Snort mailing list archives

Re: BOTNET-CNC Dropper Win32.Cefyns.A outbound connection triggered by domain parking


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 5 Oct 2011 16:53:50 -0400

On Oct 5, 2011, at 3:59 PM, Jason Wallace wrote:

FWIW... We saw enough bad things come out of here that we blocked the whole sedoparking IP range at the firewall. If 
you do content filtering I suggest blocking parked domains. We see a lot of hits on sites categorized as "malicious" 
whose referrers came from parked domains.

Just my opinion.

On Wed, Oct 5, 2011 at 2:40 PM, NA <dustypath () comcast net> wrote:
Yes I have hit this one also on : www165.sedoparking.com
It is listed on trustedsource.org with a high risk email reputation.
Bill B


On 10/5/11 10:33 AM, Jefferson, Shawn wrote:
Does anyone else see this signature (19123) triggered by domain parking pages?  Every single one I've seen is 
linked to sedoparking.com and appears to be innocent.  Virustotal always reports "clean site" or "unrated site".  
To me it looks like this signature is alerting on an artefact of a malicious page, but this is not a unique thing 
to alert on.

www.victoriarollergirls.com is an example of what I'm talking about.  (careful just in case)



Let me explain how that rule came to pass.

The malware that we were analyzing in order to write that signature was submitting search queries through parked pages 
in order to drive up SEO for certain search terms.  The string was so common across so many different pieces of malware 
that a rule was written for it.  However, we received another false positive today through the snort.org website with a 
pcap attached (the best way for us to see these things!) that showed that it wasn't malware, and that this type of 
search can, apparently, happen for real.  (We don't recommend that you use a parked domain to do searches; that's what 
google.com is for.)

So I went back through the malware looking for other characteristics.  It looks like sid 1:16826 also fires from the 
infected machines.  This rule should be a lot more reliable, as you'll see it contains the MAC address of the infected 
machine.  Handy for identification.

Ensure you have that sid on, and we'll look at 19123.

Joel
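The thread's point is a detection-engineering one: a content match on a string that real users also produce (a search submitted through a parked page) will false-positive, while a match that requires a host-specific artefact (a MAC address in the request) fires only on traffic that carries it and hands the analyst an identifier. The following Python is an added illustration of that trade-off and is not code from the thread, from Sourcefire, or the content of sid 19123 or 1:16826. The request samples, the `/search/` path and the `id` parameter are constructed for the example; the real malware's request format is not given on this page.

```python
"""Generic content match vs. host-specific artefact match (added example).

The request samples and parameter names below are constructed for this
illustration. They are not captured Cefyns traffic and do not reproduce
the content of any real Snort sid.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: (label, raw HTTP request line plus Host header).
SAMPLES = [
    # A person really searching from a parked page, as in the reported FP.
    ("benign",
     "GET /search/?q=victoria+roller+girls HTTP/1.1\r\nHost: www165.sedoparking.com\r\n"),
    # Hypothetical infected host: same search form, plus a URL-encoded MAC.
    ("malicious",
     "GET /search/?q=cheap+pills&id=00%3A1a%3A2b%3A3c%3A4d%3A5e HTTP/1.1\r\nHost: parked.example\r\n"),
    # Same, with a dash-separated (Windows-style) MAC.
    ("malicious",
     "GET /search/?q=seo+term&id=00-1A-2B-3C-4D-5F HTTP/1.1\r\nHost: parked.example\r\n"),
    # Ordinary search-engine use: neither rule should fire.
    ("benign",
     "GET /search?q=snort+rules HTTP/1.1\r\nHost: www.google.com\r\n"),
]

# Six hex octets separated by ':' or '-', not embedded in a longer hex run.
MAC_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Za-z])")


def parse_request(raw):
    """Return (host, path, query-dict) from a minimal HTTP/1.x request."""
    request_line, *headers = raw.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    host = ""
    for header in headers:
        if header.lower().startswith("host:"):
            host = header.split(":", 1)[1].strip()
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so %3A in the query becomes ':'.
    return host, parts.path, parse_qs(parts.query)


def generic_rule(raw):
    """Hypothetical 'search through a parked page' match.

    Fires on any request that submits q= to a /search/ form, which is
    exactly what a human clicking a parked page's search box also does.
    """
    _host, path, qs = parse_request(raw)
    return path == "/search/" and "q" in qs


def mac_rule(raw):
    """Hypothetical host-artefact match.

    Returns the normalised MAC address found in any query value, or None.
    The returned value doubles as the identifier of the infected host.
    """
    _host, _path, qs = parse_request(raw)
    for values in qs.values():
        for value in values:
            match = MAC_RE.search(value)
            if match:
                return match.group(0).replace("-", ":").lower()
    return None


def evaluate(samples):
    """Count true/false positives per rule and collect the MACs seen."""
    stats = {"generic": {"tp": 0, "fp": 0}, "mac": {"tp": 0, "fp": 0}}
    macs = []
    for label, raw in samples:
        mac = mac_rule(raw)
        for name, fired in (("generic", generic_rule(raw)), ("mac", mac is not None)):
            if fired:
                stats[name]["tp" if label == "malicious" else "fp"] += 1
        if mac:
            macs.append(mac)
    return stats, macs


if __name__ == "__main__":
    stats, macs = evaluate(SAMPLES)
    for name, counts in stats.items():
        print(f"{name:8s} true positives={counts['tp']} false positives={counts['fp']}")
    print("infected hosts identified by MAC:", macs)
```

On the constructed samples the generic match fires three times with one false positive (the genuine parked-page search), while the MAC-based match fires only on the two constructed infected-host requests and returns the normalised addresses. The regex deliberately accepts both `:` and `-` separators and relies on `parse_qs` to undo percent-encoding, since a content match on the literal `00:1a:...` would miss a client that URL-encodes the colons.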