP address via DNS. What some people don't realize is that an IP address can be presented in many formats, such as a host/domain name, a dotted-decimal IP address or the DWORD format. Most browsers accept only hostnames and dotted-decimal IP addresses; the remaining formats are ignored nowadays.
In our research, we have identified that attackers have started using malicious domains in DWORD format to fool or confuse victims. Here is an example of such a malicious URL:
hxxp://1539393606/GoogleSearch.class
If you look at the above URL, you will see an atypical number instead of a domain name or IP address. But be careful: it is actually an IP address which the attacker has converted into DWORD format. If you visit the above URL, your browser will automatically convert this to a plain IP address. Lately, we have been seeing many malicious URLs using the DWORD format to hide their actual IP address. The number "1539393606" is actually an IP address which points to "91.193.72.70". If you visit the above URL using a browser like Firefox, it will display the URL as "http://91.193.72.70/GoogleSearch.class".
IP to DWORD format
To convert an IP address to DWORD, open your calculator in scientific mode. Let's take the above IP address, which is "91.193.72.70". Split the IP address into four octets: 91, 193, 72 and 70.
1) Select decimal mode and type 91 in your calculator.
2) Then click on HEX mode. It will give you the hex value 5B for the first octet. Write that down and do the same for the other three octets.
3) You will ultimately get "5BC14846" for all 4 octets.
4) The string above is in hex format. Select HEX mode in the calculator and paste in the hex string.
5) Select decimal mode and you will then get "1539393606", which is the DWORD form of the IP address.
6) Type this DWORD in your browser and you will be taken to the address "91.193.72.70".
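The same conversion in code, as an added example that is not part of the original post: it packs the four octets into the 32-bit DWORD, unpacks a DWORD back into dotted decimal, and normalizes a URL's host so that a block list keyed on "91.193.72.70" also matches "http://1539393606/...". It goes slightly beyond the calculator steps by also accepting the 0x-prefixed hex form of the same value; the function names are my own.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def ip_to_dword(ip: str) -> int:
    """Pack a dotted-decimal IPv4 address into its 32-bit DWORD value (91.193.72.70 -> 1539393606)."""
    return int(ipaddress.IPv4Address(ip))


def dword_to_ip(dword: int) -> str:
    """Unpack a 32-bit DWORD back into dotted-decimal form (1539393606 -> 91.193.72.70)."""
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError("DWORD must fit in 32 bits")
    return str(ipaddress.IPv4Address(dword))


def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-decimal IPv4 address if host is dotted, DWORD or 0x-hex; else None (a real hostname)."""
    try:
        return str(ipaddress.IPv4Address(host))  # already dotted decimal
    except ValueError:
        pass  # not a dotted quad, try the numeric spellings browsers accept
    try:
        value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
    except ValueError:
        return None  # an ordinary domain name
    return dword_to_ip(value) if 0 <= value <= 0xFFFFFFFF else None


def normalize_url(url: str) -> Optional[str]:
    """Rewrite a URL whose host is a DWORD/hex IP into its dotted-decimal equivalent for list matching."""
    parts = urlsplit(url)
    ip = normalize_host(parts.hostname or "")
    if ip is None:
        return None
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # Constructed sample taken from the DWORD URL discussed above.
    print(ip_to_dword("91.193.72.70"))                      # 1539393606
    print(dword_to_ip(1539393606))                          # 91.193.72.70
    print(normalize_url("http://1539393606/GoogleSearch.class"))
```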
Here are some other malicious URLs we have seen in the wild in DWORD format:
hxxp://1496251283/dhj8v.class
hxxp://3560666344/options.class
Further research shows that these URLs are exploiting a Java vulnerability (CVE-2010-4452) to download malware onto the victim's machine.
What’s your DWORD form?
Umesh
9 comments:
I tried that, but Apache on the server side says «400 Bad Request»
@ Jim,
Which browser did you use? Did your browser convert that DWORD into an IP in your address bar?
I tried it in Firefox and it sent me straight to a server in the Russian Federation.
It is not something new, but thanks for sharing it; as we cannot have dot "." characters in Java class names, we cannot have domain names or IP addresses (even in hex or octal). And DWORD is the best option. I should add, there isn't any problem including "http://" in the Java class names by using special editors/settings.
Look at the IP Obfuscation Calculator on RSnake's XSS cheat sheet page: http://ha.ckers.org/xss.html
Also, you can just use Malzilla to convert DWORD into IP notation. It's on the 'Tools' tab, 'IP Converter'.
I have just been infected by a fake AV from this exact IP. The browser didn't ask anything, it started a Java applet, which I suppose downloaded the exe to my file system. Shame on Windows, I guess.
@ Anonymous.
Sorry to hear that. Yes, the malicious applet downloads additional malware onto the system and executes it. Run a full scan with your antivirus to remove the infection.
Simple command line script to calculate the IP from a DWORD. Find out easily where the malware is being hosted (and then block it!!)
Figured it would be a quick and fun write :-).
http://paste.pocoo.org/show/457809/
Hi! I'm a malware analyst, I would like to know if you can give me the MD5 of the sample that does IP to DWORD to analyse it myself.
Thanks