APIs Used by Bots to Detect Public IP address

Published: 2023-02-06. Last Updated: 2023-02-06 16:22:38 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Many of the bots I am observing attempt to detect the infected system's public ("WAN") IP address, since most of these systems are assumed to sit behind NAT. To find the external address, the bots query various public APIs. Detecting these requests can be worthwhile: many of the services use unique host names, so the lookups are easy to spot in DNS logs even if TLS is not intercepted.

Note that legitimate software also uses these APIs, so do not simply block them. Keeping an eye on who is sending these requests can be useful, though.

Here are a few I remember seeing. The list I have seen isn't very long, making it easy to detect. Let me know if there are others:

  • http://ip-api.com/json/
  • http://api64.ipify.org
  • http://api.ipify.org
  • https://ip.seeip.org
  • http://checkip.dyndns.org
  • https://ipapi.co/ip/

Some of these APIs block commonly abused user agents like 'curl' or 'pylib'. This keeps many of the common bots from using those specific APIs (the bots typically do not bother to specify a user agent; instead they use a different API without such restrictions).

There are some other websites that malware could use with a bit of screen scraping, but I have not seen malware use them. And while you are looking through your logs: requests for "wanipcn.xml" are not related to looking up the WAN IP address. These requests attempt to exploit an older Realtek SDK vulnerability.
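To make the DNS-log check concrete, here is an added example (not code from the diary): it extracts the host names from the API URLs listed above and counts which internal clients are querying them. The log line format is a constructed assumption (timestamp, client IP, query type, query name), as are the sample lines; adapt the regular expression to your resolver's output.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The public-IP API URLs listed in the diary; we only need their host names.
PUBLIC_IP_API_URLS = [
    "http://ip-api.com/json/",
    "http://api64.ipify.org",
    "http://api.ipify.org",
    "https://ip.seeip.org",
    "http://checkip.dyndns.org",
    "https://ipapi.co/ip/",
]
WATCH_HOSTS = {urlsplit(u).hostname for u in PUBLIC_IP_API_URLS}

# Assumed (constructed) log line format: <timestamp> <client-ip> <qtype> <qname>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA)\s+(\S+?)\.?$")


def is_watched(qname):
    """True if qname is one of the watched hosts or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    return any(qname == h or qname.endswith("." + h) for h in WATCH_HOSTS)


def scan_dns_log(lines):
    """Return {client_ip: Counter({qname: hits})} for queries to watched hosts."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, _qtype, qname = m.groups()
        if is_watched(qname):
            hits.setdefault(client, Counter())[qname.lower().rstrip(".")] += 1
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2023-02-06T10:00:01Z 192.168.1.23 A api.ipify.org.
2023-02-06T10:00:02Z 192.168.1.23 AAAA api64.ipify.org
2023-02-06T10:00:05Z 192.168.1.40 A www.example.com
2023-02-06T10:00:09Z 192.168.1.23 A api.ipify.org
2023-02-06T10:01:00Z 192.168.1.77 A ip-api.com
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, names in sorted(scan_dns_log(SAMPLE_LOG.splitlines()).items()):
        print(client, dict(names))  # e.g. 192.168.1.23 {'api.ipify.org': 2, ...}
```

A client that repeatedly queries these hosts is a candidate for a closer look, not an automatic block, since legitimate software uses the same services.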

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Comments

So while you wouldn't block them you would advocate monitoring them. What would be your next step once you identify an internal source?

Another DNS name to add to the list:

ip-info.ff.avast.com

Interestingly, CAPE Sandbox has a signature for this: https://www.capesandbox.com/analysis/360850/

@JC : Nuke the entire site from orbit. It's the only way to be sure.

One more for the checklist: https://showextip.azurewebsites.net/
Though I can't think of an example piece of malware using it, I'd imagine a lot of innocent sites coding the client IP into initial responses, e.g. cookies, or Location: redirects with ?& parameters.

ifconfig.io is easy to remember, and accessing "https://www.google.com/search?q=what+is+my+ip" with curl (no UA string modifications) you will get a 403 HTTP response with your client IP included :)
Plain text
https://checkip.amazonaws.com

JSON
https://ipinfo.io

Both work with the http:// prefix. On a 5G connection the output may differ though, depending on how clever your 5G ISP / MITM is.

ipinfo.io is even shorter than ifconfig.io, but it would normally require a free or paid subscription. For low volumes of requests it will work without an API token.
