Antivirus Tracker revisited

Back in October 2009 Antivirus Tracker was released publicly – a website that lists public IP addresses of online sandboxes/analysis systems such as Anubis and ThreatExpert. Perceptions of the publication have been very divergent. The Russian antivirus company Kaspersky and a smaller, unimportant Austrian local one both filed lawsuits against Antivirus Tracker (both civil and criminal) – and lost in court (and thanks to that we have the legally binding verdict in black and white that Antivirus Tracker is legal).

Today the Antivirus Tracker website is run by Kleissner & Associates. We do not agree with or condone security by obscurity (in contrast to some colleagues working at antivirus companies), and we do not think that publishing information about public (!) analysis systems harms their security. Submitting your own samples and URLs to such analysis systems takes just minutes – this is not rocket science and can be done by anyone with little technical knowledge or skill. As mentioned in previous blog posts, all servers and domains of Kleissner & Associates are publicly flagged as such (just check the whois information). There is no need for hide and seek in a professional environment.

Approach – laying out the bait, and why we do it

We have now submitted our own “baits” to analysis systems such as URL scanners, online anti-virus scanners, domain checkers and sandboxes. We do this because we want to know all IPs that are used by those analysis systems – so that we can flag potential false positive infections as such. An infection record in Virus Tracker generated by, for example, ThreatExpert or UrlQuery is not a real, genuine infection – and we want to know when that is the case in order to have a clean data set.

We want to share our results here with the community – you can use them to detect (or block) accesses by such automatic systems. While doing the research we actually did not just focus on detecting analysis systems, but also on detecting search bots (such as Googlebot and Baiduspider), proxies (including Tor) and other non-antivirus-related bots (domain checkers).

All in all, to detect and reduce false positive infection records in Virus Tracker, we took these approaches in our research:

  1. Using a /robots.txt on every one of our domains to disallow all search bots
  2. Detecting search bots based on the User Agent
  3. Detecting analysis systems and domain checkers based on many domains being accessed by one or a few IPs
  4. Same as Antivirus Tracker: sending out bait URLs and samples and monitoring the incoming connections

Detecting search bots, crawlers, spiders

These are the search bots that we quickly identified in our data set during research. In summary, you can blacklist search bots simply by checking whether the User Agent contains one of the keywords: bot, virustotalcloud, crawler, slurp, spider, wget/, curl/, urllib/
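The User Agent keyword check above and approach 3 from the list (one IP requesting many of our domains) can both be run over ordinary web server logs. The following Python script is an added example and not code from the post or from Kleissner & Associates; it assumes a log layout of our own choosing (the virtual host name prefixed to the common "combined" format) and works on constructed log lines with placeholder IPs and domains. It flags records rather than blocking anything, which is what is needed to mark false positive infection records.

```python
import re
from collections import defaultdict

# Approach 1 from the post: a robots.txt that asks every crawler to stay away.
# Honest crawlers respect it; the log analysis below catches the rest.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"

# Keywords from the post: a User Agent containing any of these is treated as a search bot.
BOT_KEYWORDS = ("bot", "virustotalcloud", "crawler", "slurp", "spider", "wget/", "curl/", "urllib/")


def is_search_bot(user_agent: str) -> bool:
    """Case-insensitive substring check on the User Agent (approach 2 in the post)."""
    ua = user_agent.lower()
    return any(keyword in ua for keyword in BOT_KEYWORDS)


# Assumed log format (our own choice for this example): the requested virtual host,
# then the usual combined-format fields, so every record carries the domain that was hit.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str):
    """Return the record as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_records(lines, domain_threshold: int = 3):
    """Return (bot_ips, multi_domain_ips) for a batch of log lines.

    bot_ips:          IPs whose User Agent matched a bot keyword.
    multi_domain_ips: IPs that requested at least domain_threshold distinct domains
                      of ours (approach 3: many domains accessed by one or a few IPs).
    """
    bot_ips = set()
    domains_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole batch
        if is_search_bot(rec["ua"]):
            bot_ips.add(rec["ip"])
        domains_per_ip[rec["ip"]].add(rec["host"].lower())
    multi_domain_ips = {ip for ip, hosts in domains_per_ip.items() if len(hosts) >= domain_threshold}
    return bot_ips, multi_domain_ips


# Constructed sample log lines (not real traffic); IPs and domains are placeholders.
SAMPLE_LOG = [
    'bait-a.example 192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    'bait-a.example 192.0.2.11 - - [01/Jan/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.0.1) Gecko/20100101 Firefox/3.0.1"',
    'bait-b.example 192.0.2.11 - - [01/Jan/2014:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.0.1) Gecko/20100101 Firefox/3.0.1"',
    'bait-c.example 192.0.2.11 - - [01/Jan/2014:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.0.1) Gecko/20100101 Firefox/3.0.1"',
    'bait-b.example 192.0.2.12 - - [01/Jan/2014:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "curl/7.26.0"',
    'bait-b.example 192.0.2.13 - - [01/Jan/2014:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/5.0)"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    bots, multi = classify_records(SAMPLE_LOG)
    print("search bots by User Agent:", sorted(bots))
    print("IPs touching >= 3 of our domains:", sorted(multi))
```

The domain threshold is deliberately a parameter: a real visitor rarely requests three unrelated bait domains within minutes, but the right value depends on how many domains you operate and how long a window you aggregate over.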

User Agents

Notable Companies

Websense is probably the biggest company in terms of URL scanning. We get tons of accesses from them all the time.

DomainTools LLC is directly connected to Name Intelligence; they connect to web servers to get information such as the status code and the title, and they also generate a screenshot of the website for their DomainTools service.

Interestingly, TrendMicro, Cisco and UrlVoid are the only ones that we found to have IPv6 capabilities for their domain scanners.

Below are all the IPs that we found to be attached to named (known) companies. While we now have a quite comprehensive list, there are definitely more IPs being used by such analysis systems (this is obviously not a 100% complete list). Before we start receiving criticism for publishing those IPs, we want to point out that we publish them so other researchers do not have to do the same work over and over again. We have previously pointed out how important it is to classify services/domains/servers/IPs correctly, for example to avoid takedowns of legitimate infrastructure (which has happened multiple times in the past). We discovered some of the IPs below as belonging to analysis systems by checking our Virus Tracker dataset, and others by laying out the baits and checking the connections.

Websense
    204.15.64.200
    208.80.194.121
    208.80.194.122
    208.80.194.123
    208.80.194.127
    208.80.194.26
    208.80.194.27
    208.80.194.29
    208.87.232.180
    208.87.238.180
    208.80.194.30

DomainTools LLC
    199.30.228.x
    199.30.228.128
    199.30.228.129
    199.30.228.130
    199.30.228.131
    199.30.228.132
    199.30.228.133
    199.30.228.134
    199.30.228.135
    199.30.228.136
    199.30.228.137
    199.30.228.151
    199.30.228.152
    199.30.228.153
    199.30.228.154

Name Intelligence
    64.246.161.42
    64.246.165.140
    64.246.165.150
    64.246.165.170
    64.246.165.180
    66.249.16.211
    66.249.16.212

Websense Hosted Security Network
    208.87.238.180
    85.115.52.180
    85.115.60.180
    85.115.33.180

Compass Communications
    216.145.17.190
    64.246.161.190
    64.246.178.34

MSP Format Ltd.
    91.250.15.69

TrendMicro
    2620:101:4037:/
    2620:101:4035:/

Cisco
    2620:101:2005:/

University of Georgia
    128.192.76.200

Georgia Institute of Technology
    130.207.203.2

Ikarus
    91.212.136.221
    91.212.136.222
    91.212.136.50

Bitdefender
    81.161.59.17
    91.199.104.141
    91.199.104.149
    91.199.104.15
    91.199.104.228
    91.199.104.3
    91.199.104.6

ESET
    109.74.154.83

Kaspersky
    93.159.230.28
    93.159.230.39
    93.159.230.87
    93.159.230.88
    93.159.230.89
    93.159.230.90

Panda Autovin
    202.190.74.29

Anubis
    198.134.106.15

Malwr
    46.244.22.2

UrlVoid
    2001:41d0:8:9261::1

University of California Santa Barbara
    128.111.48.6

Team Cymru
    38.229.0.75

Who bit into the bait?

Within one week we had a total of 202 infection records for all our bait URLs. Here is the bait that we actually sent out. We generated a ZeuS executable containing our bait URL and a custom version of the original Antivirus Tracker executable, and we reported the plain URL to analysis systems.

Bait

Below is the full list of IPs that contacted our bait URLs. It is interesting to see that certain services get the URLs from multiple sites – for example, you will find that some IPs behind UrlQuery also appear in the Virus Total list. For your convenience, we have already extracted the operating system and the browser from the User Agent.

Services behind Virus Total
    207.102.138.3	Ubuntu	Firefox 15.0.1
    107.178.200.3	Windows	IE 9.0
    83.24.114.185	Windows 2000	Firefox 3.0.1
    80.254.75.128	Windows 7	IE 10.0
    80.254.73.17	Windows 7	IE 10.0
    91.218.247.141	Windows 7	IE 10.0
    46.253.179.138	Windows 7	IE 10.0
    80.254.74.144	Windows 7	IE 10.0
    31.192.104.93	Windows 7	IE 10.0
    93.94.244.10	Windows 7	IE 10.0
    31.192.106.133	Windows 7	IE 10.0
    93.94.246.128	Windows 7	IE 10.0
    93.80.113.250	Windows 7	IE 7.0
    188.99.253.202	Windows 7	IE 7.0
    62.210.74.186	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    50.97.98.134	Windows XP	IE 6.0
    213.37.5.133	Windows XP	IE 6.0
    88.26.239.242	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    91.121.71.92	Windows XP	IE 6.0
    93.80.51.225	Windows XP	IE 6.0
    176.195.189.195	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    84.177.32.153	Windows XP	IE 6.0
    84.73.135.119	Windows XP	IE 6.0
    84.177.6.222	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    176.195.189.195	Windows XP	IE 6.0
    84.177.6.222	Windows XP	IE 6.0
    95.26.98.244	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    93.80.51.225	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    95.220.174.236	Windows XP	IE 6.0
    84.177.8.191	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    95.26.98.244	Windows XP	IE 6.0
    176.195.189.195	Windows XP	IE 6.0
    89.178.94.96	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    95.24.190.229	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    84.177.31.107	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    176.195.189.195	Windows XP	IE 6.0
    95.220.174.236	Windows XP	IE 6.0
    176.195.227.163	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    93.80.78.140	Windows XP	IE 6.0
    95.220.174.236	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    84.177.31.95	Windows XP	IE 6.0
    84.177.23.60	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    128.69.36.57	Windows XP	IE 6.0
    176.195.227.163	Windows XP	IE 6.0
    95.220.176.249	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    84.177.12.45	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    95.220.176.249	Windows XP	IE 6.0
    176.195.227.163	Windows XP	IE 6.0
    72.12.209.146	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    128.68.211.220	Windows XP	IE 6.0
    46.188.47.252	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    84.177.61.231	Windows XP	IE 6.0
    128.68.246.26	Windows XP	IE 6.0
    84.177.42.73	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    50.22.252.66	Windows XP	IE 6.0
    176.195.172.254	Windows XP	IE 6.0
    95.220.176.249	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    46.188.47.207	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    199.87.154.255	Windows XP	IE 7.0
    209.249.180.207	Windows XP	IE 7.0
    107.182.135.43	Windows XP	IE 7.0
    66.135.33.230	Windows XP	IE 7.0
    128.68.125.68	Windows XP	IE 7.0
    128.72.187.85	Windows XP	Opera 10.63
    83.6.158.40	Windows Vista	IE 8.0
    31.172.30.3	Windows XP	IE 6.0
    76.19.47.29	Windows XP	IE 6.0
    4.31.163.2	Windows XP	IE 6.0
    76.19.47.29	Windows XP	IE 6.0
    142.0.42.8	Windows XP	IE 7.0
    79.150.27.5	Windows XP	IE 8.0
    54.211.91.5	Ubuntu 10.04	Firefox 3.6.13

Services behind UrlQuery
    12.167.151.85	Windows XP	IE 8.0
    128.69.36.57	Windows XP	IE 6.0
    173.236.152.132	Windows 7	IE 9.0
    176.195.189.195	Windows XP	IE 6.0
    176.195.227.163	Windows XP	IE 6.0
    188.244.39.12	Windows XP	IE 6.0
    188.244.39.180	Windows XP	IE 6.0
    195.159.140.216	Windows 7	Firefox 3.6.13
    2001:15c0:65ff:235::2	Linux	Firefox 27.0
    203.31.216.156	Windows XP	Firefox 4.0.1
    2607:f298:5:103f::166:2cbe	Windows 7	IE 9.0
    46.188.47.252	Windows XP	IE 6.0
    46.188.5.232	Windows XP	IE 6.0
    64.69.91.210	Windows XP	IE 6.0
    67.213.212.245	Windows 7	IE 10.0
    76.19.47.29	Windows XP	IE 6.0
    81.27.122.104	Windows 7	Chrome 18.6.872
    84.177.12.45	Windows XP	IE 6.0
    84.177.31.95	Windows XP	IE 6.0
    84.177.6.222	Windows XP	IE 6.0
    91.22.223.105	Windows XP	IE 6.0
    91.22.241.88	Windows XP	IE 6.0
    91.79.50.227	Windows XP	IE 6.0
    93.80.51.225	Windows XP	IE 6.0
    93.80.78.140	Windows XP	IE 6.0
    95.220.174.236	Windows XP	IE 6.0
    95.220.176.249	Windows XP	IE 6.0
    95.26.98.244	Windows XP	IE 6.0

Services behind Anubis
    198.134.106.15	Windows XP	IE 6.0
    216.232.78.104	Windows XP	IE 6.0
    84.42.39.77	Windows XP	IE 6.0

Services behind Malwr
    173.236.152.132	Windows 7	IE 9.0
    2607:f298:5:103f::166:2cbe	Windows 7	IE 9.0
    46.244.22.2	Windows XP	IE 6.0
    63.217.168.94	Ubuntu	Firefox 30.0

Services behind ThreatTrack
    72.55.154.6	Other	Other
    38.229.0.75	Other	Other
    66.129.97.253	Other	Other
    72.55.154.15	Other	Other
    217.149.63.66	Other	Other
    193.138.244.231	Other	Other
    66.129.99.119	Windows XP	IE 7.0
    72.64.146.112	Windows XP	IE 8.0
    64.69.91.210	Windows XP	IE 7.0
    85.143.167.19	Windows XP	IE 8.0
    178.24.98.220	Windows XP	IE 8.0
    85.143.167.19	Windows XP	IE 8.0
    85.143.167.19	Windows XP	IE 7.0
    81.27.122.24	Windows 7	Chrome 18.6.872
    2620:101:4037:3a03:150:70:97:88	Windows XP	IE 8.0

Surprisingly, most accesses come from Russia (45%), while the US accounts for 23%, followed by Germany (11%).

Bait Country

Even a week after the initial submission of the URLs and samples, we still get about 15 accesses on the bait URLs per day:

Bait Per Day

What’s next? A conclusion.

You can use the lists above to check whether antivirus systems contacted your web server. As mentioned, this can be useful to detect and classify false positives. As the different services from antivirus and intelligence companies change over time, you should take care to update your list every couple of months to cover the latest IPs in use.
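To actually classify records against the lists above, the addresses first have to be turned into something matchable, including the two shorthand notations the lists use (a trailing x for a whole /24 block, and IPv6 prefixes written as 2620:101:4037:/). The Python script below is an added example, not code from the post or from Virus Tracker. It parses an excerpt of the list in the post's own layout, treats the bare IPv6 prefixes as /48 networks (an assumption, since the post does not state a prefix length), and marks constructed sample infection records whose address falls into a known analysis system's range as likely false positives.

```python
import ipaddress

# Excerpt of the post's list in the post's own notation: an unindented service name,
# followed by indented addresses. "199.30.228.x" stands for the whole /24; a bare IPv6
# prefix such as "2620:101:4037:/" is assumed here to mean a /48 (the post gives no length).
KNOWN_ANALYSIS_SYSTEMS = """
Websense
    204.15.64.200
    208.80.194.121
DomainTools LLC
    199.30.228.x
TrendMicro
    2620:101:4037:/
    2620:101:4035:/
Anubis
    198.134.106.15
Malwr
    46.244.22.2
"""


def to_network(token: str):
    """Translate one address token from the list into an ipaddress network object."""
    token = token.strip()
    if token.endswith(".x"):            # 199.30.228.x  -> 199.30.228.0/24
        return ipaddress.ip_network(token[:-2] + ".0/24")
    if token.endswith(":/"):            # 2620:101:4037:/ -> 2620:101:4037::/48 (assumed length)
        return ipaddress.ip_network(token[:-2] + "::/48")
    return ipaddress.ip_network(token)  # single host -> /32 or /128


def parse_ip_list(text: str):
    """Return a list of (service name, network) pairs from text in the post's layout."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":         # unindented line: a new service name
            current = raw.strip()
        elif current is not None:       # indented line: an address of the current service
            entries.append((current, to_network(raw)))
    return entries


def classify_ip(ip: str, entries):
    """Name of the analysis system the address belongs to, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in entries:
        if addr.version == net.version and addr in net:
            return name
    return None


def flag_false_positives(records, entries):
    """Annotate each infection record with the matching analysis system, if any."""
    flagged = []
    for rec in records:
        name = classify_ip(rec["ip"], entries)
        flagged.append({**rec, "analysis_system": name, "likely_false_positive": name is not None})
    return flagged


# Constructed sample records (not real Virus Tracker data). The first, second and fourth
# addresses are taken from the post's lists; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_RECORDS = [
    {"ip": "199.30.228.131", "url": "http://bait.example/a"},
    {"ip": "2620:101:4037:3a03:150:70:97:88", "url": "http://bait.example/b"},
    {"ip": "203.0.113.7", "url": "http://bait.example/c"},
    {"ip": "46.244.22.2", "url": "http://bait.example/d"},
]

if __name__ == "__main__":
    table = parse_ip_list(KNOWN_ANALYSIS_SYSTEMS)
    for rec in flag_false_positives(SAMPLE_RECORDS, table):
        print(rec["ip"], "->", rec["analysis_system"] or "unknown")
```

Because the table is parsed from text in the post's layout, refreshing it every couple of months (as recommended above) means replacing the text, not the code. The records are annotated rather than dropped, so a later review can still see why an entry was excluded from the clean data set.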