Malware hides behind DWORD formatted IP addresses

Internet users know what a domain name is, and many of them are aware of the fact that it is a “translation” of a dotted decimal IP address. But how many of them know that there are other formats that a domain name can be presented in?

This poorly known fact has occasionally been taken advantage of by cyber scammers and malware pushers, and another instance of this approach has recently been spotted by Zscaler researchers.

URLs such as hxxp://1539393606/GoogleSearch.class are being offered to users in order to confuse them and make them click on the offered link.

This and similar links then take them to a web page designed to exploit a Java vulnerability that allows the download of a malicious executable on their computers.

The URLs in question are in the DWORD format, which is composed of two 16-bit binary “words”, but is presented as a 10-digit number. Browsers recognize the format, automatically translate it into an IP address and surf to that page.

Whether you are aware of this and other seldom used formats of an IP address, a good rule of thumb is never to follow links you don’t recognize or can’t tell to where they lead by analyzing them – especially when they are presented to you in unsolicited emails and messages, or messages coming from people you know but seem uncharacteristic for them.