davidonzo / Threat-Intel

Threat-Intel repository. API: https://github.com/davidonzo/apiosintDS
https://osint.digitalside.it
MIT License

[False Positive] `ipfs.io` #49

Closed SukkaW closed 3 months ago

SukkaW commented 3 months ago

ipfs.io is the official website for IPFS. Quoting from Wikipedia, IPFS (The InterPlanetary File System) is a protocol, hypermedia, and file-sharing peer-to-peer network for storing and sharing data in a distributed file system.

IPFS also operates a "gateway" that serves the file on the IPFS over the HTTP URL (Basically a converter that converts IPFS protocol to HTTP protocol) under the domain ipfs.io.

Due to the nature of the IPFS (P2P, Distributed, Decentralized), it is common for hackers to upload malware/viruses to the IPFS and distribute those binaries through IPFS gateways. But IMHO we should not block IPFS gateways because of that. Moreover, the domain ipfs.io is not just the gateway, it also hosts the official website and developer docs of the IPFS.

davidonzo commented 3 months ago

I can not consider it as a false positive since I downloaded 3 malicious files via 3 malicious URLs.

Here are the file links:

**I need further investigation on this. Please, if you can, help me by explaining the services with the related URIs and URLs, in order to understand how future malware should be collected and analyzed.**

The 3 files' URL structure is something like => "hXXps://ipfs.io/ipfs//", which in my mind looks like a server compromise event. Please, explain why I'm wrong :-)

SukkaW commented 3 months ago

> I can not consider it as a false positive since I downloaded 3 malicious files via 3 malicious URLs.

As I described:

> IPFS (The InterPlanetary File System) is a protocol, hypermedia, and file-sharing peer-to-peer network for storing and sharing data in a distributed file system.

Everyone can upload anything to the IPFS networks, and access them through the IPFS gateway, where the IPFS gateway is only (here I quote from the IPFS official docs):

> a web-based service that gets content from an IPFS network (private, or public swarm backed by Amino DHT), and makes it available via HTTP

As I said:

> Due to the nature of the IPFS (P2P, Distributed, Decentralized), it is common for hackers to upload malware/viruses to the IPFS and distribute those binaries through IPFS gateways.

However, the IPFS gateway is no different than other file-sharing services. Anyone can upload malware to Discord/Google Drive/iCloud/GitHub and distribute the malware (before being taken down) through those providers' domains, and the IPFS gateway works just like those providers.

SukkaW commented 3 months ago

As for the URL format `ipfs.io/ipfs/<malicious_path>/<malicious_binary>`, the `<malicious_path>` is actually a unique ID (called a "Content Identifier") that guarantees an immutable file across the entire P2P IPFS network, as described in the IPFS docs:

> A content identifier, or CID, is a label used to point to material in IPFS. It doesn't indicate where the content is stored, but it forms a kind of address based on the content itself. CIDs are short, regardless of the size of their underlying content. IPFS uses the sha-256 hashing algorithm by default.

On GitHub alone, there are 135,000 sample URLs that match the `ipfs.io/ipfs/<malicious_path>/<malicious_binary>` pattern, and almost none of them are malware/viruses.

davidonzo commented 3 months ago

Thanks for the clarification. The domain has been added to the whitelist. This means the malicious URLs will remain in the lists, but the domain will be removed from the domain lists.

Thanks and regards
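As an added example (not code from the Threat-Intel repository or from either commenter), the resolution above can be expressed as a small list-generation step: confirmed-malicious URLs are always kept, a host is only promoted to a domain indicator when it is not on the shared-hosting whitelist, and for path-style IPFS gateway URLs the CID is extracted as its own indicator because, as the thread explains, it is derived from the content and so follows the file to any other gateway. The CID pattern, the whitelist set and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domains that host arbitrary user-uploaded content, per the thread's resolution:
# the domain is whitelisted, but individual malicious URLs stay listed.
SHARED_HOSTING_DOMAINS = {"ipfs.io"}

# Path-style IPFS gateway URL: /ipfs/<CID>[/<path inside the content>].
# The CID character class is a deliberate simplification (assumption): CIDv0 is
# base58btc ("Qm..."), CIDv1 is usually lowercase base32 ("bafy...").
IPFS_PATH_RE = re.compile(r"^/ipfs/(?P<cid>[A-Za-z0-9]{20,})(?P<rest>/.*)?$")


def classify(url):
    """Split one observed URL into (host, cid); cid is None unless the URL
    is a path-style IPFS gateway URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    m = IPFS_PATH_RE.match(parsed.path)
    return host, (m.group("cid") if m else None)


def build_indicators(urls, shared_hosting=SHARED_HOSTING_DOMAINS):
    """Turn confirmed-malicious URLs into three indicator sets.

    - 'urls':    every URL (a malicious file is malicious wherever it sits)
    - 'domains': only hosts that are not shared hosting, so ipfs.io never
                 lands in a domain blocklist
    - 'cids':    content identifiers from gateway URLs, which stay valid on
                 any other gateway because the CID is content-derived
    """
    out = {"urls": set(), "domains": set(), "cids": set()}
    for url in urls:
        host, cid = classify(url)
        out["urls"].add(url)
        if cid:
            out["cids"].add(cid)
        if host and host not in shared_hosting:
            out["domains"].add(host)
    return out


# Constructed sample input: the CID is a placeholder, not a real hash, and
# malware.example is an RFC 2606 reserved name.
SAMPLE_URLS = [
    "https://ipfs.io/ipfs/QmPlaceholderCidNotARealHash0000000000000/dropper.exe",
    "http://malware.example/drop.exe",
]
```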