  1. #1
    Untanglit
    Join Date
    Sep 2018
    Posts
    25

    Malware Distribution Site "http://dc.ct-scout.net/"

    On a network that had a pretty bad worm/Trojan infection, untangle is reporting quite a few PCs being blocked for Malware Distribution site of "http://dc.ct-scout.net/". Whenever I try to google this, I get nothing, or stuff about medical CT scans. Has anyone seen this, or know how I can dig into it further?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,296


    https://tools.zvelo.com/

    Site in question is listed as Illegal Content, Not Brand Safe, Malicious, and objectionable.

    ct-scout.net is using a Godaddy Park page.

    dc.ct-scout.net resolves to 184.168.221.44, and reports 395,223 other websites... I think it's safe to say this mess is in Godaddy's shared web farm, and yes... it's a problem. So WebFilter is doing its job, and you have infected systems on your LAN that need cleaned.

    What's your question?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untanglit
    Join Date
    Sep 2018
    Posts
    25


    Thank you for replying quickly.

    At least a couple of the machines reported by Untangle to be hitting this URL have scanned clean, even with an offline (*nix-based) boot scan/clean such as Norton boot recovery disk.

    Untangle and Google DNS resolve that FQDN to 167.160.91.10, not the 184 listed above. ARIN lookup shows the 167 IP is direct assigned to US Dedicated, which appears to be a legit dedicated server hosting company. That said, it does appear GoDaddy is where the ct-scout.net domain registration and DNS SOA is parked. The 167 IP returns no PTR lookup, which could be consistent with a shared hosting.

    My main question is has anyone experienced this particular malware URL and/or know what infection(s) it's typically associated with? The combination of not finding anything on Google about this domain/URL despite it being clearly blacklisted by ZVelo, plus some machines scanning clean when windows is offline, have me wanting to confirm this is a legit concern. It seems like it's either a false alarm, or an extremely sophisticated attack.



  4. #4
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    658


    I've not seen that URL on either of the networks I monitor.

    That URL is an interesting case.
    [Screenshot, 2019-01-17: URLVoid "Safe? Check it Now" result for dc.ct-scout.net]

    "Nothing Found" stretches to the bottom of the list.

    Or
    [Screenshot, 2019-01-17: Sucuri Security site check result]

    And yet, since the network has been infected before and if there is no other reasonable explanation for the blacklisting or for why there are machines and/or users attempting that URL, maybe it's not a false positive? It's currently hard to be confident either way, though there appears to be no compelling evidence yet of something malicious hosted there.
    Last edited by Sam Graf; 01-17-2019 at 07:56 AM.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,296


    It's far less interesting when you realize that Godaddy's shared web hosting platform has been breached, and they aren't cleaning it up. The merge with Sucuri resulted in some less than ideal outcomes. The hackers seeking to SEO hijack or deface your site do not need your credentials to breach the system. I know, because I've proven it... year long nightmare... Godaddy level 3 management involved...

    Honestly I'm surprised any black list hasn't just walled off the entire cluster yet.

    Furthermore, Emotet... Emotet laughs at your puny scanners and tells you to get out Autoruns and learn how to read. Though on a rather humorous note, I found an Emotet sample this week that registered itself as a service, and the filename was catchme.sys. I'm going to be giggling about that one for awhile... but the same machine had two more Emotet samples registered as services named very much like Quickbooks services, and the exe files were actually located IN the Quickbooks folder.

    Which means, in this day and age, you'll never be certain a machine is clean. If it ever had a virus on it, paving it is literally the only sure way forward anymore. And Emotet, in the current generation is capable of brute forcing an admin password, elevating itself, then brute forcing the domain admin password, and not only transferring itself over the admin shares to other stations, but servers as well and will use those admin credentials to perform a remote execution command.

    Have you done a format C: for an entire network yet? One that can be required again as soon as a user opens the wrong PDF? Welcome, to the world of Emotet.

    P.S. The above samples were gathered after scanning the machine with Dr. Web, Eset Online Scanner, Malwarebytes, AND Windows Defender via an uninfected system. Clean scans, mean... bupkis. It's like XP all over again...
    Last edited by sky-knight; 01-17-2019 at 08:42 AM.
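    The post above describes the pattern to look for when scanners come back clean: services or drivers registered under a vendor-like name, with the binary dropped into that vendor's folder or into a scratch directory, and no valid signature. The following is an added example written for this thread, not code from the post, from Untangle or from Sysinternals. It assumes an Autoruns CSV export (for instance from `autorunsc -a s -s -c`) with at least the columns used below; column names vary between Autoruns versions, so adjust them to your export. The CSV rows embedded here are constructed for illustration: the entries, paths and signers are invented, not real samples.

```python
"""Flag service/driver persistence entries that hide behind a legitimate
vendor's name or folder, in the manner of the Emotet samples described above.

Added example, not from the thread, Untangle or Sysinternals. Assumes an
Autoruns CSV export with the columns used below; the sample rows are
constructed (invented entries, paths and signers).
"""
import csv
import io
import re

# Constructed sample export: two benign rows, two that should be flagged.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path
HKLM\\System\\CurrentControlSet\\Services,QBCFMonitorService,enabled,Services,QuickBooks Company File Monitor,(Verified) Intuit Inc.,Intuit Inc.,c:\\program files (x86)\\intuit\\quickbooks 2018\\qbcfmonitorservice.exe
HKLM\\System\\CurrentControlSet\\Services,QBUpdateMonitor,enabled,Services,QuickBooks Update Monitor,(Not verified),,c:\\program files (x86)\\intuit\\quickbooks 2018\\qbupdmon.exe
HKLM\\System\\CurrentControlSet\\Services,catchme,enabled,Drivers,,(Not verified),,c:\\windows\\temp\\catchme.sys
HKLM\\System\\CurrentControlSet\\Services,wuauserv,enabled,Services,Windows Update,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\svchost.exe
"""

# Directories a standard user (or a dropper running as one) can write to.
WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")

# Captures the vendor folder directly under "Program Files" or "Program Files (x86)".
PROGRAM_FILES_RE = re.compile(r"\\program files(?: \(x86\))?\\([^\\]+)\\")


def vendor_folder(image_path):
    """Return the vendor folder under Program Files (lower-case), or None."""
    m = PROGRAM_FILES_RE.search(image_path.lower())
    return m.group(1) if m else None


def triage_entry(row):
    """Return the list of findings for one Autoruns row (empty = nothing odd)."""
    findings = []
    signer = row.get("Signer", "").strip()
    path = row.get("Image Path", "").strip().lower()

    # Autoruns prefixes a validated Authenticode signer with "(Verified)".
    if not signer.startswith("(Verified)"):
        findings.append("unsigned-or-unverified")

    # A service or driver binary in a user-writable directory is a classic drop location.
    if any(d in path for d in WRITABLE_DIRS):
        findings.append("user-writable-path")

    # Binary sits in a vendor's Program Files folder, but the signer is not that vendor:
    # the "QuickBooks-like service living in the QuickBooks folder" pattern from the post.
    vendor = vendor_folder(path)
    if vendor and vendor.split()[0] not in signer.lower():
        findings.append("vendor-folder-mismatch:" + vendor)

    return findings


def triage_csv(text):
    """Map entry name -> findings for each Services/Drivers row with at least one finding."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Category") not in ("Services", "Drivers"):
            continue
        findings = triage_entry(row)
        if findings:
            results[row["Entry"]] = findings
    return results


if __name__ == "__main__":
    for entry, findings in triage_csv(SAMPLE_CSV).items():
        print(f"{entry}: {', '.join(findings)}")
```

    On a real export, read the file with `encoding="utf-16"` (autorunsc writes Unicode CSV) and run the triage from a known-clean machine against the suspect disk's export, not on the suspect machine itself; the findings are leads for manual review of the image path and signer, not a verdict.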

  6. #6
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    658


    I wasn't clear. The interesting thing about this URL (though surely not just this URL) is the paucity and ambiguity if not the outright inconsistency of the available information. Untangle tells us nothing about the actual threat, nor does anybody else. You can't actually scan the site (all the scanners I tried were blocked) so this blacklisting is about something else. So from an administrator's point of view, it's interesting I should think. How does one nail down the actual threat? How does one evaluate the reputation problem?

    In other words, just declaring the results of the whole malware detection toolset bupkis is sort of a disincentive to rely on Zvelo's protection all that much. To me, that's an interesting problem.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,296


    Oh I see what you mean...

    Yeah, from that angle the only thing I can think of is this might just be exactly what I was suggesting might happen. Consistent abuse detected from that cluster has resulted in an overly vague, over matching block.

    It's also possible it was picked up by an autocategorization thing at some point while exploited, the domains have been pulled offline since, and they're still on the list because the automation blew up.

    Given that HTTP requests to that URL result in a connection reset, it is technically a miscategorization. To have a category we have to have content, and this URL has no content. The domain seems to be actually owned by Godaddy as well, which might be a result of them taking ownership to stop a problem.

  8. #8
    Untanglit
    Join Date
    Sep 2018
    Posts
    25


    Yes to what Sam Graf was saying. Usually if something as widespread as Emotet or its traveling companions is using a FQDN for C&C, you'd expect to see stuff all over Google about it. So I'm trying to tell what particular malware might be involved.

  9. #9
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    658


    I think there may be merit to sky-knight's comments to the end that this may be a (recently?) stale categorization; the threat is past.

    To me, the most suspicious thing about this URL at the moment remains why there would be any outbound traffic to it at all. It makes no clear sense given the information available about it. And even if the site could be associated with a single piece of malware, that wouldn’t prove that the cause of the outbound traffic was that piece.

  10. #10
    Untanglit
    Join Date
    Sep 2018
    Posts
    25


    I agree that there doesn't appear to be anything relevant (malicious or otherwise) going on at the URL now. Obviously, it's still useful to be classified as malicious by Untangle because it could identify infections even if they're no longer able to phone home. Of course, it's also possible that that URL is only one of many C&C it tries to phone home to and that Untangle isn't catching the others.

    Some of the internal hosts trying the ct-scout.net (and also ct-scout.com) URL have also tried other, more apparently malicious URLs. Additionally, some of the machines hitting the ct-scout have been reimaged and thus far are not showing that activity any more (at least, so far).

    So my conclusion is that there was *something* on these machines. It's possible the original infection was cleaned in the original sweep but some secondary piece, perhaps a bot designed to rack up advertising or traffic rankings (ie, malicious/unwanted, but not in the same way Emotet is), wasn't cleaned in the original sweep. Or even, is this some "toolbar-ware" that was unrelated to the infection but that users like to install? Unfortunately, the client only approved installing Untangle in response to the original massive infection, so we have no previous baseline. The real question still remains -- what, and how malicious/concerning?

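    The two observations in the post above (hosts hitting ct-scout.net have also hit other blocked domains, and reimaged hosts have gone quiet) are exactly what a block-log correlation answers, and it is the check worth running before arguing about whether the categorization itself is stale. The following is an added example written for this thread, not Untangle's code and not from any of the posts. The event lines are constructed in a simplified "timestamp client host category" layout rather than a real Untangle Web Filter export; the client addresses, dates, reimage times and the extra domains (under the reserved `.invalid` TLD) are invented. dc.ct-scout.net is the one real name, taken from the thread.

```python
"""Correlate web-filter block events per internal client with the date the
client was reimaged: which clients hit the flagged domain alongside other
blocked domains, and whether the traffic stopped after the rebuild.

Added example, not Untangle's code or anything from the thread. Event
lines, client addresses, reimage dates and the *.invalid domains are
constructed; only dc.ct-scout.net comes from the thread.
"""
from datetime import datetime

FLAGGED = "dc.ct-scout.net"

# Constructed block events: "<ISO timestamp> <client> <blocked host> <category...>"
SAMPLE_EVENTS = """\
2019-01-10T09:12:03 10.0.1.21 dc.ct-scout.net Malware Distribution
2019-01-10T09:12:05 10.0.1.21 cdn.dropper-example.invalid Malware Distribution
2019-01-11T14:02:40 10.0.1.34 dc.ct-scout.net Malware Distribution
2019-01-12T08:00:10 10.0.1.21 dc.ct-scout.net Malware Distribution
2019-01-16T10:30:00 10.0.1.34 dc.ct-scout.net Malware Distribution
2019-01-16T10:31:12 10.0.1.34 stats.adware-example.invalid Spyware and Questionable Software
"""

# Constructed: when each client was wiped and reimaged (absent = never rebuilt).
REIMAGED = {"10.0.1.21": datetime(2019, 1, 13, 17, 0)}


def parse_events(text):
    """Parse event lines into (timestamp, client, host, category) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, category = line.split(" ", 3)  # category may contain spaces
        events.append((datetime.fromisoformat(ts), client, host, category))
    return events


def correlate(events, reimaged, flagged=FLAGGED):
    """Per client: hits on the flagged domain, other blocked hosts, hits after reimage.

    after_reimage is None for clients that were never rebuilt, otherwise the number
    of block events of any kind recorded after the rebuild time.
    """
    per = {}
    for ts, client, host, _category in events:
        c = per.setdefault(client, {
            "flagged_hits": 0,
            "other_blocked": set(),
            "after_reimage": 0 if client in reimaged else None,
        })
        if host == flagged:
            c["flagged_hits"] += 1
        else:
            c["other_blocked"].add(host)
        if client in reimaged and ts > reimaged[client]:
            c["after_reimage"] += 1
    return {k: dict(v, other_blocked=sorted(v["other_blocked"])) for k, v in per.items()}


def verdict(summary):
    """Translate one client's summary into the triage labels the discussion turns on."""
    labels = []
    if summary["flagged_hits"] and summary["other_blocked"]:
        # Not an isolated hit on a possibly stale entry: other blocked destinations too.
        labels.append("multiple-blocked-domains")
    if summary["after_reimage"] is None:
        labels.append("not-reimaged")
    elif summary["after_reimage"] > 0:
        # The rebuild did not stop it: reinfection, a second source, or user-installed software.
        labels.append("active-after-reimage")
    else:
        labels.append("quiet-since-reimage")
    return labels


if __name__ == "__main__":
    summary = correlate(parse_events(SAMPLE_EVENTS), REIMAGED)
    for client in sorted(summary):
        s = summary[client]
        print(f"{client}: flagged={s['flagged_hits']} other={s['other_blocked']} "
              f"after_reimage={s['after_reimage']} -> {verdict(s)}")
```

    A client labelled "active-after-reimage" is the one that settles the question in the thread: if a freshly built machine resumes contacting the flagged host, the cause is either reinfection from the network (the admin-share spread described earlier) or something users reinstall, and the block entry is not stale from that network's point of view regardless of what the site serves today.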
