A long time ago I wrote a diary[1] about malware samples which use online geolocalization services. Such services are used to target only specific victims: if the malware detects that it is executed from a specific area, it just stops. This has been seen in Russian malware

A first query to the MaxMind[3] "me" endpoint, without any extra header, is rejected:

$ wget https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:45:41-- https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Adding a Referer header pointing to MaxMind's own "locate my IP address" page is enough to get an answer:

$ wget -O whereami.txt --referer=https://www.maxmind.com/en/locate-my-ip-address https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:47:11-- https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1214 (1.2K) [application/vnd.maxmind.com-city+json]
Saving to: whereami.txt

whereami.txt 100%[==========================================================] 1.19K --.-KB/s in 0s

2016-09-01 07:49:08 (17.1 MB/s) - whereami.txt saved [1214/1214]

$ cat whereami.txt
{"country":{"names":{"pt-BR":"Bélgica","de":"Belgien","en":"Belgium","ja":"","es":"Bélgica",
"zh-CN":"","ru":"","fr":"Belgique"},"geoname_id":2802361,"iso_code":"BE"},"location":
{"time_zone":"Europe/Brussels","accuracy_radius":100,"longitude":4.3333,"latitude":50.6},"traits":
{"autonomous_system_organization":"BELGACOM-SKYNET-AS","ip_address":"xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
"isp":"Belgacom-skynet-as","organization":"Belgacom-skynet-as","autonomous_system_number":5432},"city":
{"geoname_id":2790101,"names":{"en":"Nivelles","de":"Nivelles","ru":"","zh-CN":"",
"fr":"Nivelles"}},"postal":{"code":"1400"},"subdivisions":[{"geoname_id":3337387,
"names":{"pt-BR":"Valônia","fr":"Wallonie","es":"Valonia","en":"Wallonia","de":"Wallonische Region"},
"iso_code":"WAL"},{"iso_code":"WBR","geoname_id":3333251,"names":{"pt-BR":"Brabante Valão",
"en":"Walloon Brabant Province","de":"Provinz Wallonisch-Brabant","es":"Brabant Wallonie",
"fr":"Brabant Wallon"}}],"continent":{"code":"EU","names":{"pt-BR":"Europa","en":"Europe",
"de":"Europa","ja":"","es":"Europa","fr":"Europe","zh-CN":"","ru":""},
"geoname_id":6255148}}
You can see that it's possible to locate me, but the service also reports information like the AS number and the organization/ISP. Interesting strings like AV vendor names are searched for by the malware, but not only those: if the network name contains strings like "Data Center", "VPS", "Hosting" or "Shared", there is a good chance that the host running the malware is not an endpoint device but a machine rented from a hosting provider, which is exactly where a sandbox or a researcher's analysis VM tends to live.
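To make that check concrete, here is an added Python example (mine, not code from this diary or from any malware sample) that applies the same heuristic to a MaxMind city response. The Belgian record is the whereami.txt output above, trimmed to the fields the check uses; the "Example VPS Hosting" record, the AS number 64496 (documentation range) and the AV vendor marker list are constructed for illustration and are not taken from any real sample.

```python
import json

# Substrings the diary says the malware looks for in the network name fields.
HOSTING_MARKERS = ("data center", "datacenter", "vps", "hosting", "shared")
# Constructed illustration of "AV vendor names"; not the list from any real sample.
AV_VENDOR_MARKERS = ("kaspersky", "symantec", "mcafee", "trend micro", "sophos", "eset")

# Fields used by the check, taken from the whereami.txt output shown above.
HOME_RECORD = json.loads("""{
  "country": {"iso_code": "BE"},
  "traits": {"autonomous_system_organization": "BELGACOM-SKYNET-AS",
             "isp": "Belgacom-skynet-as",
             "organization": "Belgacom-skynet-as",
             "autonomous_system_number": 5432}
}""")

# Constructed record for a VM rented from a hosting provider (not real data;
# AS 64496 is reserved for documentation).
VPS_RECORD = json.loads("""{
  "country": {"iso_code": "NL"},
  "traits": {"autonomous_system_organization": "EXAMPLE-AS",
             "isp": "Example VPS Hosting",
             "organization": "Example VPS Hosting",
             "autonomous_system_number": 64496}
}""")


def network_names(record):
    """Return the free-text network fields of a GeoIP2 city record."""
    traits = record.get("traits", {})
    return [traits.get(key, "")
            for key in ("isp", "organization", "autonomous_system_organization")]


def looks_like_analysis_host(record, blocked_countries=()):
    """Apply the evasion heuristic and return (decision, list of reasons).

    A sample implementing this logic would stop when the decision is True;
    a researcher can run it to see how an analysis box looks to the malware.
    """
    reasons = []
    iso = record.get("country", {}).get("iso_code", "")
    if iso in blocked_countries:
        reasons.append("country %s is on the blocklist" % iso)
    for name in network_names(record):
        low = name.lower()
        for marker in HOSTING_MARKERS:
            if marker in low:
                reasons.append("%r contains hosting marker %r" % (name, marker))
        for marker in AV_VENDOR_MARKERS:
            if marker in low:
                reasons.append("%r contains AV vendor marker %r" % (name, marker))
    return bool(reasons), reasons


if __name__ == "__main__":
    for label, record in (("home", HOME_RECORD), ("vps", VPS_RECORD)):
        flagged, why = looks_like_analysis_host(record, blocked_countries=("RU",))
        print(label, "flagged" if flagged else "clean", why)
```

Feed it the JSON returned by the Referer trick above and you see precisely what the malware will see about your connection: the home xDSL record passes clean, while the hosted VM is flagged twice per field because both "VPS" and "Hosting" appear in its ISP and organization names. The result is only as good as the marker list, which is why real samples combine it with other checks.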
If you're performing research or investigations, always use a dedicated xDSL or cable connection, and query the geolocation service from it before running samples: the answer shows you exactly what the malware will see.
[1]https://isc.sans.edu/forums/diary/Victim+of+its+own+success+and+abused+by+malwares/20311/
[2]https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection/
[3]https://www.maxmind.com/en/geoip2-services-and-databases
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key