Angler's best friends - SANS Internet Storm Center

Angler's best friends
Nope, not the kind of angler whose best friends are rubber boots, strings tied into "flies", or a tape measure that starts with "5inches" where others have a zero. This is about the "Angler Exploit Kit", which currently makes rampant use of the recent Adobe Flash "zero-days" to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works. Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to "test the waters" at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the "main" Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road. Amazingly, they seem to get away with this - staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their "Cloud", including the ability to "spin up your image in any of our 20 data centers around the globe within a matter of seconds", this isn't really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the "fast flux" domain name switcheroo, but now increasingly we're getting "fast instance", where the exploit hosting site itself moves every hour or two. The statistics from this month also look like it takes the average hoster/provider about a week to "catch on" that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data - it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons. Without further ado, here's an excerpt from the list of Angler hosting sites that we've observed recently. July 1 148.251.167.57 Hetzner Online AG, Germany July 1 148.251.167.107 Hetzner Online AG, Germany July 8 176.9.245.141 Hetzner Online AG, Germany July 9 176.9.245.140 Hetzner Online AG, Germany July 10 176.9.245.142 Hetzner Online AG, Germany July 12 176.9.245.142 Hetzner Online AG, Germany July 14 206.190.134.189 Westhost Salt Lake City, USA July 15 185.48.58.51 Sinarohost, Netherlands July 16 206.190.134.188 Westhost Salt Lake City, USA July 16 206.190.134.190 Westhost Salt Lake City, USA July 17 69.162.90.107 Limestone Networks, Dallas, USA July 19 69.162.64.156 Limestone Networks, Dallas, USA July 20 69.162.116.123 Limestone Networks, Dallas, USA July 20 185.43.223.165 Wibo/Hostlife, Netherlands and Czech Republic July 21 69.162.116.125 Limestone Networks, Dallas, USA July 23 216.245.213.141 Limestone Networks, USA and Ntherlands July 23 69.162.86.36 Limestone Networks, Dallas, USA July 23 69.162.64.158 Limestone Networks, Dallas, USA July 24 216.245.213.138 Limestone Networks, USA and Ntherlands July 24 185.43.223.164 Wibo/Hostlife, Netherlands and Czech Republic July 25 185.43.223.162 Wibo/Hostlife, Netherlands and Czech Republic Now, of course, I'm not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about: - checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two - correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info? Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the "from_server" flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it? Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road...), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.	Daniel 385 Posts ISC Handler Jul 27th 2015
Thread locked Subscribe	Jul 27th 2015 6 years ago
We are still seeing Angler exploits from Limestone networks as well, including one from 69.162.116.248/29 less than an hour ago. Still no lid in sight.	Anonymous
Quote	Jul 27th 2015 6 years ago
Other IP's that may be attributed are: 136.243.96.94 clients.your-server.de, Germany 148.251.167.105 clients.your-server.de, Germany 148.251.167.51 clients.your-server.de, Germany 148.251.167.97 clients.your-server.de, Germany 176.9.245.139 clients.your-server.de, Germany 178.63.173.166 clients.your-server.de, Germany 185.48.58.52 sinaro.host, Europe 209.190.51.212 eNET Inc., Columbus, OH, USA 209.190.51.214 eNET Inc., Columbus, OH, USA 216.144.244.147 Limestone Networks, Inc, Dallas, USA 216.144.244.148 Limestone Networks, Inc, Dallas, USA 46.4.213.133 clients.your-server.de, Germany 5.79.85.242 ua-hosting.company, Netherlands 63.143.53.46 Limestone Networks, Inc, Dallas, USA 69.162.73.91 Limestone Networks, Inc, Dallas, USA 74.63.217.222 WireFuseMedia LLC, Anaheim, CA, USA 74.63.237.182 Limestone Networks, Inc, Dallas, USA 78.46.252.109 clients.your-server.de, Germany 85.17.72.4 Netherlands, Amsterdam 94.131.14.34 Ukraine 94.131.14.37 Ukraine 94.250.248.138 oplodismentofcrcs.ru, Russia	Anonymous
Quote	Jul 27th 2015 6 years ago
Just have to say, I love this post. It was like the writer was reading my mind. Scary, yet validated everything I have been thinking.	AlSitte 30 Posts
Quote	Jul 28th 2015 6 years ago

Nope, not the kind of angler whose best friends are rubber boots, strings tied into "flies", or a tape measure that starts with "5inches" where others have a zero. This is about the "Angler Exploit Kit", which currently makes rampant use of the recent Adobe Flash "zero-days" to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 on to them. Fellow ISC Handler Brad has covered before how this works.

Looking though our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to "test the waters" at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the "main" Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.

Amazingly, they seem to get away with this - staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their "Cloud", including the ability to "spin up your image in any of our 20 data centers around the globe within a matter of seconds", this isn't really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the "fast flux" domain name switcheroo, but now increasingly we're getting "fast instance", where the exploit hosting site itself moves every hour or two.

The statistics from this month also look like it takes the average hoster/provider about a week to "catch on" that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data - it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.

Without further ado, here's an excerpt from the list of Angler hosting sites that we've observed recently.

July 1	148.251.167.57		Hetzner Online AG, Germany
July 1  148.251.167.107		Hetzner Online AG, Germany
July 8  176.9.245.141		Hetzner Online AG, Germany
July 9  176.9.245.140		Hetzner Online AG, Germany
July 10 176.9.245.142		Hetzner Online AG, Germany
July 12 176.9.245.142		Hetzner Online AG, Germany
July 14	206.190.134.189		Westhost Salt Lake City, USA
July 15 185.48.58.51		Sinarohost, Netherlands
July 16 206.190.134.188		Westhost Salt Lake City, USA
July 16 206.190.134.190		Westhost Salt Lake City, USA
July 17 69.162.90.107		Limestone Networks, Dallas, USA
July 19 69.162.64.156		Limestone Networks, Dallas, USA
July 20 69.162.116.123		Limestone Networks, Dallas, USA
July 20 185.43.223.165		Wibo/Hostlife, Netherlands and Czech Republic
July 21 69.162.116.125		Limestone Networks, Dallas, USA
July 23 216.245.213.141		Limestone Networks, USA and Ntherlands	
July 23 69.162.86.36		Limestone Networks, Dallas, USA
July 23 69.162.64.158		Limestone Networks, Dallas, USA
July 24	216.245.213.138		Limestone Networks, USA and Ntherlands	
July 24 185.43.223.164		Wibo/Hostlife, Netherlands and Czech Republic
July 25 185.43.223.162		Wibo/Hostlife, Netherlands and Czech Republic

Now, of course, I'm not insinuating that this misuse occurs with the tacit or implicit approval of the providers, likely, they are just being taken for a ride, but if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:

- checking ALL your IPs, not just the one that was reported, and keep checking over the next week or two
- correlating the data used to purchase these IPs, and proactively suspend, or at least activate a full packet trace, on all others that match similar info?

Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threat signatures from matching on client traffic to matching on server traffic (no big deal, primarily, you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the "from_server" flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic .. one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?

Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road...), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.

Daniel

385 Posts
ISC Handler

Jul 27th 2015

We are still seeing Angler exploits from Limestone networks as well, including one from 69.162.116.248/29 less than an hour ago. Still no lid in sight.

Anonymous

Other IP's that may be attributed are:
136.243.96.94 clients.your-server.de, Germany
148.251.167.105 clients.your-server.de, Germany
148.251.167.51 clients.your-server.de, Germany
148.251.167.97 clients.your-server.de, Germany
176.9.245.139 clients.your-server.de, Germany
178.63.173.166 clients.your-server.de, Germany
185.48.58.52 sinaro.host, Europe
209.190.51.212 eNET Inc., Columbus, OH, USA
209.190.51.214 eNET Inc., Columbus, OH, USA
216.144.244.147 Limestone Networks, Inc, Dallas, USA
216.144.244.148 Limestone Networks, Inc, Dallas, USA
46.4.213.133 clients.your-server.de, Germany
5.79.85.242 ua-hosting.company, Netherlands
63.143.53.46 Limestone Networks, Inc, Dallas, USA
69.162.73.91 Limestone Networks, Inc, Dallas, USA
74.63.217.222 WireFuseMedia LLC, Anaheim, CA, USA
74.63.237.182 Limestone Networks, Inc, Dallas, USA
78.46.252.109 clients.your-server.de, Germany
85.17.72.4 Netherlands, Amsterdam
94.131.14.34 Ukraine
94.131.14.37 Ukraine
94.250.248.138 oplodismentofcrcs.ru, Russia

Anonymous

Just have to say, I love this post.
It was like the writer was reading my mind. Scary, yet validated everything I have been thinking.
:-)

AlSitte

30 Posts