August 7: This post has been updated.
But whatever it’s called, the malware infects Windows machines running many versions of Tor Browser. The hidden services in question contained an embedded script which could then execute code on an unsuspecting user’s machine. Then, according to the researcher who reverse engineered that code, the malware causes the infected computer to send its hostname, MAC address (hardware ID), and IP address to a server located in Virginia — defeating the anonymization provided by Tor.
A DomainTools utility referred to by Ars Technica and Wired claims that the IP address (18.104.22.168) is allocated to Science Applications International Corporation, a defense technology contractor. The utility attempts to identify the organization responsible a given block of IP addresses. The tool claims that SAIC is the organization that owns the “C block” containing the IP address coded into the malware (22.214.171.124/24).
Had it been the early ’90s, the IP address of Torsploit's command and control server would have suggested that it belongs to SAIC, but a change made over the years in how IP addresses are assigned makes it a much less convincing piece of evidence.
Back in the old days — when only a small part of the world used the Internet — IP addresses were distributed to service providers in a “class” system. Class A blocks (255.0.0.0) — for instance, MIT’s 126.96.36.199 — contain 16,777,216 addresses, Class B (255.255.0.0) blocks contain over 65 thousand, and so on. Class D (255.255.255.0) addresses would then represent the local network. Unfortunately, the class system was not scalable and would have eventually limited the number of service providers that could own IP address ranges. So the class system went out the door in 1993 and the Internet Engineering Task Force started using variable-bit “classless” lengths to define networks. Since that change, a large organization, like a telecom company, can own a wide variety of block sizes which wouldn’t fit into the older “A.B.C.D” class model — some that can even span several of the old ranges, such as 188.8.131.52 through 184.108.40.206. A small organization can own a very small block of public IP addresses that would have previously put them in a local network with other organizations — like 220.127.116.11 through 18.104.22.168.
These “major” IP address blocks are assigned either by the Internet Assigned Numbers Authority or by regional registries. The owners of these major blocks (usually telecom companies) can then sell smaller blocks to other organizations or individuals as they see fit. For instance, when a company running a handful of servers that need public IP addresses, they’ll likely pay their hosting company for a small block of address, who in turn likely buy their own, larger CIDR block from an upstream network/telecom provider.
It’s a reasonably well understood and documented system. In many cases, you can query the allocation record of IP addresses by doing a “WHOIS query” on the address. For example, a WHOIS query on the IP address for “www.propublica.org” (22.214.171.124) shows that the address is in a two-address range belonging to ProPublica and that this two-address range is in a larger network belonging to Rackspace Hosting.
But the DomainTools lookup utility mentioned by the press reports relies on the old “class” system. Susan Prosser, Vice President of Industry Relations at DomainTools confirmed that the DomainTools tool “goes to a Class C level, looking at the first address only.” That means that the it simply takes the owner (from WHOIS data) of the first IP in that “C block” (126.96.36.199 through 188.8.131.52) and assumes that this is the owner of the entire block, whether or not the block is actually owned by a single organization. So in Torsploit’s case, SAIC is listed as the “owner” even though — as we’ll see below — different portions of the block are actually assigned to different groups and not operated as one large “C block.”
Prosser recommended that “for any delegation beyond that, it is best to do an IP Whois look up for the reassigned subnets,” which would “return the Net Range of the directly assigned party,” and any information about further reassignments and allocations. Doing a few WHOIS queries of our own, we can take a look at the allocation chain for a few of the IP address blocks in the 184.108.40.206 range. (Click on the IP addresses to see the command and the output that goes along with it.)
|220.127.116.11 - 15||"SCIENCE APPLICATIONS INT"||This is likely the value that is being picked up by DomainTools as the "owner" of the entire "C block". In reality, SAIC only appears to own the first 16 IP addresses in the 18.104.22.168 block.|
|22.214.171.124 - 31||"Old Dominion Internet"|
|126.96.36.199 - 47||"FTS2001/US Government"||FTS2001 likely represents telecom services under the "Federal Telecommunications System" 2000 & 2001 contracts.|
|188.8.131.52 - 55||(None)||This range (which contains our addresses in question) appears to have no allocation associated with it other than the large Verizon UUNET65 block.|
|→ 184.108.40.206||"MCI Communications Services, Inc. d/b/a Verizon Business UUNET65"||IP address of the reported malware command & control server.|
|220.127.116.11 - 63||"UNIVERSAL MACHINE CO OF POTTSTOWN INC"|
|18.104.22.168 - 79||"KITRON"|
|22.214.171.124 - 87||"MORNINGSIDE SPORTS FARM"|
|126.96.36.199 - 95||"MetTel, Inc."|
|188.8.131.52 - 103||"GUIDESTAR"|
|184.108.40.206 - 111||"Walt Disney Company"|
|220.127.116.11 - 127||"Dental Concepts"|
|18.104.22.168 - 135||"GARP RESEARCH & SECURITIES"|
|22.214.171.124 - 143||"ASSURED PACKAGING INC"|
|126.96.36.199 - 151||(None)||This range appears to have no allocation associated with it other than the large Verizon UUNET65 block.|
|188.8.131.52 - 159||"CONSCIOUS SECURITY"|
|184.108.40.206 - 175||(None)||This range appears to have no allocation associated with it other than the large Verizon UUNET65 block.|
Looks like the IP addresses of Torsploit’s servers don’t have any specific records other than the UUNET telco, which is now operated by Verizon Business. But this “block” is a massive range — 220.127.116.11 through 18.104.22.168, comprising some 2,097,152 addresses. That’s a large, nonspecific swath of internet that tells us nothing but that these IPs might use some Verizon Business service, or some client of Verizon Business. Many of the neighboring IP addresses, however, do contain information about network providers or customers — including SAIC and the US Government — that the IP ranges have been allocated to. We’ve asked Verizon Business if there is any further information on any reassignment or allocation regarding the command & control server’s IP address, but have not received a response.
A further rumor reported over Twitter and a cybersecurity message board was that one IP address belonged to the NSA, but this may simply be because the “www.nsa.gov” web servers — 22.214.171.124 and 126.96.36.199 — are in the same huge UUNET65/Verizon Business block. (A WHOIS of those IP addresses shows that it belongs to a “LG-TEK” network — 188.8.131.52 through 184.108.40.206 — within the larger UUNET65/Verizon Business block.)
From the available evidence, it seems like it’s jumping the gun to say that the web and command & control servers associated with the exploit are owned by the U.S. government. Here’s all we know for sure:
- Verizon Business is the entity responsible for allocating the IP addresses, since they belong to the huge 220.127.116.11 - 18.104.22.168 IP address block that is allocated to them. But without more specific allocation information, that’s no evidence that the IP addresses map to servers on a network that Verizon Business directly controls.
- The IP addresses in question are numerically near IP address blocks belonging to SAIC and the U.S. Government.
- The IP addresses in question are also numerically near IP address blocks belonging to a variety of businesses, many centered around northern Virginia but with some entries as far as Pennsylvania and California. Because of the way IP addresses are assigned, “numerically near” doesn’t necessarily mean “geographically near.”
Until we know more, reports about the government’s role in the exploit that are based only on IP address data should be taken with a grain of salt.
We’ve left messages with SAIC and Verizon Business and will update this post when we know more.
Update (8/7): Portions of this post have been updated to clarify that both purported IP addresses — 22.214.171.124 and 126.96.36.199 — are linked to Torsploit.