"info":"OSINT - Websites compromised in \u2018Decimal IP\u2019 campaign",
"publish_timestamp":"1490880415",
"published":true,
"threat_level_id":"3",
"timestamp":"1490880407",
"uuid":"58dcbfd0-91a4-4bc6-9aa9-4af7950d210f",
"Orgc":{
"name":"CIRCL",
"uuid":"55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag":[
{
"colour":"#ffffff",
"local":"0",
"name":"tlp:white",
"relationship_type":""
},
{
"colour":"#00223b",
"local":"0",
"name":"osint:source-type=\"blog-post\"",
"relationship_type":""
},
{
"colour":"#0088cc",
"local":"0",
"name":"misp-galaxy:exploit-kit=\"RIG\"",
"relationship_type":""
}
],
"Attribute":[
{
"category":"External analysis",
"comment":"",
"deleted":false,
"disable_correlation":false,
"timestamp":"1490876884",
"to_ids":false,
"type":"text",
"uuid":"58dcbff0-5240-43b0-8d17-46fa950d210f",
"value":"When looking at malicious traffic, one of the things we are interested in are the hosts involved in a particular attack. For example, we check the hostnames or IP addresses that were serving up malicious code.\r\n\r\nBefore getting further, let\u2019s define a few concepts to better understand the topic we are discussing today. A host name can be:\r\n\r\nA domain name (i.e. http://example.com/)\r\nA fully qualified domain name (i.e. http://test.example.com/)\r\nAn IP address (i.e. http://127.0.0.1/)\r\nIt\u2019s not as usual, but IP addresses can indeed be directly used as the URL and when that happens it is called an IP-Literal Hostname (see Eric Lawrence\u2019s post on this subject).\r\n\r\nIP addresses (IPv4) follow the dot-decimal notation which is four numbers, each ranging from 0 to 255, separated by dots. But then, to make things a little more complicated, we have exceptions, such as the non-dotted IP literals, in decimal (http://2130706433/) or octal form (http://017700000001/).\r\n\r\nThis takes us to a recent infection chain for the RIG exploit kit where we came across such an occurrence.",