While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However,
Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this:
So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed:
Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.
As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.