• Do Zombie IPs Host Blacklisted Websites?

    Zombie IPs can be defined as Internet Addresses which participate in bot net communications. When Internet surfers visit websites contaminated with malware, the malicious code often times is successful in infecting the computer of the unsuspecting visitor. Once the malware has installed itself on the personal computer of the Internet surfer, it proceeds to receive commands from a “controller.” This controller machine in many cases a chat group (IRC) or a more sophisticated system.

    At StopTheHacker.com, we have tried to investigate whether there is a correlation between zombie IP addresses (botnet communication sources) and blacklisted websites. If there is a strong correlation, then it points to a disturbing trend that servers used to host websites, are infected at two levels. The websites themselves are infected and there is some kind of botnet malware hosted on those servers as well.

    The Gumblar variety of infections have targeted web sites by installing malicious binaries on end-user clients and then sniffing through for FTP credentials to inject sites with malicious code. This experiment provides a preliminary look into whether these kinds of malware are just targeting sites and are also creating botnets using the infected machines.

    Experiment Setup

    We have examined 178 CIDR IP address ranges obtained from SpamHaus. The entire IP address space covered 1,508,096 IP addresses. Out of these, a random sample of 1,600 IP addresses were chosen. Subsequently, we made attempts to determine the websites hosted on each IP address and check them with the Google Safebrowsing list. The experiment was conducted on January 11, 2010.

    Experiment Summary

      Results in brief:

    • The majority of zombie IPs do not seem to host any blacklisted websites.
    • Only 0.5% IPs seemed to host a website, none of which were present in the Google blacklist.

    This is an indicator that zombie IPs do not usually host blacklisted websites. It seems that malware installs itself stealthily on end-clients and sniffs for ftp credentials, and does not really try to join the host machine with the botnet. This could be due to a concern that creating/joining a botnet increases the chances of the malware being detected on the host. However, given the robust and increasingly related cycle of cyber-crime that proliferates the Internet, this trend may change soon. We will be keeping a close eye on this trend, and expect to publish more results as a follow up to this initial experiment.

    Below we present a list of IPs known to be active on zombie blacklists and also hosting websites.

    IP
    67.218.215.44
    91.213.126.200
    91.213.126.70
    72.2.180.97
    196.1.184.81
    91.211.224.76
    91.211.224.135
    208.84.102.4
    204.86.116.6
    91.205.41.160