[Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

McGlamery, Russell rmcglamery at ...3965...
Wed Oct 15 08:56:22 EDT 2014


I was reading something about that URL cert verification in FF so I
focused on that.

--
Russ 






On 10/15/14, 8:47 AM, "Greg Kay" <gkay at ...3961...> wrote:

>Our side is not restricted to Firefox.   However, looking at the other
>traffic between our clients and the IP address 23.43.75.27, it seems to be
>OCSP requests.
>
>sr.symcd.com
>gtssl2-ocsp.geotrust.co
>gtglobal-ocsp.geotrust.com
>evcs-ocsp.ws.symantec.com
>svrsecure-oracle-ocsp.verisign.com
>volusion-ocsp.digitalcertvalidation.com
>
>
>All requests, regardless of the URL used, have a similar URI format and
>download a file with the same name as the URI.
>
>
>Hope this helps in some way
>
>Greg Kay
>
>
>-----Original Message-----
>From: McGlamery, Russell [mailto:rmcglamery at ...3965...]
>Sent: 15 October 2014 13:24
>To: McGlamery, Russell; Greg Kay; 'snort-sigs at lists.sourceforge.net'
>Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known
>malware domain sr.symcd.com - Osx.Backdoor.iWorm
>
>I updated Firefox to version 33 on some of the nodes that were triggering
>the alerts and the alerts stopped.
>
>--
>Russ 
>
>
>
>
>
>
>On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery at ...3965...> wrote:
>
>>This looks like it's something related to older versions of Firefox, I
>>am trying to verify now.
>>
>>-----
>>Russ
>>
>>
>>
>>
>>On 10/15/14, 7:24 AM, "Greg Kay" <gkay at ...3961...> wrote:
>>
>>>Hi,
>>>
>>>We are getting a large number of hits for this domain, which appears to
>>>be Symantec owned.  Fairly certain this is a false positive.
>>>
>>>* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware
>>>domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
>>>* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware
>>>domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
>>>
>>>IP address is associated with geotrust, thawte and verisign as well.
>>>
>>>Have checked the references to VirusTotal but haven't seen anything
>>>there suggesting it's bad.   Maybe I'm missing something.
>>>www.virustotal.com/en/domain/s2.symcb.com/information/
>>>www.virustotal.com/en/domain/sr.symcd.com/information/
>>>
>>>
>>>
>>>Thanks
>>>
>>>Greg Kay
>>>
>>>===============================================================================
>>>
>>>netConsult is the trading name of nMSS Limited.
>>>Telephone (UK) +44 20 7100 3310
>>>Telephone (US) +1  646 465 7620
>>>
>>>Registered in England and Wales: Company No 4509492, VAT No 802254076
>>>Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green,
>>>IG8 8HD
>>>
>>>Important Notice:
>>>This message is for the named recipient(s) use only. It may contain
>>>confidential, proprietary, or legally privileged information.
>>>No confidentiality or privilege is waived or lost by any
>>>mistransmission.
>>>If you have received this message by error, please immediately notify
>>>the sender, delete it and all copies of it from your system, destroy
>>>any hard copies, and notify postmaster at ...3962...
>>>If you are not the intended recipient, you must not use, disclose,
>>>distribute, print, or copy any part of this message directly or
>>>indirectly.
>>>Unless otherwise stated, all quoted prices exclude VAT. Please see our
>>>Terms & Conditions for further details.
>>>
>>>
>>>--------------------------------------------------------------------------------
>>>Comprehensive Server Monitoring with Site24x7.
>>>Monitor 10 servers for $9/Month.
>>>Get alerted through email, SMS, voice calls or mobile push
>>>notifications.
>>>Take corrective actions from your mobile device.
>>>http://p.sf.net/sfu/Zoho
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigs at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>http://www.snort.org
>>>
>>>
>>>Please visit http://blog.snort.org for the latest news about Snort!
>>
>
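Greg Kay's observation above that every request to 23.43.75.27 shares the same URI format and "downloads a file with the same name as the URI" is exactly what OCSP-over-GET looks like: per RFC 6960 Appendix A.1 the path is the URL-encoded base64 of a DER OCSPRequest, so a proxy log shows an opaque blob as the filename. The following Python script is an added example, not code posted by anyone on this thread. It builds a constructed OCSP request URL (the issuer hashes and serial number are dummy values, and sr.symcd.com is used only as a host string) and then decodes a logged URL back into the CertID it carries, so an analyst can confirm that the "file" being fetched is a certificate status query rather than malware traffic. The functions `build_ocsp_request`, `parse_ocsp_get_url` and `sample_ocsp_url` are names chosen for this example.

```python
import base64
import binascii
import urllib.parse

# ---- minimal DER encoder: only what a bare OCSPRequest needs ----------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

SHA1_OID_DER = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial):
    """Encode an OCSPRequest (RFC 6960 s4.1.1) carrying a single CertID."""
    hash_alg = _der(0x30, _der(0x06, SHA1_OID_DER) + _der(0x05, b""))
    # unsigned minimal INTEGER encoding (leading 0x00 when the high bit is set)
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    cert_id = _der(0x30, hash_alg + _der(0x04, issuer_name_hash)
                   + _der(0x04, issuer_key_hash) + _der(0x02, serial_bytes))
    request_list = _der(0x30, _der(0x30, cert_id))   # SEQUENCE OF Request
    tbs_request = _der(0x30, request_list)
    return _der(0x30, tbs_request)

# ---- minimal DER reader ------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, content, position after the element); raises on truncation."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def parse_ocsp_get_url(url_or_path):
    """If the GET path is a base64 DER OCSPRequest (RFC 6960 A.1), return the
    first CertID as a dict; otherwise return None (not an OCSP query)."""
    path = urllib.parse.urlsplit(url_or_path).path if "://" in url_or_path else url_or_path
    b64 = urllib.parse.unquote(path.lstrip("/"))
    try:
        raw = base64.b64decode(b64, validate=True)
        tag, tbs_wrapper, end = _read_tlv(raw, 0)
        if tag != 0x30 or end != len(raw):
            return None
        tag, tbs, _ = _read_tlv(tbs_wrapper, 0)         # tbsRequest
        if tag != 0x30:
            return None
        # tbsRequest may start with [0] version and [1] requestorName; skip them
        tag, request_list, pos = _read_tlv(tbs, 0)
        while tag in (0xA0, 0xA1):
            tag, request_list, pos = _read_tlv(tbs, pos)
        if tag != 0x30:
            return None
        tag, request, _ = _read_tlv(request_list, 0)    # first Request
        tag2, cert_id, _ = _read_tlv(request, 0)        # reqCert CertID
        if tag != 0x30 or tag2 != 0x30:
            return None
        fields, pos = [], 0
        for _ in range(4):   # hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
            tag, content, pos = _read_tlv(cert_id, pos)
            fields.append((tag, content))
    except (binascii.Error, ValueError, IndexError):
        return None
    if [t for t, _ in fields] != [0x30, 0x04, 0x04, 0x02]:
        return None
    return {
        "issuer_name_hash": fields[1][1],
        "issuer_key_hash": fields[2][1],
        "serial": int.from_bytes(fields[3][1], "big", signed=True),
    }

def sample_ocsp_url(host="sr.symcd.com"):
    """Constructed example URL; the hashes and serial are dummy values."""
    der = build_ocsp_request(b"\x11" * 20, b"\x22" * 20, 0x1234ABCD)
    b64 = base64.b64encode(der).decode("ascii")
    return "http://%s/%s" % (host, urllib.parse.quote(b64, safe=""))

if __name__ == "__main__":
    url = sample_ocsp_url()
    print("constructed:", url)
    print("decoded    :", parse_ocsp_get_url(url))
    print("not OCSP   :", parse_ocsp_get_url("http://sr.symcd.com/index.html"))
```

Run it against the URLs from the proxy log instead of `sample_ocsp_url()`: a path that decodes to a CertID with a plausible serial is an OCSP status check for one of the CA's certificates, which is the expected traffic to a responder such as sr.symcd.com; a path that returns `None` is something else and deserves a closer look before the alert is suppressed.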