Jufeng Laboratory · 2015/07/21 10:41

Authors: Mr.Right, Evancss, K0r4dji

Statement: the attack described in this article is disclosed only to expose it. Attacking others is malicious network behavior; do not imitate it, or bear the consequences yourself.

0x00 Discovery


At a customer's request we were analyzing the security of the hosts in their Internet-facing office segment. While reviewing the communication of one host, we filtered the capture for the HTTP protocol.

Glancing at the data, something looked off: this host did not generate much HTTP traffic, but a large share of it consisted of requests for "GET /heikewww/www.txt". ("heike" is pinyin for "hacker", but it was not the pinyin that gave the problem away.) Clicking "Info" to get a clearer view shows that the requests are spaced roughly 50 seconds apart.

To pin down the requested URL, select Statistics > HTTP > Requests from the Wireshark menu. Only one URL was requested, "d.99081.com/heikewww/www.txt", and it was requested 82 times within a short period.

Regular, long-running HTTP communication that keeps requesting the same domain name is, as the saying goes, "if not mischief, then theft"; in practice it is one of two things:

  1. Phone-home: plenty of anti-virus products, apps and commercial software connect to their vendor's server periodically over HTTP or other protocols to keep a long-lived session. The purpose may be to provide online services or check for updates, but the same channel can also monitor your computer or phone and exfiltrate your information.
  2. Theft: trojans, viruses and other malware use a heartbeat to check whether the infected (zombie) host is online, connecting to their command server over HTTP or another protocol; as soon as you are online, the operator can control you at any time.

Now filter the capture for the DNS protocol.

There is no DNS query for the domain "d.99081.com" at all: this trojan's communication does not go through DNS resolution (the methods and techniques for doing so are left to interested readers to study). Consequently, a security monitoring device that relies on DNS alone is completely inadequate here; the HTTP traffic itself has to be inspected.

Next, look at the details of the HTTP request. Clicking on one of the HTTP GET packets shows the full request for "d.99081.com/heikewww/www.txt"; the host fetches the www.txt file over and over.

Using Follow TCP Stream, the complete malicious code served in www.txt can be read.

0x01 Correlation


At this point it is essentially confirmed that malicious code is running on host 10.190.16.143, which at fixed intervals communicates over HTTP with the IP address 199.59.243.120 (domain name d.99081.com), downloading and running the /heikewww/www.txt shown above.

So, have other hosts fallen victim to this as well?

This question is easy to answer, provided the traffic of the whole network has been captured for a period of time: simply check which hosts communicate with the IP 199.59.243.120. If the domain name resolves to changing (dynamic) IP addresses, filter on all of its resolved addresses or on the host name rather than on a single IP.

  1. If the capture is a single PCAP file, apply the display filter ip.addr==199.59.243.120.
  2. The traffic rate of a whole network is usually high, so the capture is unlikely to be a single file; it is typically rotated into many PCAP files. Wireshark's command-line tool can filter a large number of PCAP files in batches.

tshark.exe, shipped with Wireshark, is used for the batch filtering.

To use tshark, run the following commands:

  cd "C:\Program Files\Wireshark"
  tshark -r D:\DATA\1.cap -Y "ip.addr==199.59.243.120" -w E:\DATA\out\1.cap

-r is followed by the source capture file, -Y (uppercase) by the display filter, and -w by the output file. Note that lowercase -y in tshark sets the link-layer type and is not a filter; tshark builds older than 1.10 have no -Y and take the filter with -R instead.

With this command you can write a batch script that loops over every PCAP file in a folder and filters each one in turn.

In this way, all communication with IP address 199.59.243.120 is extracted from the captures.

Take a look at the communicating IP addresses.

According to the statistics, four hosts on the whole network are infected with the same malicious code. The communication content is identical, but the request interval differs slightly: some hosts poll every 50 seconds, others every 4 minutes.
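The two steps above, recognizing the beacon (one URL requested at a steady interval) and then checking every client in the capture for the same behavior, can also be done in a short script instead of clicking through Wireshark's statistics and batch-running tshark. The following is an added example written for this article; it is not code from the original page or from Jufeng Laboratory. It parses a libpcap file with the Python standard library only, extracts HTTP request lines, groups them by client, server and URL, and flags groups whose inter-request gaps are regular. The sample capture is constructed inside the script: the second victim 10.190.16.200, the benign server 198.51.100.10, the timestamps and the detection thresholds are all assumptions, and a real capture would be passed in as a file argument instead.

```python
"""Beacon hunter for libpcap captures: pulls HTTP request lines out of a PCAP
and reports (client, server, URL) tuples that recur at a steady interval.
Standard library only; no scapy or tshark required."""
import struct
import sys
from collections import defaultdict
from statistics import mean, pstdev

PCAP_MAGIC_LE_USEC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps


def http_requests(pcap):
    """Yield (timestamp, src_ip, dst_ip, host, path) for every Ethernet/IPv4/TCP
    segment whose payload starts with an HTTP request line. No TCP reassembly:
    a request line is small enough to sit in the first segment."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE_USEC:
        raise ValueError("only little-endian microsecond pcap files are handled")
    off = 24                                        # skip the global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) < 2:
            continue
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), dst)
        yield sec + usec / 1e6, src, dst, host, parts[1]


def find_beacons(pcap, min_hits=5, max_jitter=0.2):
    """Group requests by (client, server, host, path); return groups with at
    least min_hits requests whose gaps are regular (population standard
    deviation of the gaps / mean gap <= max_jitter). Thresholds are assumed."""
    groups = defaultdict(list)
    for ts, src, dst, host, path in http_requests(pcap):
        groups[(src, dst, host, path)].append(ts)
    hits = []
    for (src, dst, host, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"client": src, "server": dst, "url": host + path,
                         "count": len(times), "interval_s": round(avg, 1)})
    return sorted(hits, key=lambda h: (h["client"], h["url"]))


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_pcap(records):
    """Serialise (timestamp, src_ip, dst_ip, tcp_payload) tuples into a PCAP with
    minimal Ethernet/IPv4/TCP headers (checksums left zero; the parser above
    never checks them). Used only to construct the sample capture below."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE_USEC, 2, 4, 0, 0, 65535, 1))
    for ts, src, dst, payload in records:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         _ip(src), _ip(dst))
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame))
        out += frame
    return bytes(out)


def sample_capture():
    """Constructed traffic, not a real capture: the article's host polling the
    parking URL every 50 s, a hypothetical second victim 10.190.16.200 polling
    every 240 s, and irregular human browsing to a benign server 198.51.100.10."""
    beacon = b"GET /heikewww/www.txt HTTP/1.1\r\nHost: d.99081.com\r\n\r\n"
    browse = b"GET /news/ HTTP/1.1\r\nHost: news.example\r\n\r\n"
    t0 = 1437436800  # 2015-07-21 00:00 UTC, an arbitrary anchor
    recs = [(t0 + 50 * i, "10.190.16.143", "199.59.243.120", beacon) for i in range(82)]
    recs += [(t0 + 7 + 240 * i, "10.190.16.200", "199.59.243.120", beacon) for i in range(10)]
    recs += [(t0 + t, "10.190.16.143", "198.51.100.10", browse) for t in (3, 4, 4, 9, 30, 31)]
    return build_pcap(recs)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for hit in find_beacons(data):
        print(hit)
```

Run it with a capture path to analyse a real file, or without arguments to see it flag the two constructed beacons and ignore the irregular browsing. Real beacons jitter a little (the article's hosts differ between 50 s and 4 min), which is why the check is on the spread of the gaps relative to their mean rather than on an exact period; the tshark filter above remains the right tool for carving the matching packets out as evidence once a client is flagged.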

0x02 Deeper analysis


1 Source of malicious code

In www.txt we found the URL path "/Zm9yY2VTUg"; opening it shows sponsored advertisements and similar junk content, as in the figure below:

Through Whois we learned that the name servers of 99081.com are ns1.bodis.com and ns2.bodis.com, and that bodis.com belongs to BODIS, LLC. Its home page shows that it is a domain parking service: users hand idle domain names over to be hosted, and the company shares with them the revenue earned from the advertising traffic and clicks those domains generate.

2 Malicious code behavior

From open-source information, bodis.com has been a domain parking provider for many years and earns its income mainly from online advertising; whether it engages in illegal network behavior of its own remains to be analyzed.

99081.com is a registered user of bodis.com, i.e. a domain parking customer, which earns a share of the profits by displaying bodis.com's ads and attracting users to click on them. Our preliminary analysis shows that 99081.com uses system vulnerabilities or software bundling to install and run malicious code on a large number of victims' computers; that code visits the parked domain, and the large volume of traffic generated for 99081.com earns it bodis.com's revenue share. Domain parking services normally treat this as click fraud, and it can result in heavy penalties.

3 Identity of the attacker

Based on the code and other information, the attacker's identity has essentially been pinned down. The figure below shows the information registered on a forum:

0x03 Conclusion


  1. The attacker uses illegal means to drive traffic to a domain-parking advertising site and makes a little money from this small-scale black-market operation, but the technique is not very professional;
  2. The infection vector is most likely a drive-by download from a compromised website ("hanging a horse") or software bundling; visiting such a site or downloading and running bundled software easily makes one a victim;
  3. The malicious code constantly requests the domain-parking site over HTTP, and the attacker profits from the traffic the malicious code generates.