[Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

Joel Esler (jesler) jesler at ...3865...
Wed Oct 15 08:35:40 EDT 2014


That’s interesting.  

We’ll take a look here.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Oct 15, 2014, at 8:23 AM, McGlamery, Russell <rmcglamery at ...3965...> wrote:
> 
> I updated Firefox to version 33 on some of the nodes that were triggering
> the alerts and the alerts stopped.
> 
> --
> Russ 
> 
> 
> 
> 
> 
> 
> On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery at ...3965...> wrote:
> 
>> This looks like it's something related to older versions of FireFox, I am
>> trying to verify now.
>> 
>> -----
>> Russ
>> 
>> 
>> 
>> 
>> On 10/15/14, 7:24 AM, "Greg Kay" <gkay at ...3961...> wrote:
>> 
>>> Hi,  
>>> 
>>> We are getting a large amount of hits for this domain which appears to be
>>> Symantec owned.  Fairly certain this is a false positive.
>>> 
>>> * 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain
>>> sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
>>> * 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain
>>> s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
>>> 
>>> IP address is associated with geotrust, thawte and verisign as well.
>>> 
>>> Have checked the references to virustotal but haven't seen anything there
>>> suggesting it's bad.   Maybe I'm missing something.
>>> www.virustotal.com/en/domain/s2.symcb.com/information/
>>> www.virustotal.com/en/domain/sr.symcd.com/information/
>>> 
>>> 
>>> 
>>> Thanks
>>> 
>>> Greg Kay 
>>> 
>>> =============================================================================
>>> 
>>> netConsult is the trading name of nMSS Limited.
>>> Telephone (UK) +44 20 7100 3310
>>> Telephone (US) +1  646 465 7620
>>> 
>>> Registered in England and Wales: Company No 4509492, VAT No 802254076
>>> Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green, IG8
>>> 8HD 
>>> 
>>> Important Notice:
>>> This message is for the named recipient(s) use only. It may contain
>>> confidential, proprietary, or legally privileged information.
>>> No confidentiality or privilege is waived or lost by any mistransmission.
>>> If you have received this message by error, please immediately
>>> notify the sender, delete it and all copies of it from your system,
>>> destroy any hard copies, and notify postmaster at ...3962...
>>> If you are not the intended recipient, you must not use, disclose,
>>> distribute, print, or copy any part of this message directly or
>>> indirectly. 
>>> Unless otherwise stated, all quoted prices exclude VAT. Please see our
>>> Terms & Conditions for further details.
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Comprehensive Server Monitoring with Site24x7.
>>> Monitor 10 servers for $9/Month.
>>> Get alerted through email, SMS, voice calls or mobile push notifications.
>>> Take corrective actions from your mobile device.
>>> http://p.sf.net/sfu/Zoho
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>> 
>>> 
>>> Please visit http://blog.snort.org for the latest news about Snort!
>> 
>> 
> 
> 
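As an added example (not from the thread, the Snort project, or Talos): a small triage script that parses Snort fast-alert lines for the two SIDs above, sets aside hits on the Symantec certificate-status domains the thread identifies as benign, and renders the matching threshold.conf `suppress` entries. The regex, the sample alert lines, SID 99999 and `malware.example` are all constructed for this example.

```python
import re
# Snort "fast" alert line layout, as a regex written for this example.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
DOMAIN_RE = re.compile(r"known malware domain (\S+)")

# The two domains from the thread: Symantec certificate-status (OCSP/CRL) hosts
# that older Firefox builds query. This allowlist is a local analyst decision,
# not part of the Snort blacklist ruleset.
KNOWN_BENIGN = {"sr.symcd.com": "Symantec OCSP responder; alerts stopped after Firefox 33 update",
                "s2.symcb.com": "Symantec CRL/OCSP host; alerts stopped after Firefox 33 update"}

# Constructed sample alerts; SID 99999 and malware.example are placeholders.
SAMPLE_ALERTS = [
    "10/15-08:02:01.000001  [**] [1:32174:1] BLACKLIST DNS request for known malware "
    "domain sr.symcd.com - Osx.Backdoor.iWorm [**] {UDP} 192.0.2.10:51234 -> 192.0.2.1:53",
    "10/15-08:02:02.000001  [**] [1:32173:1] BLACKLIST DNS request for known malware "
    "domain s2.symcb.com - Osx.Backdoor.iWorm [**] {UDP} 192.0.2.11:51235 -> 192.0.2.1:53",
    "10/15-08:02:03.000001  [**] [1:99999:1] BLACKLIST DNS request for known malware "
    "domain malware.example - Placeholder [**] {UDP} 192.0.2.12:51236 -> 192.0.2.1:53",
]

def parse_alert(line):
    """Extract gid/sid/msg/src/dst and the queried domain from one fast-alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    dm = DOMAIN_RE.search(rec["msg"])
    rec["domain"] = dm.group(1) if dm else None
    return rec

def triage(lines):
    """Split alerts into (suppressed, remaining); suppressed ones carry a reason."""
    suppressed, remaining = [], []
    for rec in filter(None, map(parse_alert, lines)):
        reason = KNOWN_BENIGN.get(rec["domain"])
        (suppressed if reason else remaining).append(dict(rec, reason=reason))
    return suppressed, remaining

def snort_suppress_lines(suppressed):
    """Render threshold.conf 'suppress' entries, one per (gid, sid), with the reason."""
    seen = {}
    for rec in suppressed:
        seen.setdefault((rec["gid"], rec["sid"]), rec["reason"])
    return "\n".join(f"# {why}\nsuppress gen_id {g}, sig_id {s}" for (g, s), why in seen.items())
```

The third sample alert is left in `remaining` because its domain is not on the allowlist; only the two Symantec hosts produce `suppress` entries.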
