[ThreatCrowd.org] - Concerning MD5 and A/V Reports for 1.1.1.1, 1.0.0.1, and 1.1.1.2

To Whom This May Concern, Greetings!

There’s an array of tools I use to do various checkups on all the different Recursive DNSSEC-Enabled services that exist.

As I’ve been running various checks and tests, I noticed that when I go to…


ThreatCrowd - A Search Engine for Threats:

https://www.threatcrowd.org/


…and type in 1.1.1.1, 1.0.0.1, or 1.1.1.2, there’s a large array of MD5 values that come up on the radar, associated with an array of malware and/or infections.

My family has been using “CloudFlare WARP+ Unlimited” and we’ve been very pleased with the improvements and performance it’s made in our lives.

Our question is: what “ThreatCrowd.org” is reporting for 1.1.1.1, 1.0.0.1, and 1.1.1.2, is this a security problem of sorts we really need to be concerned about, or is everything overall A.O.K. over there?

We’ll be supporting you regardless, but I had to finally get this message out to you as a double-check.

Talk to you soon!

Have a Great Day,

Isaac N. Romero

P.S.: “[email protected]” automatically closed-out the ticket I tried to create for this. Since I didn’t know where to send it to, I figured I’d post it here and let the gurus and experts take a crack at it.

So, the reason why those files might show 1.1.1.1 is static pattern analysis on the malware/files that are submitted to their network.
While 1.1.1.1 is a valid IP address, it’s also a valid and rather common file version.

These kinds of strings can be stored in the #String PE header (see Portable Executable on Wikipedia), which analyzers commonly look into to find IP addresses; this “collision” can cause version strings and IP addresses to be mistaken for one another.

The TL;DR is that there is nothing you have to worry about.

If you fill in another public DNS server, like Google’s 8.8.8.8, you also get some malware results. This is probably because the malware uses one of these public DNS services to do domain lookups, bypassing a (possibly) defunct local resolver. All in all, nothing to worry about.
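The two replies above describe two different reasons a resolver address shows up in a malware sample's strings: the text "1.1.1.1" sitting in a PE version resource as a file version, and a genuine hard-coded public resolver used for lookups. The following added example (not code from the thread, from ThreatCrowd, or from any real analyzer) shows how a string-extraction step can tell those cases apart before anything is treated as a network indicator. It scans a constructed byte blob (labelled in the code; not a real binary) for dotted quads in both ASCII and UTF-16LE, labels a match as a version string when the NUL-terminated string right before it is a VS_VERSION_INFO key such as FileVersion or ProductVersion, and otherwise checks it against an assumed short list of well-known public resolvers.

```python
import re

# A constructed byte blob standing in for a PE file's version resource plus a few
# data-section strings (not a real binary). VS_VERSION_INFO stores its fields as
# NUL-terminated UTF-16LE key/value pairs, so "1.1.1.1" there is a file version.
def _utf16z(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62                       # DOS header fragment (constructed)
    + _utf16z("FileVersion") + _utf16z("1.1.1.1")
    + _utf16z("ProductVersion") + _utf16z("1.0.0.1")
    + b"\x00" * 16
    + b"nameserver 8.8.8.8\x00"                # hard-coded public resolver (constructed)
    + b"http://203.0.113.7/update.bin\x00"     # TEST-NET-3 documentation address (constructed)
)

# Dotted quads as ASCII, and as UTF-16LE (each ASCII char followed by a NUL byte).
ASCII_QUAD = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
WIDE_QUAD = re.compile(rb"(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}")

VERSION_KEYS = ("FileVersion", "ProductVersion")
# Assumed list of well-known public resolvers; extend as needed.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def extract_candidates(blob: bytes):
    """Return (offset, text, encoding) for every dotted quad whose octets are all <= 255."""
    found = []
    for enc, pat in (("ascii", ASCII_QUAD), ("utf-16-le", WIDE_QUAD)):
        for m in pat.finditer(blob):
            text = m.group().decode(enc)
            if all(int(o) <= 255 for o in text.split(".")):
                found.append((m.start(), text, enc))
    return sorted(found)


def _preceded_by_version_key(blob: bytes, offset: int, window: int = 64) -> bool:
    """True if the string immediately before `offset` (ignoring NUL padding) is a
    version-info key, in either encoding. This is the collision described in the thread."""
    ctx = blob[max(0, offset - window):offset].rstrip(b"\x00")
    for key in VERSION_KEYS:
        # The UTF-16LE key ends in a NUL byte that rstrip() removed, hence [:-1].
        if ctx.endswith(key.encode("ascii")) or ctx.endswith(key.encode("utf-16-le")[:-1]):
            return True
    return False


def classify(blob: bytes):
    """Label each candidate so a triage tool does not treat a version number as a network IoC."""
    results = []
    for off, text, enc in extract_candidates(blob):
        if _preceded_by_version_key(blob, off):
            label = "version_string"
        elif text in PUBLIC_RESOLVERS:
            label = "public_resolver"
        else:
            label = "other_ip"
        results.append({"offset": off, "text": text, "encoding": enc, "label": label})
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_BLOB):
        print(f"{r['offset']:5d} {r['encoding']:9s} {r['text']:15s} {r['label']}")
```

On the sample blob, the two UTF-16LE quads are labelled `version_string`, `8.8.8.8` is labelled `public_resolver`, and only the documentation address is left as `other_ip`. The octet check alone is not enough to separate the cases, because 1.1.1.1 is both a valid address and a plausible version number; the surrounding key is what disambiguates, which is exactly the context a plain string scan discards.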