major.io words of wisdom from a systems engineer

Upatre and icanhazip

This is why we can't have nice things

I recently updated the icanhazip FAQ about the resurgence of the Upatre malware and how it’s abusing icanhazip.com. The abuse reports keep coming into the ISPs where I host the site and it’s becoming a challenge to defend each one.

From what I’ve read, Upatre is a piece of malware that has been around in one form or another since 2013. Somewhere along the way, it began making calls to icanhazip.com to determine the public-facing IP address of the machines that it infects. I’m sure this was done by the malware authors to figure out which kinds of targets they hit. If they know the external IP address, they can easily figure out how valuable the target may be.

The information security community has been really helpful and I’ve received emails from several people with ways to identify the malicious requests and deny them. The malware changes over time and the most recent updates mimic the requests made by very recent versions of Firefox on Windows. Separating those requests out from the legitimate ones is extremely difficult.

I’d like to explore some ways to provide sanitized log data from icanhazip to certain security organizations so they can find trends and help more people stomp out this highly annoying piece of malware (among others).
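One way to produce the kind of sanitized log export described above, written here as an added example rather than anything from icanhazip itself. It assumes the web server writes the common Apache/nginx "combined" access log format, replaces each client IP with a keyed HMAC token (so a security organization can still count repeat visitors and spot trends, but cannot recover the original address without the key), drops the referer field, and keeps timestamp, request line, status and User-Agent. The sample log lines, the IP addresses and the User-Agent strings in it are constructed for the example and are not the strings the malware actually sends.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample lines in "combined" log format. These are made up for
# this example and are not real icanhazip traffic or real Upatre requests.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
203.0.113.9 - - [10/Mar/2014:12:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.35.0"
198.51.100.7 - - [10/Mar/2014:12:00:03 +0000] "GET / HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
"""

# Fields of the combined format: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Map an IP to a stable, keyed token.

    Same IP + same key -> same token, so analysts can count repeat visitors,
    but the address cannot be recovered without the key. A plain unkeyed hash
    would not do: the whole IPv4 space is small enough to brute-force.
    """
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def sanitize_line(line: str, key: bytes) -> Optional[str]:
    """Return a sanitized version of one log line, or None if it does not parse.

    Unparseable lines are dropped rather than passed through, so a malformed
    line can never leak an address verbatim into the export.
    """
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    token = pseudonymize_ip(m["ip"], key)
    # Keep only what trend analysis needs; the referer is dropped because it
    # can carry third-party URLs that were never meant to be shared.
    return f'{token} [{m["ts"]}] "{m["req"]}" {m["status"]} "{m["ua"]}"'


def sanitize_log(text: str, key: bytes) -> list[str]:
    """Sanitize every line of a log excerpt, skipping lines that do not parse."""
    rows = []
    for line in text.splitlines():
        sanitized = sanitize_line(line, key)
        if sanitized is not None:
            rows.append(sanitized)
    return rows


if __name__ == "__main__":
    # Placeholder key: generate a fresh random secret for each export so
    # tokens from different exports cannot be joined together.
    export_key = b"placeholder-rotate-per-export"
    for row in sanitize_log(SAMPLE_LOG, export_key):
        print(row)
```

Rotating the key per export is the main design choice: tokens stay consistent within one data set, which is what trend analysis needs, while two exports cannot be cross-correlated to build a longer profile of any one address.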

If you have any feedback on how this might be done, let me know. Also, if you think it’s a horrible idea, let me know as well.