The Zeros Netblock Indicator of Compromise

Blog Post created by RSA Admin Employee on May 8, 2014

The 0.0.0.0/8 Network Address Range is an IANA reserved netblock that could be used for internal hosts, just like the 10.0.0.0/8 network is often used on corporate networks.  I've been on quite a few corporate networks in my career, and I haven't often seen the Zeros netblock used internally.  But we do see this network destination associated with various malware campaigns.

Most recently we have seen a spate of various versions of the "Win32/Fujacks" virus.  Once infected, a machine will make specific calls to Command and Control domains which seem to be temporarily parked in the Zeros netblock.  Two great writeups on this behavior are located at TotalHash.com here and here.  If you look at the domain names, you can see how the current campaign uses various hosts at the nba1001.com domain.  Previously the same malware used NS5000wip.com and before that it used nslook00x.com.

One thing they all have in common is a set of public IP addresses and several private IPs in the zeros netblock.

Some APT threat actors have also been known to park domains temporarily in the zeros netblock, either between campaigns or in preparation for a new campaign.

In addition, it appears that some anti-malware groups are sinkholing some domains by pointing them to addresses in the zero space. 

But if you are not using the zeros netblock internally, you should likely consider any attempts to communicate with that network as a probable indicator of compromise. 

A simple rule in Security Analytics (or even firewalls, IPSes, etc!) to alert on connection attempts to this block is:

ip.dst=0.0.0.0/8

Name the rule "Zeros Netblock IOCs".
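As an added illustration of that rule (example code written for this post, not from the original article or from Security Analytics), the same check run offline over constructed connection and DNS records: it flags destinations in 0.0.0.0/8 and also domains whose answers resolve into the block, since parked or sinkholed C2 domains show up that way. The log format and the internal_zeros exclusion (for shops that really do use part of the block internally) are assumptions.

```python
import ipaddress

# Constructed sample records (not from the original post). Two kinds:
#   conn <time> <src_ip> <src_port> <dst_ip> <dst_port>
#   dns  <time> <client_ip> <qname> <answer_ip>
SAMPLE_LOG = """\
conn 2014-05-08T10:00:01 192.168.1.20 52143 0.8.147.2 80
conn 2014-05-08T10:00:02 192.168.1.20 52144 93.184.216.34 443
dns  2014-05-08T10:00:03 192.168.1.21 c2.example.invalid 0.23.9.10
dns  2014-05-08T10:00:04 192.168.1.21 www.example.com 93.184.216.34
conn 2014-05-08T10:00:05 192.168.1.22 49152 0.0.0.0 0
"""

ZEROS = ipaddress.ip_network("0.0.0.0/8")  # IANA-reserved "zeros" block


def in_zeros(addr):
    """True if addr parses as an IP and lies in 0.0.0.0/8 (IPv6 never does)."""
    try:
        return ipaddress.ip_address(addr) in ZEROS
    except ValueError:  # not an IP literal at all
        return False


def find_zeros_iocs(lines, internal_zeros=()):
    """Offline equivalent of the post's ip.dst=0.0.0.0/8 rule.

    internal_zeros: sub-ranges of 0.0.0.0/8 legitimately used internally
    (assumed knob); destinations inside them are not reported.
    A hit may also be an anti-malware sinkhole, so triage the domain too.
    """
    exclude = [ipaddress.ip_network(n) for n in internal_zeros]
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 5:
            continue
        if f[0] == "conn" and len(f) >= 6:
            reason = "connection to 0.0.0.0/8"
        elif f[0] == "dns":
            reason = "domain %s resolves into 0.0.0.0/8" % f[3]
        else:
            continue
        target = f[4]  # dst_ip for conn, answer_ip for dns
        if not in_zeros(target):
            continue
        if any(ipaddress.ip_address(target) in net for net in exclude):
            continue
        hits.append({"time": f[1], "src": f[2], "dst": target, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_zeros_iocs(SAMPLE_LOG.splitlines()):
        print(hit)
```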

Attached is a PCAP showing this Fujacks worm in action.  You can see how it attempts to spread to other network hosts, as well as how it beacons out to the nba1001 domains.  You can use this PCAP for testing the above rule or for demonstration purposes.  All domains listed in the TotalHash reports had previously been added to the FirstWatch C2 domains feeds to assist customers with detection of this threat.

Good luck and Happy Hunting!