[Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

McGlamery, Russell rmcglamery at ...3965...
Wed Oct 15 08:23:39 EDT 2014


I updated Firefox to version 33 on some of the nodes that were triggering
the alerts and the alerts stopped.

--
Russ 






On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery at ...3965...> wrote:

>This looks like it's something related to older versions of Firefox. I am
>trying to verify now.
>
>-----
>Russ
>
>
>
>
>On 10/15/14, 7:24 AM, "Greg Kay" <gkay at ...3961...> wrote:
>
>>Hi,  
>>
>>We are getting a large amount of hits for this domain which appears to be
>>Symantec owned.  Fairly certain this is a false positive.
>>
>>* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain
>>sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
>>* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain
>>s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
>>
>>IP address is associated with GeoTrust, Thawte and VeriSign as well.
>>
>>Have checked the references to VirusTotal but haven't seen anything there
>>suggesting it's bad.   Maybe I'm missing something.
>>www.virustotal.com/en/domain/s2.symcb.com/information/
>>www.virustotal.com/en/domain/sr.symcd.com/information/
>>
>>
>>
>>Thanks
>>
>>Greg Kay 
>>
>>=============================================================================
>>
>>netConsult is the trading name of nMSS Limited.
>>Telephone (UK) +44 20 7100 3310
>>Telephone (US) +1  646 465 7620
>>
>>Registered in England and Wales: Company No 4509492, VAT No 802254076
>>Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green, IG8
>>8HD 
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>http://www.snort.org
>>
>>
>>Please visit http://blog.snort.org for the latest news about Snort!
>
>





More information about the Snort-sigs mailing list