Sinkholing BadWPAD infrastructure - wpad.pl / wpadblocking.com case (part 4)

blog.redteam.pl, 5 years ago

Introduction

We started an investigation related to the BadWPAD attack (WPAD Name Collision Vulnerability [https://www.us-cert.gov/ncas/alerts/TA16-144A]), focused mainly on the wpadblocking.com project because it had targeted millions of computers [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html] over the last 10 years (!). In the second publication we made a deeper analysis of the WPAD file [https://blog.redteam.pl/2019/05/badwpad-and-wpad-pl-wpadblocking-com.html] to prove that it had additional malicious functionality beyond the project's stated goal. The wpadblocking.com / wpadblock.com project was also mentioned during the Black Hat conference in 2016 [https://www.youtube.com/embed/IDG2_QfNEzQ&t=905], quoting: “I don’t know what he [owner of wpadblocking.com] is doing really, so it is possibly anticipation for any of you for the next research”. Our analysis gained some interest, and after a while the individual responsible for the wpadblocking.com project and its infrastructure of at least 63 wpad.* TLDs contacted us.


REDTEAM.PL contacted CERT teams from the European Union (EU) countries which were targeted by this peculiar attack. In the meantime the owner of wpadblocking.com contacted us and arrangements were made to transfer the wpad.TLD domains to the CERTs responsible for these TLDs or to national CERTs. The remaining domains will be hosted by Cloudflare [https://www.cloudflare.com/], which will take care of them.

At the time of publishing this article we know that all TLDs related to Poland (ending with *.pl, i.a. wpad.pl, wpad.org.pl, wpad.biz.pl, wpad.com.pl, wpad.edu.pl, wpad.info.pl, wpad.bialystok.pl, wpad.bydgoszcz.pl, wpad.katowice.pl, wpad.net.pl, wpad.olsztyn.pl, wpad.opole.pl, wpad.radom.pl, wpad.rzeszow.pl, wpad.slask.pl, wpad.szczecin.pl, wpad.warszawa.pl, wpad.waw.pl, wpad.wroclaw.pl and wpad.zgora.pl) are already under the control of CERT Polska (CERT-PL) [https://www.cert.pl/] – REDTEAM.PL coordinated the process of transferring ownership of these domains between the current owner and CERT Polska, and is presently coordinating the process for other EU countries' TLDs, i.a.:
CERT-LV – wpad.lv,
CERT-IT (CERT Nazionale Italia) – wpad.it,
CERT-HR – wpad.hr.


Other domains related to this project are i.a. (the owner was not able to supply a full list of all the domains he collected over the last 10 years):
wpad.cat,
wpad.cc,
wpad.co,
wpad.com.ar / wpad.net.ar (no response from icic.gob.ar and ba-csirt.gob.ar),
wpad.com.es / wpad.nom.es / wpad.org.es (no response from incibe.es),
wpad.tw / wpad.com.tw (no response from twncert.org.tw),
wpad.com.ua / wpad.kiev.ua (no response from cert.gov.ua),
wpad.computer,
wpad.cz (no response from csirt.cz and govcert.cz),
wpad.direct,
wpad.domains,
wpad.eu.org,
wpad.gr (no response from nis.gr),
wpad.group,
wpad.im,
wpad.info,
wpad.live,
wpad.ltd,
wpad.me.uk (no response from ncsc.gov.uk),
wpad.msk.ru (no response from cert.ru),
wpad.name,
wpad.net.br (no response from cert.br),
wpad.net.cn,
wpad.network,
wpad.org.cn,
wpad.plus,
wpad.pro,
wpad.sk (no response from csirt.gov.sk and nbu.gov.sk),
wpad.systems,
wpad.tv,
wpad.vip,
wpad.ws,
wpad.xxx,
wpad.zone.

At least 63 wpad.* TLDs in total. As mentioned before, the remaining domains will be taken over by Cloudflare if there is no response from the appropriate CERT to our email notification or any other form of contact [https://redteam.pl/en/#contact].

An interesting fact about the WPADblock initiative is that it started as a master's degree thesis, and a paper about it, “Network traffic filtering utilizing WPAD and Proxy auto-configuration scripts” (original in Polish: “Filtracja ruchu sieciowego przy wykorzystaniu protokołu WPAD oraz skryptów automatycznej konfiguracji serwera Proxy”), was published in an academic journal [http://yadda.icm.edu.pl/baztech/element/bwmeta1.element.baztech-article-BPS3-0014-0073], quoting: “This article describes chosen safety problems of the DNS based WPAD protocol and the anticipation of utilizing this protocol with Proxy Auto-configuration scripts for web traffic filtration, peculiarly HTTP, HTTPS and FTP filtering. Moreover, a concept of unconventional application of the combination of WPAD and Proxy Auto-configuration based service is presented (WPADblock project). WPADblock allows, inter alia, monitoring and blocking of global attacks carried out by automated web worms”, with keywords: “web traffic filtration, WPAD protocol, PAC scripts”.

The author of the WPADblock project confirmed that our analysis of this project was accurate. Modification of the network traffic was a way to make the WPADblock project profitable, given the high cost of all these domains (which was also our first conclusion, stated in the analysis summary).

In the end we also received HTTP access logs covering almost the last 2 months of the wpadblocking.com project's activity. In the next section we present the analysis demonstrating the scale of this endeavour.

WPADblock project / sinkhole HTTP logs analysis

We won’t publish the complete logs or the detailed results of the analysis, because they contain information about entities vulnerable to WPAD Name Collision [https://www.us-cert.gov/ncas/alerts/TA16-144A] a.k.a. the badWPAD attack. However, we can share details with CERT teams, such as national CERT teams responsible for a whole country or e.g. CERT teams responsible for specific CIDRs etc.

Size of all unpacked files:

$ ls -lahS | awk '{print $5,$9}'
672M wpad-access.log.39
651M wpad-access.log.45
632M wpad-access.log.46
630M wpad-access.log.32
627M wpad-access.log.38
604M wpad-access.log.37
601M wpad-access.log.25
601M wpad-access.log.51
593M wpad-access.log.49
591M wpad-access.log.52
585M wpad-access.log.21
584M wpad-access.log.13
584M wpad-access.log.12
570M wpad-access.log.20
564M wpad-access.log.44
562M wpad-access.log.11
559M wpad-access.log.50
557M wpad-access.log.26
550M wpad-access.log.43
539M wpad-access.log.19
522M wpad-access.log.42
521M wpad-access.log.31
505M wpad-access.log.10
505M wpad-access.log.28
484M wpad-access.log.24
476M wpad-access.log.36
472M wpad-access.log.27
440M wpad-access.log.35
436M wpad-access.log.7
399M wpad-access.log.18
389M wpad-access.log.40
387M wpad-access.log.17
366M wpad-access.log.41
357M wpad-access.log.14
356M wpad-access.log.6
355M wpad-access.log.23
350M wpad-access.log.22
334M wpad-access.log.48
333M wpad-access.log.33
330M wpad-access.log.4
311M wpad-access.log.30
305M wpad-access.log.29
304M wpad-access.log.8
303M wpad-access.log.47
299M wpad-access.log.34
295M wpad-access.log.9
272M wpad-access.log.16
264M wpad-access.log.15
216M wpad-access.log.3
184M wpad-access.log.1
168M wpad-access.log.5
164M wpad-access.log.2

Total 24G of text logs.

$ wc -l wpad-access.log.*
1220257 wpad-access.log.1
3527469 wpad-access.log.10
3895048 wpad-access.log.11
4063258 wpad-access.log.12
4070406 wpad-access.log.13
2561501 wpad-access.log.14
1880421 wpad-access.log.15
1941719 wpad-access.log.16
2729450 wpad-access.log.17
2833203 wpad-access.log.18
3765082 wpad-access.log.19
1083768 wpad-access.log.2
3982554 wpad-access.log.20
4075257 wpad-access.log.21
2513507 wpad-access.log.22
2519843 wpad-access.log.23
3446635 wpad-access.log.24
4229173 wpad-access.log.25
3920545 wpad-access.log.26
3326856 wpad-access.log.27
3556879 wpad-access.log.28
2183795 wpad-access.log.29
1458127 wpad-access.log.3
2236866 wpad-access.log.30
3667962 wpad-access.log.31
4455480 wpad-access.log.32
2416099 wpad-access.log.33
2185385 wpad-access.log.34
3147413 wpad-access.log.35
3408267 wpad-access.log.36
4251345 wpad-access.log.37
4398548 wpad-access.log.38
4728378 wpad-access.log.39
2168185 wpad-access.log.4
2801614 wpad-access.log.40
2661334 wpad-access.log.41
3709021 wpad-access.log.42
3929191 wpad-access.log.43
3995675 wpad-access.log.44
4563357 wpad-access.log.45
4451700 wpad-access.log.46
2197870 wpad-access.log.47
2413446 wpad-access.log.48
4151353 wpad-access.log.49
1112731 wpad-access.log.5
3951894 wpad-access.log.50
4197551 wpad-access.log.51
4182783 wpad-access.log.52
2396189 wpad-access.log.6
2969032 wpad-access.log.7
2196247 wpad-access.log.8
2133386 wpad-access.log.9
163863055 total

Total 16,3 million HTTP visits related to badWPAD infrastructure were analysed.

HTTP logs from Nginx are in the following format:

log_format enhanced '$remote_addr - $remote_user [$time_local] $host "$request" $status $body_bytes_sent $request_length "$http_referer" "$http_user_agent" $request_time $upstream_response_time';

Time period of the analysis, from first and last log:

12/Mar/2019:06:25:06 +0100
05/May/2019:06:25:12 +0200

54 days; total number of unique IP addresses in the logs:

10041051

Over 10 million unique IPs were targeted by this attack.

Below is the analysis based on unique IPs (unless indicated otherwise); top targeted countries:

13057 United States
14651 Republic of Moldova
14966 Colombia
15775 Germany
16176 Croatia
16491 Greece
17973 China
22400 Peru
24018 Ukraine
29176 Slovakia
29893 Mexico
39335 Palestine
41922 Latvia
58338 India
58602 Czechia
64304 Chile
93630 Malaysia
112285 Philippines
213022 Egypt
261275 Taiwan
460626 Poland
493691 Russia
1247718 Argentina
3261149 Brazil
3329534 Italy

Top targeted ASNs (Autonomous System Numbers) from the United States:

57 Charter Communications, Inc
64 Sprint
66 Virginia Polytechnic Institute and State Univ.
87 QuadraNet Enterprises LLC
92 Frontier Communications of America, Inc.
95 AVAST Software s.r.o.
97 ZSCALER, INC.
104 Contina
107 T-Mobile USA, Inc.
119 MCI Communications Services, Inc. d/b/a Verizon Business
123 Charter Communications
169 Cox Communications Inc.
177 Leaseweb USA, Inc.
214 CenturyLink Communications, LLC
258 Micfo, LLC.
280 AT&T Services, Inc.
324 iFiber Communications Corp.
326 Cablevision Systems Corp.
332 Charter Communications Inc
478 Hughes Network Systems
545 AT&T Mobility LLC
794 Amazon.com, Inc.
950 Cellco Partnership DBA Verizon Wireless
1267 Comcast Cable Communications, LLC
3939 Mediacom Communications Corp

Top ASNs from Poland:

1209 Wroclaw Centre of Networking and Supercomputing
1210 Echostar Studio Piotr Ziemniewicz Sp. z o.o.
1286 Petrus Spolka z ograniczona odpowiedzialnoscia
1319 Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Akademickie Centrum Informatyki
1353 Telewizja Kablowa Koszalin sp. z o. o.
1356 University of Technology and Life Sciences Bydgoszcz
1597 Jacek Mruk trading as SAT-MONT-SERVICE Sp. J.
2118 Play
2412 Maria Curie-Sklodowska University
2469 Jerzy Krempa Telpol PPMUE
2572 Mlodziezowa Spoldzielnia Mieszkaniowa
2644 T-Mobile Polska S.A.
2795 East & West Sp. z o.o.
2956 Vectra S.A.
3036 Sat Film Sp. z o.o. i Wspolnicy Sp. k.
3075 Silesian University of Technology, Computer Centre
3080 Institute of Bioorganic Chemistry Polish Academy of Science, Poznan Supercomputing and Network
3275 Nicolaus Copernicus University in Torun
3986 Asta-net S.A.
7468 Polkomtel Sp. z o.o.
9261 Toya sp.z.o.o
45700 Orange Polska Spolka Akcyjna
80688 Multimedia Polska S.A.
97960 Liberty Global B.V.
157234 Netia SA

Netia was also near the top of the results (second place) in 2016 [https://www.trendmicro.co.uk/media/misc/wp-badwpad.pdf].

Top ASNs from Russia:

40 CJSC Vainah Telecom
48 Iskratelecom CJSC
64 JSC Eurotelecom
64 Lancom Ltd.
72 Ojsc oao Tattelecom
72 TeleDom Ltd.
77 Closed Joint Stock Company TransTeleCom
79 Net By Net Holding LLC
81 OJS Moscow city telephone network
133 IRONNET Ltd.
142 OJSC Comcor
145 Omskie kabelnye seti Ltd.
149 Electron-Service Ltd.
169 PE Bystrov V.N.
184 PVimpelCom
198 T2 Mobile LLC
340 Teleset LLC
454 MTS PJSC
478 Telecompany Fialka Ltd.
490 Public Joint Stock Company Vimpel-Communications
552 JSC ER-Telecom Holding
612 Multistream Ltd.
644 PJSC MegaFon
4150 PJSC Bashinformsvyaz
482954 Rostelecom

Top ASNs from Argentina:

281 Coop. de Luz y Fuerza Eléct. Industria y Otros Serv. Públicos,Vivienda y Crédito de Punta A
316 CABLETEL SA
339 AMX Argentina S.A.
349 SAN VICENTE CABLE Y TELECOMUNICACIONES SRL
530 Coop. de Obras y Serv. Pub. Ltda. de Rio Tercero
534 Red Intercable Digital S.A.
553 ARLINK S.A.
672 NSS S.A.
702 Gigared S.A.
815 Cooperativa Telefónica de Grand Bourg
959 SAN LUIS CTV S.A.
1107 Movistar Argentina
1199 Davitel S.A.
1271 Techtel LMDS Comunicaciones Interactivas S.A.
1302 Coop. Popular de Elec., Obras y Servicios Pub. de Santa Rosa LTDA
1969 Coop Telefonica Villa Gesell Ltda
3030 TELESISTEMA S.R.L.
3993 BVNET S.A.
4997 Teledifusora S.A.
7274 Telecom Argentina S.A.
12017 Ver tv S.A.
89422 Telecentro S.A.
293132 Telefonica de Argentina
342105 Prima S.A.
473380 CABLEVISION S.A.

Top ASNs from Brazil:

1827 WIIP TELECOM SERVIÇOS DE INTERNET LTDA
1935 CLARO S.A.
2039 Click.com telecomunicações ltda-me
2043 Centro Educacional Nossa Senhora Auxiliadora
2112 Predlink Rede de Telecomunicções Ltda
2123 SOARES & AGUIAR LTDA ME
2232 MKM Internet Solution Provider Ltda
2262 Nova Net Telecomunicações Ltda
2274 Natel Telecom Ltda. - ME
2347 COPEL Telecomunicações S.A.
2375 S. O. do Brasil Telecomunicações LTDA ME
2640 Dez Solucoes em Telecomunicacoes LTDA
2901 Cyber Info Provedor de Acesso LTDA ME
2972 Conecta Minas Telecom LTDA
3620 Silva e Silveira Provedor de Internet SC Ltda
4194 MICRON LINE SERVICOS DE INFORMATICA LTDA - ME
4231 TPA TELECOMUNICACOES LTDA
7595 Desktop Sigmanet Comunicação Multimídia Ltda
19874 Tim Celular S.A.
23008 Sercomtel Participações S.A.
175399 Brasil Telecom S/A - Filial Distrito Federal
202442 ALGAR TELECOM S/A
217357 Telemar Norte Leste S.A.
263709 Telefonica Data S.A.
2151491 TELEFÔNICA BRASIL S.A

Top ASNs from Italy:

84 Seflow S.N.C. Di Marco Brame' & C.
93 Acantho S.p.a
94 TWT S.p.A.
102 BT Italia S.p.A.
107 M247 Ltd
112 Rp Engineering SAS Di Romano Alessandro & C.s.a.s.
113 Cloudfire s.r.l.
117 COLT Technology Services Group Limited
125 Intred S.p.A.
126 Reti Telematiche Italiane S.p.A. (Retelit S.p.A.)
135 Welcome Italia S.p.A
228 Clouditalia Telecomunicazioni S.p.A.
299 S.r.l.
352 Linkem spa
375 Free Mobile SAS
453 Tiscali SpA
473 Irideos S.p.A.
511 EOLO S.p.A.
516 RAI RadioTelevisione Italiana
636 NewniX S.r.l.
1777 Telecom Italia San Marino S.p.A
3579 Vodafone Italia S.p.A.
27252 Consortium GARR
28386 Fastweb
44154 Wind Tre S.p.A.
3216854 Telecom Italia


$ host -t a wpad.homenet.telecomitalia.it
Host wpad.homenet.telecomitalia.it not found: 3(NXDOMAIN)
$ host -t a wpad.telecomitalia.it
Host wpad.telecomitalia.it not found: 3(NXDOMAIN)
$ host -t a wpad.it
wpad.it has address 144.76.184.43

$ host -t a telecomitalia.it
telecomitalia.it has address 156.54.82.96

The WPAD subdomain can’t be found in the ISP's own namespace, so following primary DNS suffix devolution the lookup lands on wpad.it.
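The devolution chain shown above (wpad.homenet.telecomitalia.it → wpad.telecomitalia.it → wpad.it) can be checked for any primary DNS suffix before it becomes a problem. The following is an added example, not code from the original post: it enumerates the wpad.* names a client would try and flags those that end up directly under a public suffix, i.e. a registrable domain that an unrelated party can own. The public suffix set is a small constructed stand-in, and `min_labels` (how many labels devolution keeps at minimum) is a parameter rather than a claim about a specific Windows default.

```python
"""Which wpad.* lookups does DNS suffix devolution push outside the organisation?"""

# Constructed, deliberately small stand-in for the Public Suffix List
# (https://publicsuffix.org/list/); a real check should load the full list.
PUBLIC_SUFFIXES = {
    "it", "pl", "com.pl", "edu.pl", "net.pl",
    "tw", "com.tw", "ar", "com.ar", "net.ar",
    "br", "net.br", "uk", "co.uk", "me.uk",
}


def devolution_candidates(primary_suffix, min_labels=1):
    """Return the wpad.* names tried for `primary_suffix`, most specific first.

    One leading label is stripped per step; the walk stops once fewer than
    `min_labels` labels would remain (min_labels=1 reproduces the wpad.it case
    observed on this page, min_labels=2 would stop at wpad.telecomitalia.it).
    """
    labels = primary_suffix.strip(".").lower().split(".")
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def is_public_suffix(domain, suffixes=PUBLIC_SUFFIXES):
    """True if `domain` is itself a public suffix (a TLD or a registry-level 2LD)."""
    return domain.lower() in suffixes


def leaking_candidates(primary_suffix, min_labels=1, suffixes=PUBLIC_SUFFIXES):
    """Candidates whose parent is a public suffix: anyone can register them,
    so a client reaching that step fetches a PAC file from a stranger."""
    leaking = []
    for name in devolution_candidates(primary_suffix, min_labels):
        parent = name[len("wpad."):]
        if is_public_suffix(parent, suffixes):
            leaking.append(name)
    return leaking


if __name__ == "__main__":
    # Constructed inputs: the ISP suffix from the page and a hypothetical Polish one.
    for suffix in ("homenet.telecomitalia.it", "corp.example.com.pl"):
        print(suffix)
        for name in devolution_candidates(suffix):
            flag = "LEAKS" if name in leaking_candidates(suffix) else "ok"
            print(f"  {name:<36} {flag}")
```

Bounding devolution (raising `min_labels`, which is what Windows' DomainNameDevolutionLevel policy does) empties the leaking list for the telecomitalia.it case; the real fix remains registering or sinkholing the leaked names, as the CERTs did here.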

Top ASNs for all countries:

28386 Italy Fastweb
29961 Taiwan TBC
38138 Latvia SIA Lattelecom
44154 Italy Wind Tre S.p.A.
45700 Poland Orange Polska Spolka Akcyjna
63600 Chile TELEFÓNICA CHILE S.A.
75492 Egypt LINKdotNET
80688 Poland Multimedia Polska S.A.
89422 Argentina Telecentro S.A.
91701 Malaysia TM Net, Internet Service Provider
97960 Poland Liberty Global B.V.
109422 Philippines Philippine Long Distance Telephone Company
137341 Egypt TE-AS
157234 Poland Netia SA
167416 Taiwan Data Communication Business Group
175399 Brazil Brasil Telecom S/A - Filial Distrito Federal
202442 Brazil ALGAR TELECOM S/A
217357 Brazil Telemar Norte Leste S.A.
263709 Brazil Telefonica Data S.A.
293132 Argentina Telefonica de Argentina
342105 Argentina Prima S.A.
473380 Argentina CABLEVISION S.A.
482954 Russia Rostelecom
2151491 Brazil TELEFÔNICA BRASIL S.A
3216854 Italy Telecom Italia

Top “User-Agent” header for all countries:

97329 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
98300 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
102281 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Valve Steam Client Safari/537.36
109562 SeaPort/3.0
109615 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 Avastium (19.3.3084)
111237 Mozilla/4.0 (compatible; MSIE 7.0; Win32)
115215 CFNetworkAgent (unknown version) CFNetwork/978.0.7 Darwin/18.5.0
117457 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/19.10.20091 Chrome/64.0.3282.119 Safari/537.36
131686 Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.11.0 Chrome/65.0.3325.151 Safari/537.36
131817 User
132607 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
133192 Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
140141 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.3.2987.1601 Safari/537.36 Avastium (19.2.2364)
141151 networkd (unknown version) CFNetwork/758.5.3 Darwin/15.6.0
142327 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 CanvasFrame/1.3.1.3 Safari/537.36 FacebookCanvasDesktop [FBAN/GamesWindowsDesktopApp; FBAV/1.3.1.3]
156222 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
162246 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
172761 CFNetworkAgent (unknown version) CFNetwork/976 Darwin/18.2.0
181623 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 CanvasFrame/1.4.1.* Safari/537.36 FacebookCanvasDesktop [FBAN/GamesWindowsDesktopApp; FBAV/1.4.1.*]
191158 Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
198141 Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)
200942 Microsoft-CryptoAPI/5.131.2600.2180
212065 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/19.10.20064 Chrome/64.0.3282.119 Safari/537.36
240533 Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
248273 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
250947 SeaPort/3.1
254925 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 CanvasFrame/1.4.6373.26636 Safari/537.36 FacebookCanvasDesktop [FBAN/GamesWindowsDesktopApp; FBAV/1.4.6373.26636]
279313
283382 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
291523 Microsoft-CryptoAPI/5.131.2600.5512
346126 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.3.2987.1601 Safari/537.36 Avastium (19.3.2369)
351669 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
443603 Mozilla/5.0 (compatible; MSIE 10.0; Win32; Trident/6.0)
471717 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
501267 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
512202 Mozilla/5.0 (compatible; MSIE 9.0; Win32; Trident/5.0)
530005 WININET Download
722315 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
1006514 Kaspersky Proxy-Server detection agent
1009966 Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
1012636 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
1033354 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
1119997 Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
1133229 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
1491948 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
9861159 WinHttp-Autoproxy-Service/5.1
10821095 Mozilla/5.0 (compatible; MSIE 11.0; Win32; Trident/7.0)
26586046 -
39564825 Mozilla/5.0 (compatible; MSIE 11.0; Win64; Trident/7.0)
51916617 avast! Antivirus

Top “User-Agent” header without “Mozilla”:

8036 Java/1.8.0_151
8178 CFNetworkAgent (unknown version) CFNetwork/975.0.3 Darwin/18.2.0 (x86_64)
8991 webex utiltp
9686 locationd/2101.0.63 CFNetwork/811.5.4 Darwin/16.7.0
10324 MpCommunication
10566 \xE5\x85\xA8\xE6\xB0\x91K\xE6\xAD\x8C 6.1.7 rv:251 (iPhone; iOS 10.2.1; zh_CN)
10594 QNBAutomatic 1.0 rv:1 (iPhone; iOS 10.3.3; zh_CN)
10925 CFNetworkAgent (unknown version) CFNetwork/897.15 Darwin/17.5.0
11174 com.apple.WebKit.Networking/8603.3.8 CFNetwork/811.5.4 Darwin/16.7.0
11244 Sophos System Protection/1.0
11416 Avast Emergency Update Agent
11604 apsd (unknown version) CFNetwork/811.5.4 Darwin/16.7.0
13549 Avira
14710 Microsoft-WebDAV-MiniRedir/6.2.9200
15098 Updaterpre 1.3.204
15505 kugou/8.8.0.10 CFNetwork/808.3 Darwin/16.3.0
15514 Java/1.8.0_40
15684 Python-urllib/3.6
15857 DavClnt
16872 App Virt Client/1.0
17352 NSPlayer/11.0.5721.5251
17386 SXL/3.1
19607 CFNetworkAgent (unknown version) CFNetwork/978.0.7 Darwin/18.5.0 (x86_64)
20434 Microsoft-WebDAV-MiniRedir/6.3.9600
23394 Microsoft BITS/6.7
27094 geod/1 CFNetwork/811.5.4 Darwin/16.7.0
31111 lmi/1.0.0.1 (1100b00-1db00106)
33757 CFNetworkAgent (unknown version) CFNetwork/976 Darwin/18.2.0 (x86_64)
34293 Windows-Update-Agent/7.9.9600.19164 Client-Protocol/1.21
38145 Microsoft-WebDAV-MiniRedir/10.0.14393
42852 MSDW
46364 System.Net.AutoWebProxyScriptEngine/2.0.50727.5420
51430 CFNetworkAgent (unknown version) CFNetwork/902.2 Darwin/17.7.0
53947 Qt System Proxy access/1.0
63008 Windows-Update-Agent
81138 Microsoft NCSI
109562 SeaPort/3.0
115215 CFNetworkAgent (unknown version) CFNetwork/978.0.7 Darwin/18.5.0
131817 User
141151 networkd (unknown version) CFNetwork/758.5.3 Darwin/15.6.0
172761 CFNetworkAgent (unknown version) CFNetwork/976 Darwin/18.2.0
200942 Microsoft-CryptoAPI/5.131.2600.2180
250947 SeaPort/3.1
279313
291523 Microsoft-CryptoAPI/5.131.2600.5512
530005 WININET Download
1006514 Kaspersky Proxy-Server detection agent
9861159 WinHttp-Autoproxy-Service/5.1
26586046 -
51916617 avast! Antivirus

Top “User-Agent” header with “Windows” and without “Mozilla”:

85 CEF3.3538.1852.win64/QCefView 1.0 (Windows; en-us) wondershare_filmora_win
89 Windows Installer
90 Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4549; Pro)
93 Microsoft Office/14.0 (Windows NT 5.1; Microsoft Outlook 14.0.7177; Pro)
94 ipla/382 (Windows NT 6.2)
96 Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (6.2; x86_64)
97 Microsoft Office 2014 (16.0.10730) Windows NT 6.2
98 Microsoft Office/16.0 (Windows NT 6.2; 16.0.10730; Pro)
104 LiveSlides/1.6.12.0 Office/16.0 (Microsoft Windows 10 Enterprise 6.2.9200.0) CefSharp/43.0.0.0 Cef/r3.2357.1287.g861c26e Chromium/43.0.2357.130
105 Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (6.3; x86_64)
117 ipla/385 (Windows NT 5.1)
120 Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Outlook 12.0.6554; Pro)
122 ipla/382 (Windows NT 6.1)
147 Windows-Update-Agent/7.9.9600.17031 Client-Protocol/1.20
157 QNAP Qsync for Windows 4.2.1
161 ipla/384 (Windows NT 6.1)
162 Huajiao PC Client/1.0 (Windows NT 6.1; WOW64) Chrome/45.0.2454.101
173 Microsoft Office/14.0 (Windows NT 5.1; Microsoft Outlook 14.0.7015; Pro)
183 Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Outlook 12.0.6785; Pro)
189 Microsoft Office/14.0 (Windows NT 5.1; Microsoft Outlook 14.0.4760; Pro)
225 Huajiao PC Client/1.0 (Windows NT 5.1) Chrome/45.0.2454.101
233 Microsoft Office/14.0 (Windows NT 5.1; Microsoft Outlook 14.0.6106; Pro)
237 ipla/382 (Windows NT 6.3)
258 Windows-Update-Agent/7.9.9600.18235 Client-Protocol/1.21
270 EAGLE/9.1.3 (Windows_10; pl)
287 Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (6.3; x86_64)
365 ipla/385 (Windows NT 6.0)
384 Microsoft Office/16.0 (Windows NT 6.3; Microsoft Word 16.0.10730; Pro)
553 ipla/384 (Windows NT 10.0)
682 Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (6.1; x86_64)
727 Microsoft Office 2014 (16.0.8827) Windows NT 6.3
727 Microsoft Office/16.0 (Windows NT 6.3; 16.0.8827; Pro)
796 Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (6.1; x86_64)
841 Microsoft Office 2014 (16.0.11425) Windows NT 6.3
848 Windows-Update-Agent/7.9.9600.17489 Client-Protocol/1.21
1118 Microsoft SkyDriveSync (6.3.9600.17484) ship; Windows NT 6.3 (9600)
1177 Microsoft Office/14.0 (Windows NT 5.1; Microsoft Outlook 14.0.6023; Pro)
1206 Windows-Update-Agent/7.9.9600.17729 Client-Protocol/1.21
1372 Microsoft Office 2014 (16.0.11328) Windows NT 6.3
1468 Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (10.0; x86_64)
1558 Microsoft Office 2014 (16.0.10730) Windows NT 6.3
1688 Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Outlook 12.0.4518; Pro)
2288 Microsoft Office/16.0 (Windows NT 6.3; 16.0.10730; Pro)
2291 ipla/385 (Windows NT 6.3)
2767 ipla/385 (Windows NT 10.0)
3009 Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (10.0; x86_64)
3068 Microsoft SkyDriveSync (6.3.9600.17416) ship; Windows NT 6.3 (9600)
5325 ipla/385 (Windows NT 6.1)
34293 Windows-Update-Agent/7.9.9600.19164 Client-Protocol/1.21
63008 Windows-Update-Agent

From all requests, the number of Windows systems based on the “User-Agent” header (entries containing “Mozilla”):

10 98
14 10 x86_64
22 NT 4.0
32 Vista 6.0
38 7 6.1
66 XP WOW64
74 2003 5.2
147 NT 4.10
193 Vista 6.1
207 NT 6.2.0
213 NT 6.1.0
712 XP 5.1
735 7 WOW64
1354 NT 5.0
1492 98 Win
6326 NT 6.3.0
19027 NT 6.1.1
75689 NT 10.0.0
99560 NT 5.2
322577 NT 6.0
598886 NT 6.2
1341742 NT 5.1
2326879 NT 6.3
5118340 NT 6.1
6889248 NT 10.0

From all requests, the number of Office installations based on the “User-Agent” header (entries containing “Microsoft Office”):

47 15.0
1883 14.0
2050 12.0
3790 16.0
8043 2014

Example “User-Agent” headers containing “Minecraft”:

[05/May/2019:09:00:01 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" "Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (10.0; x86_64)"
[05/May/2019:09:00:03 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" "Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (10.0; x86_64)"
[05/May/2019:09:09:47 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" "Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (10.0; x86_64)"
[05/May/2019:09:40:49 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" "Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (10.0; x86_64)"
[05/May/2019:10:07:47 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" "Minecraft Launcher/2.1.3674 (fafa322bd0) Windows (10.0; x86_64)"

Top requests to a resource:

21256 GET /wpad.dat?Type=WMT HTTP/1.1
440410 GET /wpad.dat HTTP/1.0
163397324 GET /wpad.dat HTTP/1.1

“Type=WMT” is a request made by Windows Media Player.

There is also an interesting request from China:

[29/Mar/2019:17:02:11 +0100] wpad "GET /wpad.dat?app=ebank&o=i HTTP/1.1" 200 488 354 "-" "bankabc 3.8.6 rv:3.8.7 (iPhone; iPhone OS 9.3.2; zh_CN)"

Number of requests per HTTP “Host” header value (the destination IP address was always 144.76.184.43):

1 1.1.1.12
1 1.1.1.13
1 1.1.1.15
1 1.1.1.23
1 1.1.1.3
1 1.1.1.8
1 wpad.com.co
1 wpad.home
1 wpad.info.localdomain
1 wpad.wpad.zone
1 www.wpad.cz
2 1.1.1.4
2 1.1.1.7
2 0064:ff9b:0000:0000:0000:0000:904c:b82b
2 fd00:0000:0011:0013:0000:0000:904c:b82b
2 wpad.it.localdomain
2 www.wpad.pl
3 1.1.1.11
3 2607:7700:0:20:0:1:904c:b82b
3 wpad.net
4 1.1.1.6
4 2a01:4f8:200:622a::2
4 wpad.slask.pl
5 wpad.radom.pl
5 www.wpadblock.com
9 1.1.1.5
12 2404:160:0:f:0:2:904c:b82b
12 fd00:0:11:13::904c:b82b
12 (internal domain of the victim's organization)
15 (internal domain of the victim's organization)
15 (internal domain of the victim's organization)
18 2404:160:0:f:0:1:904c:b82b
18 _
19 fd00:0:12:13::904c:b82b
19 wpad.warszawa.pl
22 wpad.org.es
26 wpad.rzeszow.pl
84 wpad.opole.pl
135 127.8.0.2
168 (internal domain of the victim's organization)
237 wpad.olsztyn.pl
324 wpad.zgora.pl
521 wpad.wroclaw.pl
566 wpad.info.pl
679 wpad.me.uk
784 wpad.msk.ru
784 wpad.x50
1000 wpad.org.pl
1055 wpad.biz.pl
1092 wpad.bialystok.pl
1407 127.0.0.1
1494 127.8.0.1
1748 64:ff9b::904c:b82b
2399 wpad.katowice.pl
2712 wpad.domains
2861 wpad.localdomain
3078 wpad.eu.org
3086 wpad.com.es
3167 wpad.szczecin.pl
4756 wpad.ltd
10106 wpad.bydgoszcz.pl
19330 wpad.systems
20919 wpad.zone
21063 wpad.gr
23100 wpad.plus
24343 wpad.org.cn
27746 wpad.direct
29519 wpad.ee
30381 wpad.kiev.ua
33255 wpad.ws
36253 wpad.waw.pl
44382 wpad.co
47732 wpad.tw
49033 wpad.net.cn
58087 wpad.net.pl
64488 wpad.cz
88062 wpad.edu.pl
124983 wpad.vip
132536 wpad.hr
133433 wpad.net.ar
157040 wpad.lv
182913 wpad.info
200364 wpad.sk
201483 wpad.cat
202547 wpad.com.ua
257260 wpad.net.br
264516 wpad.im
346419 wpad.name
408975 wpad.xxx
562700 wpad.live
696839 wpad.pro
762658 wpad.computer
869726 wpad.cc
976290 wpad.group
1255850 wpad.tv
1424599 wpad.network
2439283 wpad.com.ar
4637745 wpad.it
4832213 wpad.com.tw
6587573 wpad.com.pl
20521150 wpad
29181884 wpad.pl
85839883 144.76.184.43

The analysis was based mainly on unique IPs, but let’s remember that behind any IP there can be many more computers, as machines in a LAN are usually hidden behind a single or a few public IPs – sometimes this is visible as multiple different “User-Agent” headers per single IP address. Because of this, the actual number is a lot higher than the 10 million unique IPs mentioned before. For example, in one airport case there is a single IP but 13 different “User-Agent” headers:

1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Spotify/1.1.2.285 Safari/537.36
3 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/19.10.20091 Chrome/64.0.3282.119 Safari/537.36
3 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
23 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
23 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
24 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/19.10.20099 Chrome/64.0.3282.119 Safari/537.36
27 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Skype/8.34.0.78 Chrome/61.0.3163.100 Electron/2.0.11 Safari/537.36
31 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
88 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/19.10.20091 Chrome/64.0.3282.119 Safari/537.36
90 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
171 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
241 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
333 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

It can also be noted that there are UAs of Spotify and Skype, so it is hard to make a precise calculation without deep manual investigation of each individual case.
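The statistics above (unique IPs, requests per “Host” value, requests per resource, and IPs that show several “User-Agent” strings) all come from the Nginx `enhanced` log format quoted earlier. As an added example, not the authors' own tooling, the following parser reproduces those counts over a few constructed log lines (RFC 5737 documentation addresses as clients; Host headers and User-Agents mirror the ones seen on this page). Real sinkhole logs would be streamed from the files instead of the inline list.

```python
"""Parse Nginx access logs in the 'enhanced' format and reproduce the per-IP,
per-Host, per-request and per-User-Agent counts used in the analysis."""
import re
from collections import Counter, defaultdict

# Field order of the quoted log_format: $remote_addr - $remote_user
# [$time_local] $host "$request" $status $body_bytes_sent $request_length
# "$http_referer" "$http_user_agent" $request_time $upstream_response_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) (?P<reqlen>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>\S+) (?P<urt>\S+)$'
)

# Constructed sample (not the real logs). The last line is deliberately malformed.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2019:09:00:01 +0200] wpad "GET /wpad.dat HTTP/1.1" 200 505 204 "-" '
    '"Minecraft Launcher/2.1.2481 (bcb98e4a63) Windows (10.0; x86_64)" 0.000 -',
    '192.0.2.10 - - [05/May/2019:09:00:03 +0200] wpad.pl "GET /wpad.dat HTTP/1.1" 200 505 204 "-" '
    '"WinHttp-Autoproxy-Service/5.1" 0.000 -',
    '192.0.2.10 - - [05/May/2019:09:01:00 +0200] wpad.pl "GET /wpad.dat HTTP/1.1" 200 505 204 "-" '
    '"avast! Antivirus" 0.000 -',
    '198.51.100.7 - - [05/May/2019:09:02:11 +0200] wpad.it "GET /wpad.dat?Type=WMT HTTP/1.1" 200 505 230 "-" '
    '"-" 0.001 -',
    '198.51.100.7 - - [05/May/2019:09:02:12 +0200] 144.76.184.43 "GET /wpad.dat HTTP/1.1" 200 505 204 "-" '
    '"Mozilla/5.0 (compatible; MSIE 11.0; Win64; Trident/7.0)" 0.000 -',
    '203.0.113.5 - - [05/May/2019:09:03:00 +0200] wpad.com.tw "GET /wpad.dat HTTP/1.0" 200 505 190 "-" '
    '"Kaspersky Proxy-Server detection agent" 0.000 -',
    'this is a malformed line',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines, min_uas=3):
    """Aggregate what the post reports: unique client IPs, requested Host values,
    request lines, User-Agents, and IPs presenting at least `min_uas` distinct
    User-Agents (a hint that a NAT gateway hides several machines)."""
    hosts, requests, uas = Counter(), Counter(), Counter()
    uas_per_ip = defaultdict(set)
    parsed = malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # keep going; one bad line must not stop a 24G run
            continue
        parsed += 1
        hosts[rec["host"]] += 1
        requests[rec["request"]] += 1
        uas[rec["ua"]] += 1         # "-" (no User-Agent) is counted, as on the page
        uas_per_ip[rec["ip"]].add(rec["ua"])
    multi = sorted(ip for ip, seen in uas_per_ip.items() if len(seen) >= min_uas)
    return {
        "parsed": parsed,
        "malformed": malformed,
        "unique_ips": len(uas_per_ip),
        "top_hosts": hosts.most_common(),
        "top_requests": requests.most_common(),
        "top_uas": uas.most_common(),
        "multi_ua_ips": multi,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("unique IPs:", s["unique_ips"], "(malformed lines:", s["malformed"], ")")
    for host, n in s["top_hosts"]:
        print(f"{n:>8} {host}")
    print("IPs with several User-Agents:", s["multi_ua_ips"])
```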

Summary

After 10 years of badWPAD attacks coming from at least these 63 wpad.* TLD domains, we were able to help with sinkholing them just 3 days after our first blog post about this case, where we suggested that they should be sinkholed ASAP, quote: “All of this proves that specified domains should be sinkholed as shortly as possible by CERT teams that have jurisdiction over these resources (TLDs, IP address etc)” [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html].

It is worth mentioning that the owner of the wpadblocking.com project handed the domains over to CERT teams and shared the logs with us right after our investigation and publications – in fact no one forced him to do this. This is terrifying, because a single individual had the potential ability to infect tens of millions of computers in a short time (based on the above analysis). Please also remember our quote from the first blog post about this case: “But it doesn’t give any warranty that it will not service any malicious content in the future or will change the content for short period of time, or even service this e.g. to clients of a single ISP, CIDR etc. If a malicious actor knows that e.g. any ISP is utilizing search domain “pl” then he can service malicious content just for their ASN, and everyone else will get a non malicious script. This approach will minimize the hazard of detecting specified threat” and “Please keep in head that this server can be besides just hacked any time or domain wpadblock.com can be taken over etc – then this infrastructure can start service malicious content too, which can lead to massive infection” [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html].

In justified cases, to contact REDTEAM.PL for more detailed information about this case, you can find our email addresses on our company website [https://redteam.pl/en/#contact].
