By: ThreatLabz

Malicious URLs Using DWORD-Formatted IP Addresses

Evasion/Stealth

IP stands for Internet Protocol. An IP address is a numerical label assigned to each device on a network, and every website has a unique IP address that identifies it on the Internet. Because IP addresses are difficult to remember, host/domain names are used instead and translated to IP addresses via DNS. What some people don’t realize is that an address can be presented in several formats: a host/domain name, a dotted-decimal IP address, or the DWORD format. Most browsers nowadays accept only hostnames and dotted-decimal IP addresses; the remaining formats are largely ignored.


In our research, we have identified that attackers have started using malicious domains in DWORD format to fool or confuse victims. Here is an example of such a malicious URL:


hxxp://1539393606/GoogleSearch.class


If you look at the above URL, you will see an atypical number instead of a domain name or IP address. But be careful: it is actually an IP address that the attacker has converted into DWORD format. If you visit the above URL, your browser will automatically convert this to a plain IP address. Lately, we have been seeing many malicious URLs using the DWORD format to hide their actual IP address. The number “1539393606” is actually an IP address that points to “91.193.72.70”. If you visit the above URL using a browser like Firefox, it will display the URL as “http://91.193.72.70/GoogleSearch.class”.


IP to DWORD format


To convert an IP address to DWORD, open your calculator in scientific mode. Let’s take the above IP address, “91.193.72.70”. Split it into four octets: 91, 193, 72 and 70.

1) Select decimal mode and type 91 in your calculator.
2) Then click on HEX mode. It will give you the hex value 5B for the first octet. Write that down and do the same for the other three octets.
3) You will ultimately get “5BC14846” for all 4 octets.
4) The string above is in hex format. Select HEX mode in the calculator and paste in the hex string.
5) Select decimal mode and you will then get “1539393606”, which is the DWORD form of the IP address.
6) Type this DWORD in your browser and you will be taken to the address “91.193.72.70”.
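The calculator steps above as code, together with the reverse check a defender actually needs: a small Python helper, added here and not part of the original post, that converts between dotted-quad and DWORD form and flags DWORD-host URLs in a constructed proxy log so they can be matched against ordinary IP blocklists. The log layout (URL as the last field) is an assumption.

```python
from typing import List, Optional
from urllib.parse import urlsplit

def ip_to_dword(dotted: str) -> int:
    """Dotted quad -> 32-bit DWORD: each octet becomes one byte (91 -> 5B, 193 -> C1, ...)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet   # shift in the next byte, high octet first
    return value

def dword_to_ip(dword: int) -> str:
    """32-bit DWORD -> dotted quad (what the browser does before connecting)."""
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {dword}")
    return ".".join(str((dword >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dword_host_to_dotted(url: str) -> Optional[str]:
    """Return the dotted-quad host if the URL's host is a bare decimal DWORD, else None."""
    host = urlsplit(url).hostname      # works on defanged hxxp:// URLs too
    if not host or not host.isdigit():
        return None                    # a hostname or an already-dotted IP
    try:
        return dword_to_ip(int(host))
    except ValueError:
        return None                    # digits, but not a valid 32-bit value

def flag_dword_urls(log_lines: List[str]) -> List[str]:
    """Proxy-log triage: 'dword_url -> dotted_ip' for every request whose host is a DWORD."""
    hits = []
    for line in log_lines:
        url = line.split()[-1]         # assumed log layout: the URL is the last field
        dotted = dword_host_to_dotted(url)
        if dotted:
            hits.append(f"{url} -> {dotted}")
    return hits

# Constructed sample proxy log (not from the original post); URLs defanged as in the text.
SAMPLE_LOG = [
    "2011-03-01T10:00:01Z 10.0.0.5 GET hxxp://1539393606/GoogleSearch.class",
    "2011-03-01T10:00:02Z 10.0.0.7 GET hxxp://www.example.com/index.html",
    "2011-03-01T10:00:03Z 10.0.0.9 GET hxxp://91.193.72.70/GoogleSearch.class",
    "2011-03-01T10:00:04Z 10.0.0.5 GET hxxp://3560666344/options.class",
]
```

Calling `flag_dword_urls(SAMPLE_LOG)` returns only the two DWORD-host requests, each annotated with the dotted address the browser would actually connect to.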


Here are some other malicious URLs we have seen in the wild in DWORD format:


hxxp://1496251283/dhj8v.class


hxxp://3560666344/options.class


Further research shows that these URLs exploit a Java vulnerability (CVE-2010-4452) to download malware onto the victim’s machine.


What’s your DWORD form?


Umesh