Publicly available threat intelligence sources strive to warn the public about dangerous web properties to stay away from, so that users don’t run the risk of compromise at home or at work. The data such sites provide is not the end of the road, though; it is more of a starting point.
Take the list of IP addresses in the Feodo Botnet Command-and-Control (C&C) IP Blocklist as an example. Instead of just blocking access to and from those IP addresses, organizations and individuals alike can take security up a notch by digging deeper with tools like https://reverse-ip.whoisxmlapi.com/overview to check DNS history and possibly discover more potential threat sources to steer clear of.
WhoisXML API published an interesting article on some of the best uses of DNS history checkers for cybersecurity. This post seeks to show DNS history checkers at work using the 99 IP addresses in Feodo’s list.
DNS History Checking for Better Cybersecurity
Of the 99 IP addresses, 93 are tagged “malicious” on VirusTotal. A check of the botnet C&C IP addresses’ DNS history using a reverse IP/DNS lookup tool provided a list of 567 connected domains. A total of 54 of the 99 IP addresses, in particular, resolved to the aforementioned 567 domains (see Chart 1 below for their distribution).
Chart 1: Botnet C&C IP addresses and the domains they resolved to based on their DNS history
A bulk IP geolocation lookup for the 99 IP addresses gave us the following details for 98 of them that can help organizations improve their cybersecurity posture:
- A majority of them (19 IP addresses) were geographically located in the U.S. The rest were spread out across 30 other countries shown in more detail in Chart 2.
Chart 2: Number of botnet C&C IP addresses per country
- By Autonomous System Number (ASN) type, most of the IP addresses (32) were categorized under “content.” In second and third places are national service provider (NSP) and cable/digital subscriber line (DSL)/Internet service provider (ISP) IP addresses shown in Chart 3.
Chart 3: Number of botnet C&C IP addresses by ASN type
Organizations can check if the ASN type of each IP address matches the routing policy attached to it.
Subjecting the 567 domains to a bulk WHOIS lookup provided us with the following details for 351 of them that may help cyber investigations along:
- An overwhelming majority of the domains (99) are under GoDaddy.com, followed by Network Solutions, LLC (19) and Freeparking Limited and Synergy Wholesale (15). Some 83 domains were split across 24 registrars. A total of 120 domain owners did not indicate their registrars.
If any of the connected domains turn out to be malicious, affected organizations could contact the registrars if they can’t get hold of their actual owners. Some may have been compromised and aren’t necessarily part of threat actors’ infrastructures.
- Most of the domain registrants (88) indicated the U.S. as their country, followed by Canada (27) and Germany (9). Some 48 of them were split across 13 countries shown in Chart 4 below. A total of 179 domain registrants did not indicate their countries.
Chart 4: Number of domains per registrant country
Cybersecurity specialists may find it odd that the geographic locations of the IP addresses and domains don’t exactly match. And should any of the domains get flagged for malicious activity, such a discrepancy may warrant deeper investigation that could lead to more clues.
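The pivot described above (blocklisted IPs, then reverse IP/DNS history, then geolocation and bulk WHOIS on the connected domains, then a check for country mismatches) can be scripted once the lookup results are in hand. The following is an added example, not code from the article or from WhoisXML API: the reverse-IP, geolocation and WHOIS results are constructed stand-ins embedded inline (RFC 5737 documentation addresses, invented `.test` domain names), so it runs offline and stands in for whatever format the real services return.

```python
"""Pivot from a C&C IP blocklist to connected domains and summarise them.

Added example, not code from the original article or from WhoisXML API.
The lookup results below are constructed stand-ins for what a reverse-IP
(DNS history), IP geolocation and bulk WHOIS service would return; the
IP addresses come from the RFC 5737 documentation ranges and the domain
names are invented for illustration.
"""
from collections import Counter, defaultdict

UNKNOWN = "unknown"

# Constructed blocklist: pretend these came from a C&C IP feed.
BLOCKLIST_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"]

# Constructed reverse-IP / DNS-history output: IP -> domains that resolved to it.
# 203.0.113.7 has no history, as happened for 45 of the 99 IPs in the article.
REVERSE_IP = {
    "192.0.2.10": ["shop-example.test", "mail-example.test"],
    "192.0.2.11": ["cdn-example.test"],
    "198.51.100.5": ["blog-example.test", "shop-example.test"],
}

# Constructed geolocation output: IP -> country and ASN type.
GEO = {
    "192.0.2.10": {"country": "US", "asn_type": "content"},
    "192.0.2.11": {"country": "US", "asn_type": "nsp"},
    "198.51.100.5": {"country": "DE", "asn_type": "isp"},
    "203.0.113.7": {"country": "CA", "asn_type": "content"},
}

# Constructed bulk-WHOIS output: domain -> registrar and registrant country.
# None values model records the WHOIS service could not retrieve or that were
# withheld, like the 120 registrar-less records in the article.
WHOIS = {
    "shop-example.test": {"registrar": "GoDaddy.com", "registrant_country": "US"},
    "mail-example.test": {"registrar": "GoDaddy.com", "registrant_country": "CA"},
    "cdn-example.test": {"registrar": None, "registrant_country": None},
    "blog-example.test": {"registrar": "Network Solutions, LLC", "registrant_country": "DE"},
}


def connected_domains(ips, reverse_ip):
    """Return {domain: sorted list of blocklisted IPs it resolved to}."""
    by_domain = defaultdict(set)
    for ip in ips:
        for domain in reverse_ip.get(ip, []):
            by_domain[domain].add(ip)
    return {d: sorted(v) for d, v in by_domain.items()}


def count_field(records, keys, field):
    """Count values of `field` over `keys`; missing or empty values count as UNKNOWN."""
    counter = Counter()
    for key in keys:
        value = (records.get(key) or {}).get(field)
        counter[value if value else UNKNOWN] += 1
    return counter


def country_discrepancies(domains_to_ips, geo, whois):
    """Domains whose registrant country differs from every hosting IP's country.

    Unknown registrant countries are skipped: absence of data is not a mismatch.
    """
    flagged = {}
    for domain, ips in domains_to_ips.items():
        reg_country = (whois.get(domain) or {}).get("registrant_country")
        if not reg_country:
            continue
        hosting = {geo[ip]["country"] for ip in ips if ip in geo}
        if hosting and reg_country not in hosting:
            flagged[domain] = {"registrant": reg_country, "hosting": sorted(hosting)}
    return flagged


def summarise(ips=BLOCKLIST_IPS, reverse_ip=REVERSE_IP, geo=GEO, whois=WHOIS):
    """Run the full pivot and return the distributions the article reports."""
    domains = connected_domains(ips, reverse_ip)
    ips_with_history = sorted({ip for v in domains.values() for ip in v})
    return {
        "domains": domains,
        "ips_with_history": ips_with_history,
        "ip_country": count_field(geo, ips, "country"),
        "asn_type": count_field(geo, ips, "asn_type"),
        "registrar": count_field(whois, domains, "registrar"),
        "registrant_country": count_field(whois, domains, "registrant_country"),
        "discrepancies": country_discrepancies(domains, geo, whois),
    }


if __name__ == "__main__":
    for name, value in summarise().items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

The discrepancy check deliberately treats a missing registrant country as "no evidence" rather than as a mismatch, mirroring the article's separate tally of registrants who did not indicate a country; a domain is only flagged when a stated registrant country matches none of the countries its blocklisted hosting IPs geolocate to. The `domains` map (domain to the blocklisted IPs it shared) is the list a defender would feed into a watchlist or further WHOIS/DNS review.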
Looking at an IP address’s DNS history can be a good starting point for any cyber investigation. It can reveal connected domains that could be part of threat actors’ infrastructures or point to the perpetrators themselves.