Hackin9

Nope, not the kind of angler whose best friends are rubber boots, strings tied into flies, or a tape measure that starts with 5inches where others have a zero. This is about the Angler Exploit Kit, which currently makes rampant use of the recent Adobe Flash zero-days to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.

Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to test the waters at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the main Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.

Amazingly, they seem to get away with this - staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their Cloud, including the ability to spin up your image in any of our 20 data centers around the globe within a matter of seconds, this isnt really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the fast flux domain name switcheroo, but now increasingly were getting fast instance, where the exploit hosting site itself moves every hour or two.

The statistics from this month also look like it takes the average hoster/provider about a week to catch on that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data - it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.

Without further ado, heres an excerpt from the list of Angler hosting sites that weve observed recently.

July 1148.251.167.57Hetzner Online AG, GermanyJuly 1  148.251.167.107Hetzner Online AG, GermanyJuly 8  176.9.245.141Hetzner Online AG, GermanyJuly 9  176.9.245.140Hetzner Online AG, GermanyJuly 10 176.9.245.142Hetzner Online AG, GermanyJuly 12 176.9.245.142Hetzner Online AG, GermanyJuly 14206.190.134.189Westhost Salt Lake City, USAJuly 15 185.48.58.51Sinarohost, NetherlandsJuly 16 206.190.134.188Westhost Salt Lake City, USAJuly 16 206.190.134.190Westhost Salt Lake City, USAJuly 17 69.162.90.107Limestone Networks, Dallas, USAJuly 19 69.162.64.156Limestone Networks, Dallas, USAJuly 20 69.162.116.123Limestone Networks, Dallas, USAJuly 20 185.43.223.165Wibo/Hostlife, Netherlands and Czech RepublicJuly 21 69.162.116.125Limestone Networks, Dallas, USAJuly 23 216.245.213.141Limestone Networks, USA and NtherlandsJuly 23 69.162.86.36Limestone Networks, Dallas, USAJuly 23 69.162.64.158Limestone Networks, Dallas, USAJuly 24216.245.213.138Limestone Networks, USA and NtherlandsJuly 24 185.43.223.164Wibo/Hostlife, Netherlands and Czech RepublicJuly 25 185.43.223.162Wibo/Hostlife, Netherlands and Czech Republic

Now, of course, Im not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:

- checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
- correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?

Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the from_server flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?

Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road...), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status