[Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

Y M snort at ...3751...
Wed Oct 15 09:18:02 EDT 2014


Same here; the issue is not restricted to Firefox and does not seem OS/device specific. We are getting these on SID:32173 as well.

YM

> From: gkay at ...3961...
> To: rmcglamery at ...3965...; snort-sigs at lists.sourceforge.net
> Date: Wed, 15 Oct 2014 12:47:11 +0000
> Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm
> 
> Our side is not restricted to Firefox. However, looking at the other traffic between our clients and the IP address 23.43.75.27, it seems to be OCSP requests.
> 
> sr.symcd.com
> gtssl2-ocsp.geotrust.co
> gtglobal-ocsp.geotrust.com
> evcs-ocsp.ws.symantec.com
> svrsecure-oracle-ocsp.verisign.com
> volusion-ocsp.digitalcertvalidation.com
> 
> 
> All requests, regardless of the URL used, have a similar format in the URI and download a file with the same name as the URI.
> 
> 
> Hope this helps in some way
> 
> Greg Kay
> 
> 
> -----Original Message-----
> From: McGlamery, Russell [mailto:rmcglamery at ...3965...] 
> Sent: 15 October 2014 13:24
> To: McGlamery, Russell; Greg Kay; 'snort-sigs at lists.sourceforge.net'
> Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm
> 
> I updated Firefox to version 33 on some of the nodes that were triggering the alerts and the alerts stopped.
> 
> --
> Russ 
> 
> 
> 
> 
> 
> 
> On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery at ...3965...> wrote:
> 
> >This looks like it's something related to older versions of Firefox; I 
> >am trying to verify now.
> >
> >-----
> >Russ
> >
> >
> >
> >
> >On 10/15/14, 7:24 AM, "Greg Kay" <gkay at ...3961...> wrote:
> >
> >>Hi,
> >>
> >>We are getting a large amount of hits for this domain which appears to 
> >>be Symantec owned.  Fairly certain this is a false positive.
> >>
> >>* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware 
> >>domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
> >>* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware 
> >>domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
> >>
> >>IP address is associated with geotrust, thawte and verisign as well.
> >>
> >>Have checked the references to virustotal but haven't seen anything there
> >>suggesting it's bad.   Maybe I'm missing something.
> >>www.virustotal.com/en/domain/s2.symcb.com/information/
> >>www.virustotal.com/en/domain/sr.symcd.com/information/
> >>
> >>
> >>
> >>Thanks
> >>
> >>Greg Kay
> >>
> >>_______________________________________________
> >>Snort-sigs mailing list
> >>Snort-sigs at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>http://www.snort.org
> >>
> >>
> >>Please visit http://blog.snort.org for the latest news about Snort!
> 
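A triage check for the false positive discussed in this thread, added here as an example and not part of the mailing-list exchange: it cross-references a DNS blacklist alert against the HTTP traffic the same client sent to the flagged host and treats the alert as a probable false positive only when that traffic is OCSP (RFC 6960: a POST with Content-Type application/ocsp-request, or a GET whose path is the base64 DER request). The SIDs and domains come from the thread; the client addresses, log lines and base64 path are constructed.

```python
import base64
import binascii

# SIDs and the domains they match, as quoted in the thread.
SID_DOMAINS = {32174: "sr.symcd.com", 32173: "s2.symcb.com"}

# Constructed sample data. Alert lines: "sid client_ip qname".
# HTTP lines: "client_ip host method path content_type" ("-" = none).
ALERTS = [
    "32174 10.0.0.5 sr.symcd.com",
    "32173 10.0.0.7 s2.symcb.com",
    "32174 10.0.0.9 sr.symcd.com",
]
HTTP_LOG = [
    "10.0.0.5 sr.symcd.com GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ= -",
    "10.0.0.7 s2.symcb.com POST / application/ocsp-request",
]

def looks_like_ocsp_get(path: str) -> bool:
    """RFC 6960 GET form: the path is the base64 DER OCSPRequest, a DER SEQUENCE (0x30)."""
    try:
        der = base64.b64decode(path.strip("/"), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30

def is_ocsp_request(method: str, path: str, content_type: str) -> bool:
    """RFC 6960 allows POST with application/ocsp-request or GET with the request in the path."""
    if method == "POST":
        return content_type == "application/ocsp-request"
    return method == "GET" and looks_like_ocsp_get(path)

def triage(alerts, http_log):
    """Verdict per alert, based on what the alerting client actually sent to the flagged host."""
    verdicts = {}
    for line in alerts:
        sid, client, qname = line.split()
        if SID_DOMAINS.get(int(sid)) != qname:
            verdicts[line] = "sid/domain mismatch, check the rule"
            continue
        hits = [h.split() for h in http_log if h.startswith(f"{client} {qname} ")]
        if not hits:
            verdicts[line] = "no HTTP to host seen, investigate"
        elif all(is_ocsp_request(m, p, ct) for _, _, m, p, ct in hits):
            verdicts[line] = "OCSP traffic only, probable false positive"
        else:
            verdicts[line] = "non-OCSP traffic to host, investigate"
    return verdicts
```

Run `triage(ALERTS, HTTP_LOG)` to get one verdict per alert; the third constructed alert has no matching HTTP traffic and so stays open for investigation.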