BadRabbit have no fear

Another ransomware hit the streets called “BadRabbit” on October 24th, 2017.  I’ve read a little bit about it, BUT, dear reader, have no fear.  If you’re behind one of our firewalls, a popular open source FreeBSD based firewall loaded up with block lists galore, intrusion detection (IDS), Geo IP blocking and DNS blocking, then you’ve got nothing to fear but what’s for lunch!

Number one, it’s not just a firewall that would have protected you but the security stack we implement from desktops, laptops, etc. (hosts on your network) up through the edge to the firewall.  There are multiple things in the stack that mitigate threats like ransomware, and we’ve blogged about the other variants in prior blog posts.  You can’t just rely on antivirus anymore; that’s just one piece of the security stack and, quite frankly, a commodity piece with little value.  Some “security experts” might balk at that statement but it’s true, and I could bore you and them with why it is!

BadRabbit spreads via a website you might visit that hosts JavaScript which runs and suggests you need to upgrade your Adobe Flash to view the content of the website.  When you run that exe file it’s game over!  Tip:  we don’t let our users run those baddies, nor do they have write access to the operating system directories BadRabbit wants to write to, so that’s defense number one!

Now…I’m not here to break down how BadRabbit works because BadRabbit isn’t really that bad, nor is it tough.  My purpose is to comfort you in knowing that you’re protected AND BadRabbit has been put to bed…in fact, it never got out of its cage.

According to one site I read, BadRabbit was being distributed from these two IP addresses:

5.61.37.209

185.149.120.3

The networks for those two IP addresses are on the WhackersForHackers.com IPBL, which we created, manage and use on all our firewalls.  5.0.0.0/8 and 185.0.0.0/8 are BLOCKED.

Note here that the owners of those IPs are:

5.61.37.209 – owned by a company called “3NT” out of London.  You know this because that’s where a whois lookup tells you to send abuse reports, but more importantly they say:

descr: ********************************************************
descr: * We provide virtual and dedicated servers on this Subnet.
descr: *
descr: * Those services are self managed by our customers
descr: * therefore, we are not using this IP space ourselves
descr: * and it could be assigned to various end customers.
descr: *
descr: * In case of issues related with SPAM, Fraud,
descr: * Phishing, DDoS, portscans or others,
descr: * feel free to contact us with relevant info
descr: * and we will shut down this server: abuse@3nt.com
descr: ********************************************************

I love the old escape clause of “Those services are self managed by our customers”.  That is the old “we’re not responsible” game, but they are and SHOULD BE held responsible, just less responsible than the actual offender, Leaseweb.  That IP space is actually rented from 3NT by a company called “Leaseweb Deutschland GmbH”.  Leaseweb is continually on our block list for abuse, again because of their poor security practices.


The other IP address, 185.149.120.3, is owned by “Jetmail Ltd” and based in the UK.  This is an odd duck really because they do email delivery services.  BadRabbit has been confirmed to NOT spread via email spam, which is why I think this is an odd duck.  It’s possible the Jetmail folks just had a compromised server and were unknowingly used.  Shame on them regardless.  I sent them a note at their abuse address inquiring when they knew and how they knew they were distributing BadRabbit.  I’ll update this blog as I hear back.

ICANN Can!:

Another interesting thing is that it looks like ICANN (the organization that maintains information on registered domain names) blocked the domain names BadRabbit was operating under.  It looks like the organization quarantined the names so they resolve to null values.  When you do whois lookups on the domain names you get the same IP and the same results:

Reference:  https://www.group-ib.com/blog/badrabbit

webcheck01.net
webdefense1.net
secure-check.host
firewebmail.com
secureinbox.email
secure-dns1.net
1dnscontrol.com (<– our DNSBL resolved this to the firewall block interface at 10.10.10.1 and blocked it)

They either don’t resolve or resolve like this:

Domain Name: 1DNSCONTROL.COM
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Updated Date: 2017-10-25T05:19:23Z

Notice the “Updated Date”…that was yesterday, as I blogged this on the 26th of October.  The IP address it resolves to is 198.105.254.24.  That IP address is owned by a company named “Search Guide Inc”.  What’s interesting to me as I looked into this is that many people online are complaining about the company.  The problem is they have nothing to complain about!  Why?  Because, as it turns out, Search Guide Inc is the DNS re-director (or DNS hijacker) for companies like ATT, Charter, Comcast, and many other ISPs (but I don’t have a full list), and the service they provide is an “nxdomain” search page result on a privately labeled search engine.  An nxdomain is just a domain that doesn’t exist, like 1dnscontrol.com, which has been suspended and therefore no longer exists.

So…if I type 1dnscontrol.com into my browser I get this result, because I’m on a Charter network, and not the actual website because, remember, the website no longer exists:

[Screenshot: the browser redirected to search.charter.net]

Notice the URL at the top was the result of typing it into my browser’s URL bar directly (as opposed to searching with a search engine) and hitting enter on my keyboard.  I get redirected to search.charter.net after hitting enter, with search page results.

Now…if you ping 1dnscontrol[.]com you get this, the SAME IP ADDRESS as pinging search.charter.net.

C:\>ping 1dnscontrol.com
Pinging 1dnscontrol.com [198.105.254.24] with 32 bytes of data:

C:\>ping search.charter.net

Pinging search.charter.net [198.105.254.24] with 32 bytes of data:

What do you think would happen if I pinged “aoipafjkjslkjnlkjfoiuhiuhaisuhfskjhsf.com”…?

Well, let’s see!  I can guess we’ll get 198.105.254.24 🙂

C:\>ping aoipafjkjslkjnlkjfoiuhiuhaisuhfskjhsf.com

Pinging aoipafjkjslkjnlkjfoiuhiuhaisuhfskjhsf.com [198.105.254.24] with 32 bytes

I was right (of course)!  So that oddball company named “Search Guide Inc” is nothing more than a company that makes money from a number of ISPs that provide DNS hijacking to show you a search page with possible results.  This is a hacker-like thing to do, but they’re doing you a favor…of sorts.  Charter and other ISPs can have a search page and then also serve you ads on it for an extra source of revenue.  It’s shady business if you think about it, but someone has to do it!  Most browsers also now have this functionality, like Google’s Chrome browser, BUT I suspect the ISP wins the battle because they redirect the actual network traffic that uses TCP port 53 (DNS requests) to their crafty servers to give you a result.  I tested it and for a brief moment the browser’s default search page comes up (google.com) but then the search.charter.net page displays, thus overriding your browser search preference!  Again, it’s a very hacker-like thing to do 😉
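The ping test above (random nonexistent names all landing on 198.105.254.24) is a repeatable check, and it is worth telling that answer apart from the firewall DNSBL answer (10.10.10.1) mentioned earlier for 1dnscontrol.com. The following is an added example, not code from this blog or from the WhackersForHackers.com list: it probes a resolver with random labels to detect NXDOMAIN redirection, then classifies where a given name really lands. The resolver is injected so the logic runs offline against the constructed tables in the block (the `203.0.113.10` address and the two fake resolvers are made up for the example); `live_resolver` uses the system resolver if you want to try it on a real network.

```python
# Added example, not code from the blog post: a small offline model of the two
# DNS behaviours described above (the firewall DNSBL sinking a name to its block
# interface, and the ISP answering nonexistent names with a search-page address)
# plus a probe that detects NXDOMAIN redirection the same way the post's ping
# test does. The resolver is injected so the logic runs offline against the
# constructed tables below; pass live_resolver to try it on a real network.
import secrets
import socket
from typing import Callable, Dict, Optional

# Addresses quoted in the post.
DNSBL_SINK = "10.10.10.1"          # firewall block interface the DNSBL points to
ISP_REDIRECT = "198.105.254.24"    # Search Guide Inc address returned for nxdomains

# A resolver maps a hostname to an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_label(length: int = 24) -> str:
    """A random lowercase label that will not exist in any real zone."""
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3,
                           tld: str = "com") -> Optional[str]:
    """Resolve several random names that cannot exist.

    An honest resolver returns NXDOMAIN (None) for every probe. A redirecting
    resolver answers each probe with the same search-page address; that
    address is returned so callers can recognise it later. Mixed answers are
    treated as "no hijack observed".
    """
    answers = {resolve(f"{random_label()}.{tld}") for _ in range(probes)}
    if len(answers) == 1:
        (only,) = answers
        return only          # None for an honest resolver
    return None


def classify(name: str, resolve: Resolver,
             hijack_ip: Optional[str] = None) -> str:
    """Explain where a name really lands, in the post's terms."""
    ip = resolve(name)
    if ip is None:
        return "nxdomain"
    if ip == DNSBL_SINK:
        return "blocked-by-dnsbl"
    if ip == ISP_REDIRECT or (hijack_ip is not None and ip == hijack_ip):
        return "isp-search-redirect"   # the name does not exist; the ISP substituted a page
    return f"resolves:{ip}"


def live_resolver(name: str) -> Optional[str]:
    """Use the system resolver; only for a real (online) check."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed tables (not real DNS data) modelling the post's observations.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "search.charter.net": ISP_REDIRECT,
    "1dnscontrol.com": DNSBL_SINK,       # the firewall's DNSBL answers this one
    "example.com": "203.0.113.10",       # TEST-NET-3 placeholder for a normal site
}


def fake_charter_resolver(name: str) -> Optional[str]:
    """ISP-style resolver: unknown names get the search page instead of NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name, ISP_REDIRECT)


def fake_honest_resolver(name: str) -> Optional[str]:
    """Standards-following resolver: unknown names are NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


if __name__ == "__main__":
    for label, resolver in (("charter", fake_charter_resolver),
                            ("honest", fake_honest_resolver)):
        hijack = detect_nxdomain_hijack(resolver)
        print(f"[{label}] nxdomain redirect: {hijack or 'none observed'}")
        for host in ("1dnscontrol.com", "webcheck01.net", "example.com"):
            print(f"  {host:20s} -> {classify(host, resolver, hijack)}")
```

One caveat for the practitioner: the substitution happens inside the ISP's recursive resolver, which answers the search-page address in place of NXDOMAIN (most DNS queries are UDP, not TCP, on port 53). Pointing hosts at a resolver you control, such as the firewall's own DNSBL resolver, both avoids the search page and keeps the block-list answers in place.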

In the old days of the Internet your browser just wouldn’t go anywhere, and Search Guide Inc saw this as a business opportunity.  They’re the smart ones sitting on a beach earning 20% (Hans Gruber) while I slave away supporting companies like yours (which I actually enjoy doing)!

How you’re currently protected:

So how are you protected today?

  1. Through a firewall with IP block lists, IDS, Geo IP blocks and DNS block lists like ours that was ahead of any attack
  2. Because ICANN turned those domains into smoke and your ISP is resolving the names to null values (nxdomains) and serving you a search page, or they just don’t show up in your browser

BadRabbit has been put to bed for now.  We were ahead of the game because the networks leveraged by the crooks online are generally blocked by our real-time block lists.  We then poke holes into those dirty networks for sites you may need access to from business partners or vendors.  It’s all business.
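Blocking 5.0.0.0/8 and 185.0.0.0/8 outright, as described earlier, and then poking holes for partners, as described just above, is a precedence question: a narrow allow entry has to beat a broad block entry without turning the whole /8 back on. The following is an added example, not the WhackersForHackers.com IPBL or any code from this blog: it parses a block list and an allow list in a simple one-entry-per-line format and decides per source address with longest-prefix-wins logic. The 5.61.200.0/24 "vendor" hole is a constructed placeholder, not an address from the post.

```python
# Added example, not code from the blog or from the WhackersForHackers.com IPBL:
# an IP block-list policy check in the spirit of the post, where whole /8
# networks are blocked and narrower "holes" are allowed through for partners.
# Entries are CIDR networks (bare addresses mean /32); the most specific match
# wins, and on a tie an allow entry beats a block entry. The vendor hole below
# is a constructed placeholder.
import ipaddress
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Verdict = Tuple[str, Optional[str]]   # ("block" | "allow" | "pass", matched network or None)

BLOCKLIST_TEXT = """
# Constructed IPBL fragment. Bare addresses mean /32.
5.0.0.0/8        # 3NT / Leaseweb space the post names
185.0.0.0/8      # Jetmail space the post names
"""

ALLOWLIST_TEXT = """
# Constructed holes punched for business partners (placeholder subnets).
5.61.200.0/24    # hypothetical vendor endpoint inside the blocked /8
"""


def parse_list(text: str) -> List[IPNetwork]:
    """Parse a block/allow list: one CIDR or bare IP per line, '#' comments."""
    nets: List[IPNetwork] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def most_specific(ip: ipaddress._BaseAddress,
                  nets: List[IPNetwork]) -> Optional[IPNetwork]:
    """Longest-prefix match: the narrowest network containing ip, if any."""
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def decide(ip_str: str, blocked: List[IPNetwork],
           allowed: List[IPNetwork]) -> Verdict:
    """Apply block-with-holes precedence to one source address."""
    ip = ipaddress.ip_address(ip_str)
    block_hit = most_specific(ip, blocked)
    allow_hit = most_specific(ip, allowed)
    if block_hit is None:
        return ("pass", None)                  # not on the block list at all
    if allow_hit is not None and allow_hit.prefixlen >= block_hit.prefixlen:
        return ("allow", str(allow_hit))       # a hole narrower than (or equal to) the block
    return ("block", str(block_hit))


BLOCKED = parse_list(BLOCKLIST_TEXT)
ALLOWED = parse_list(ALLOWLIST_TEXT)

if __name__ == "__main__":
    # The two distribution addresses from the post, one address inside the
    # constructed hole, and the Search Guide address, which is on no list.
    for src in ("5.61.37.209", "185.149.120.3", "5.61.200.7", "198.105.254.24"):
        verdict, net = decide(src, BLOCKED, ALLOWED)
        print(f"{src:16s} {verdict:6s} {net or ''}")
```

The tie rule is deliberate: an allow entry only wins when it is at least as specific as the block it sits inside, so a hole stays a hole and cannot quietly re-open the whole /8.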

If you need assistance securing your network reach out to us. There’s more to securing your network than just a firewall. You need to get a security stack in place from the edge to your core and we know how to make it happen.

800-864-9497

Comments or questions are welcome.
