
IP Address Identification

Description

An IP address (Internet Protocol address) found in source code should raise suspicion, because hard-coding one is a common technique for reaching a network resource while bypassing the usual DNS lookup. The particular IP address and the context in which it is found determine whether or not it is malicious.

IP addresses appearing in source code should be carefully scrutinized to ensure that a nefarious actor is not reaching out to a network resource that could deliver harmful material.

Importance

IP addresses may have legitimate uses, but they are commonly found in malware.

Examples

While there can be legitimate uses for IP addresses appearing in source code, it is uncommon for a software developer to hard-code them rather than use a DNS name.

An example of a legitimate use is a developer directly including the IP address of a DNS server, such as Google's resolver at 8.8.8.8.

On the other hand, direct IP addresses in source code can be indicative of malicious intent. Analysis of a 2017 malware campaign (see this report from US-CERT) revealed actors hard-coding IP addresses that were used to connect victims to their malicious network infrastructure.

IP addresses that do not have a clear and obvious connection to the primary functionality of source code should be treated with suspicion until their legitimacy can be established.
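As an added illustration of the heuristic described on this page (example code written for this page, not the scanner's own implementation), the following Python script locates IPv4 literals in source text and triages each one: known-good resolver addresses are allowlisted, addresses that cannot be reached from a victim host (loopback, RFC 1918, link-local, multicast, reserved, 0.0.0.0) are marked non-routable, and everything else is surfaced for analyst review. The allowlist and the sample source are constructed; 8.8.8.8 is the page's own example of a legitimately hard-coded resolver, and the `Finding`, `classify`, `scan_source` and `needs_review` names are this example's, not a documented API.

```python
"""Flag hard-coded IPv4 literals in source text and triage them by address class.

Added example; not the scanner's own implementation. The allowlist and the
sample source below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Four dot-separated runs of 1-3 digits, not embedded in a longer dotted
# numeric token (so "1.2.3.4.5" is not split into two hits).
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

# Constructed allowlist of resolver addresses a developer may legitimately
# hard-code; 8.8.8.8 is the example the page gives.
KNOWN_RESOLVERS = {"8.8.8.8"}


@dataclass
class Finding:
    line_no: int
    address: str
    verdict: str   # "allowlisted" | "non-routable" | "review"
    context: str   # the source line the literal was found on


def classify(addr: ipaddress.IPv4Address) -> str:
    """Map an address to a triage verdict.

    Each predicate is checked explicitly rather than relying on is_global,
    whose treatment of multicast space differs across Python versions.
    """
    if str(addr) in KNOWN_RESOLVERS:
        return "allowlisted"
    if (addr.is_unspecified or addr.is_loopback or addr.is_link_local
            or addr.is_private or addr.is_multicast or addr.is_reserved):
        # A victim host cannot reach attacker infrastructure via these ranges.
        return "non-routable"
    # Publicly routable and not known-good: an analyst must establish why the
    # code talks to this address instead of to a DNS name.
    return "review"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per syntactically valid IPv4 literal in *text*."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_CANDIDATE.finditer(line):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # an octet above 255, e.g. "999.1.1.1": not an address
            findings.append(Finding(line_no, str(addr), classify(addr), line.strip()))
    return findings


def needs_review(text: str) -> List[str]:
    """Just the addresses an analyst should look at, in source order."""
    return [f.address for f in scan_source(text) if f.verdict == "review"]


# Constructed sample source; the comments describe the role each literal plays.
SAMPLE_SOURCE = """\
RESOLVER = "8.8.8.8"          # hard-coded public DNS resolver
LISTEN = "0.0.0.0"            # bind to all local interfaces
DB_HOST = "192.168.10.5"      # RFC 1918 address on the internal network
BAD = "999.1.1.1"             # not a valid IPv4 address at all
VERSION = "1.2.3.4"           # version string that merely looks like an address
UPSTREAM = "1.1.1.1"          # routable, but no name and no allowlist entry
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>2}  {f.address:<15} {f.verdict:<12} | {f.context}")
```

The version-string line is deliberately included: `1.2.3.4` is syntactically a routable address, so a purely lexical scanner will surface it for review. That false positive is the practical consequence of the page's point that the context, not the literal alone, decides whether a hard-coded address is malicious; the `context` field carries the surrounding source line so the reviewer can make that call.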