Nope, not the kind of angler whose best friends are rubber boots, strings tied into flies, or a tape measure that starts with 5inches where others have a zero. This is about the Angler Exploit Kit, which currently makes rampant use of the recent Adobe Flash zero-days to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.
Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to test the waters at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the main Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.
Amazingly, they seem to get away with this – staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their Cloud, including the ability to spin up your image in any of our 20 data centers around the globe within a matter of seconds, this isnt really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the fast flux domain name switcheroo, but now increasingly were getting fast instance, where the exploit hosting site itself moves every hour or two.
The statistics from this month also look like it takes the average hoster/provider about a week to catch on that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data – it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.
Without further ado, heres an excerpt from the list of Angler hosting sites that weve observed recently.
July 122.214.171.124Hetzner Online AG, GermanyJuly 1 126.96.36.199Hetzner Online AG, GermanyJuly 8 188.8.131.52Hetzner Online AG, GermanyJuly 9 184.108.40.206Hetzner Online AG, GermanyJuly 10 220.127.116.11Hetzner Online AG, GermanyJuly 12 18.104.22.168Hetzner Online AG, GermanyJuly 1422.214.171.124Westhost Salt Lake City, USAJuly 15 126.96.36.199Sinarohost, NetherlandsJuly 16 188.8.131.52Westhost Salt Lake City, USAJuly 16 184.108.40.206Westhost Salt Lake City, USAJuly 17 220.127.116.11Limestone Networks, Dallas, USAJuly 19 18.104.22.168Limestone Networks, Dallas, USAJuly 20 22.214.171.124Limestone Networks, Dallas, USAJuly 20 126.96.36.199Wibo/Hostlife, Netherlands and Czech RepublicJuly 21 188.8.131.52Limestone Networks, Dallas, USAJuly 23 184.108.40.206Limestone Networks, USA and NtherlandsJuly 23 220.127.116.11Limestone Networks, Dallas, USAJuly 23 18.104.22.168Limestone Networks, Dallas, USAJuly 2422.214.171.124Limestone Networks, USA and NtherlandsJuly 24 126.96.36.199Wibo/Hostlife, Netherlands and Czech RepublicJuly 25 188.8.131.52Wibo/Hostlife, Netherlands and Czech Republic
Now, of course, Im not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:
– checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
– correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?
Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the from_server flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?
Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road…), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.