Snort mailing list archives

Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm


From: Y M <snort () outlook com>
Date: Wed, 15 Oct 2014 13:18:02 +0000

Same here, issue is not restricted to Firefox and does not seem OS/device specific. We are getting these on SID:32173 
as well.

YM

From: gkay () netconsult co uk
To: rmcglamery () pencor com; snort-sigs () lists sourceforge net
Date: Wed, 15 Oct 2014 12:47:11 +0000
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

Our side is not restricted to Firefox. However, looking at the other traffic between our clients and the IP address
23.43.75.27 it seems to be OCSP requests.

sr.symcd.com
gtssl2-ocsp.geotrust.co
gtglobal-ocsp.geotrust.com
evcs-ocsp.ws.symantec.com
svrsecure-oracle-ocsp.verisign.com
volusion-ocsp.digitalcertvalidation.com


All requests, regardless of the URL used, have a similar format in the URI and download a file with the same name as the URI.


Hope this helps in some way

Greg Kay


-----Original Message-----
From: McGlamery, Russell [mailto:rmcglamery () pencor com] 
Sent: 15 October 2014 13:24
To: McGlamery, Russell; Greg Kay; 'snort-sigs () lists sourceforge net'
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

I updated Firefox to version 33 on some of the nodes that were triggering the alerts and the alerts stopped.

--
Russ 






On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery () pencor com> wrote:

This looks like it's something related to older versions of Firefox, I
am trying to verify now.

-----
Russ




On 10/15/14, 7:24 AM, "Greg Kay" <gkay () netconsult co uk> wrote:

Hi,

We are getting a large amount of hits for this domain which appears to 
be Symantec owned.  Fairly certain this is a false positive.

* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware 
domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware 
domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)

IP address is associated with geotrust, thawte and verisign as well.

Have checked the references to virustotal but haven't seen anything there
suggesting it's bad. Maybe I'm missing something.
www.virustotal.com/en/domain/s2.symcb.com/information/
www.virustotal.com/en/domain/sr.symcd.com/information/



Thanks

Greg Kay

=============================================================================

netConsult is the trading name of nMSS Limited.
Telephone (UK) +44 20 7100 3310
Telephone (US) +1  646 465 7620

Registered in England and Wales: Company No 4509492, VAT No 802254076 
Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green, 
IG8 8HD

Important Notice:
This message is for the named recipient(s) use only. It may contain 
confidential, proprietary, or legally privileged information.
No confidentiality or privilege is waived or lost by any mistransmission.
If you have received this message by error, please immediately notify 
the sender, delete it and all copies of it from your system, destroy 
any hard copies, and notify postmaster () netconsult co uk.
If you are not the intended recipient, you must not use, disclose, 
distribute, print, or copy any part of this message directly or 
indirectly.
Unless otherwise stated, all quoted prices exclude VAT. Please see our 
Terms & Conditions for further details.


------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
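Greg's observation that the traffic to 23.43.75.27 is OCSP and that every request to these hosts has the same URI shape is the check a defender wants to automate before suppressing SIDs 32173 and 32174. The script below is an added example, not code from this thread or from Snort: it builds a constructed OCSPRequest, encodes it the way an OCSP GET does (RFC 6960 Appendix A: the URL path is the URL-encoded base64 of the DER request), then runs over a few proxy-log lines (constructed here, not captures from the thread) and reports whether each request to a listed responder host is a well-formed OCSP request. The responder hostnames are the ones posted in the thread; the issuer hashes, serial number and log lines are made up.

```python
"""Added triage helper (not from the Snort-sigs thread): is an HTTP GET to a
blacklisted responder host a well-formed OCSP request?

RFC 6960 Appendix A:  GET {url}/{url-encoding of base-64 of DER OCSPRequest}
A path that decodes to a DER OCSPRequest is ordinary revocation checking.
"""
import base64
import re
from urllib.parse import quote, unquote

# Responder hostnames posted in the thread (the truncated geotrust.co entry is omitted).
RESPONDER_HOSTS = {
    "sr.symcd.com", "s2.symcb.com", "gtglobal-ocsp.geotrust.com",
    "evcs-ocsp.ws.symantec.com", "svrsecure-oracle-ocsp.verisign.com",
    "volusion-ocsp.digitalcertvalidation.com",
}
SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26

# --- minimal DER encode/decode, enough for an OCSPRequest ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_int(n):  # unsigned; extra byte keeps the sign bit clear
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial):
    """OCSPRequest { TBSRequest { requestList { Request { CertID } } } } (no extensions)."""
    alg_id = der_seq(der(0x06, SHA1_OID), der(0x05, b""))
    cert_id = der_seq(alg_id, der(0x04, issuer_name_hash), der(0x04, issuer_key_hash), der_int(serial))
    return der_seq(der_seq(der_seq(der_seq(cert_id))))

def _read_tlv(buf, pos):
    """Return (tag, content, end) for the TLV at pos; ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length

def _expect(buf, pos, tag):
    t, content, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag {tag:#x}, got {t:#x}")
    return content, end

def parse_ocsp_request(data):
    """Walk OCSPRequest -> TBSRequest -> requestList -> first Request -> CertID."""
    outer, end = _expect(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after OCSPRequest")
    tbs, _ = _expect(outer, 0, 0x30)          # optionalSignature, if any, is ignored
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    while tag in (0xA0, 0xA1):                # skip optional [0] version / [1] requestorName
        pos = nxt
        tag, _, nxt = _read_tlv(tbs, pos)
    req_list, _ = _expect(tbs, pos, 0x30)
    request, _ = _expect(req_list, 0, 0x30)
    cert_id, _ = _expect(request, 0, 0x30)
    alg, p = _expect(cert_id, 0, 0x30)
    oid, _ = _expect(alg, 0, 0x06)
    name_hash, p = _expect(cert_id, p, 0x04)
    key_hash, p = _expect(cert_id, p, 0x04)
    serial, _ = _expect(cert_id, p, 0x02)
    return {"hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}

def ocsp_get_path(request_der):
    """Path component of an OCSP GET for this request."""
    return "/" + quote(base64.b64encode(request_der).decode("ascii"), safe="")

def ocsp_request_from_path(path):
    """Parsed request if the path is URL-encoded base64 of a DER OCSPRequest, else None."""
    try:
        return parse_ocsp_request(base64.b64decode(unquote(path.lstrip("/")), validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")

def triage(log_lines):
    """Label each proxy-log line: ocsp-get (path parsed) or not-ocsp, with the serial if parsed."""
    out = []
    for line in log_lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        req = ocsp_request_from_path(path)
        out.append({"host": host, "known_responder": host in RESPONDER_HOSTS,
                    "verdict": "ocsp-get" if req else "not-ocsp",
                    "serial": f"{req['serial']:x}" if req else None})
    return out

# Constructed demo data: made-up issuer hashes and serial, made-up proxy-log lines.
_DEMO_PATH = ocsp_get_path(build_ocsp_request(b"\x11" * 20, b"\x22" * 20, 0x1234))
SAMPLE_LOG = [
    f"10.0.0.5 GET http://sr.symcd.com{_DEMO_PATH} 200 application/ocsp-response",
    "10.0.0.5 GET http://sr.symcd.com/update.bin 200 application/octet-stream",
    f"10.0.0.7 GET http://s2.symcb.com{_DEMO_PATH[:-10]} 404 text/html",  # truncated request
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A request to one of these hosts whose path decodes to a CertID (hash algorithm, two issuer hashes, serial) is routine revocation checking and can be tuned out; one whose path does not decode, like the second and third sample lines, is the request worth pulling a packet capture for. The parser reads only the first Request and ignores the optional signature and extensions, which is enough for triage but not for validating a full OCSP exchange.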