The initial findings used to uncover more Pareto botnet-related artifacts were collated by WhoisXML API security researcher Dancho Danchev.

The Pareto botnet, known for using almost a million infected Android devices to spoof people seemingly watching ads on smart TVs, was reportedly taken down recently through the collaboration of industry players, notably Roku and Google.

But has it been 100% shut down?

We looked at known indicators of compromise (IoCs) to determine other artifacts that may be connected to the threat and sought to find out if any of them are still up and running.

Known Pareto Botnet IoCs

Dubbed one of the most sophisticated botnets to date, Pareto has been tied to several IoCs that include:

• 21 command-and-control (C&C) server domains
• 9 IP addresses
• 34 subdomains hosted on Amazon Web Services (AWS)

We used these domains, IP addresses, and subdomains to look for artifacts that may have not been publicized yet and find out if the entire botnet’s infrastructure has indeed been decommissioned.

Using Domain and IP Intelligence Tools to Find Yet-Unpublished Artifacts

Running the 21 C&C server domains on DNS Lookup API gave us an additional four IP addresses, namely:

• 35[.]83[.]172[.]110
• 44[.]228[.]228[.]126
• 44[.]236[.]242[.]111
• 204[.]11[.]56[.]48

While none of them are currently being detected as “malicious” based on Threat Intelligence Platform (TIP) checks, all had Secure Sockets Layer (SSL) certificate-related issues.

Using the 13 IP addresses (nine from the IoC list and the additional four we just obtained) as Reverse IP/DNS Lookup search terms gave us at least 264 more domains (there may be more as the tool’s results are limited to 300 domains per query) that may be connected to the botnet or tapped for its operation in the future since they share hosts.

Based on TIP checks, 228 or 86% of the additional domains remain live. If they are part of the Pareto infrastructure then that could mean the botnet has not been taken down in its entirety. The checks also revealed that 12 of them are dubbed “malicious.” These are:

• lastockphotos[.]com
• 01-999[.]com
• 48ddd[.]com
• balanceforsun[.]com
• cuttraffic[.]com
• dawei600[.]com
• importtraffic[.]com
• puttraffic[.]com
• twoenough[.]com
• vissn[.]com
• cebubest[.]com
• jacoso[.]com

Given their host IP addresses’ connection to the botnet, users should avoid accessing any of the additional domains found as well.

The reverse IP/DNS lookups done earlier also provided a list of 14 additional AWS subdomains akin to those proven to have been part of the botnet, namely:

• ec2-54-86-138-219[.]compute-1[.]amazonaws[.]com
• ec2-52-39-34-238[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-54-68-196-177[.]us-west-2[.]compute[.]amazonaws[.]com
• aac7921e593974004ae49df1e1f2de42-697406326[.]us-west-2[.]elb[.]amazonaws[.]com
• ec2-54-144-32-227[.]compute-1[.]amazonaws[.]com
• ec2-35-83-172-110[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-44-228-228-126[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-44-236-242-111[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-52-23-54-114[.]compute-1[.]amazonaws[.]com
• tmg-stream-833781289[.]us-east-1[.]elb[.]amazonaws[.]com
• prod-apigee-x-elb-747573873[.]us-west-2[.]elb[.]amazonaws[.]com
• ec2-34-217-164-136[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-44-239-49-7[.]us-west-2[.]compute[.]amazonaws[.]com
• ec2-44-229-182-18[.]us-west-2[.]compute[.]amazonaws[.]com

While none of these are detected as malicious, their possible ties to Pareto botnet IP addresses could serve as a warning.

The look that we took at the published IoCs using various domain and IP intelligence tools provided us lists of other connected domains, IP addresses, and AWS subdomains that may need to be further investigated as an additional layer of security against the threat.

If you want to get a copy of the complete list of artifacts collated from our deep dive, don’t hesitate to contact us. We’re also always open to collaboration if you wish to do a similar study.