[Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

Alex McDonnell amcdonnell at ...435...
Thu Oct 16 08:26:10 EDT 2014


SIDs 32173 and 32174 have been deleted. The traffic these rules matched on was
erroneously marked as being malicious.

Alex McDonnell
TALOS
On Oct 15, 2014 9:21 AM, "Y M" <snort at ...3751...> wrote:

> Same here, issue is not restricted to Firefox and does not seem OS/device
> specific. We are getting these on SID:32173 as well.
>
> YM
>
> > From: gkay at ...3961...
> > To: rmcglamery at ...3965...; snort-sigs at lists.sourceforge.net
> > Date: Wed, 15 Oct 2014 12:47:11 +0000
> > Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known
> malware domain sr.symcd.com - Osx.Backdoor.iWorm
> >
> > Our side is not restricted to FireFox. However, looking at the other
> > traffic between our clients and the IP address 23.43.75.27, it seems to be
> > OCSP requests.
> >
> > sr.symcd.com
> > gtssl2-ocsp.geotrust.co
> > gtglobal-ocsp.geotrust.com
> > evcs-ocsp.ws.symantec.com
> > svrsecure-oracle-ocsp.verisign.com
> > volusion-ocsp.digitalcertvalidation.com
> >
> >
> > All requests, regardless of the URL used, have a similar format in the URI
> > and download a file with the same name as the URI.
> >
> >
> > Hope this helps in some way
> >
> > Greg Kay
> >
> >
> > -----Original Message-----
> > From: McGlamery, Russell [mailto:rmcglamery at ...3965...]
> > Sent: 15 October 2014 13:24
> > To: McGlamery, Russell; Greg Kay; 'snort-sigs at lists.sourceforge.net'
> > Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known
> malware domain sr.symcd.com - Osx.Backdoor.iWorm
> >
> > I updated Firefox to version 33 on some of the nodes that were
> triggering the alerts and the alerts stopped.
> >
> > --
> > Russ
> >
> >
> >
> >
> >
> >
> > On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery at ...3965...>
> wrote:
> >
> > >This looks like it's something related to older versions of FireFox, I
> > >am trying to verify now.
> > >
> > >-----
> > >Russ
> > >
> > >
> > >
> > >
> > >On 10/15/14, 7:24 AM, "Greg Kay" <gkay at ...3961...> wrote:
> > >
> > >>Hi,
> > >>
> > >>We are getting a large amount of hits for this domain which appears to
> > >>be Symantec owned. Fairly certain this is a false positive.
> > >>
> > >>* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware
> > >>domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
> > >>* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware
> > >>domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)
> > >>
> > >>IP address is associated with geotrust, thawte and verisign as well.
> > >>
> > >>Have checked the references to virustotal but haven't seen anything
> > >>there suggesting it's bad. Maybe I'm missing something.
> > >>www.virustotal.com/en/domain/s2.symcb.com/information/
> > >>www.virustotal.com/en/domain/sr.symcd.com/information/
> > >>
> > >>
> > >>
> > >>Thanks
> > >>
> > >>Greg Kay
> > >>
> > >>=============================================================================
> > >>
> > >>netConsult is the trading name of nMSS Limited.
> > >>Telephone (UK) +44 20 7100 3310
> > >>Telephone (US) +1 646 465 7620
> > >>
> > >>Registered in England and Wales: Company No 4509492, VAT No 802254076
> > >>Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green,
> > >>IG8 8HD
> > >>
> > >>Important Notice:
> > >>This message is for the named recipient(s) use only. It may contain
> > >>confidential, proprietary, or legally privileged information.
> > >>No confidentiality or privilege is waived or lost by any
> mistransmission.
> > >>If you have received this message by error, please immediately notify
> > >>the sender, delete it and all copies of it from your system, destroy
> > >>any hard copies, and notify postmaster at ...3962...
> > >>If you are not the intended recipient, you must not use, disclose,
> > >>distribute, print, or copy any part of this message directly or
> > >>indirectly.
> > >>Unless otherwise stated, all quoted prices exclude VAT. Please see our
> > >>Terms & Conditions for further details.
> > >>
> > >>
> > >>------------------------------------------------------------------------------
> > >>Comprehensive Server Monitoring with Site24x7.
> > >>Monitor 10 servers for $9/Month.
> > >>Get alerted through email, SMS, voice calls or mobile push
> notifications.
> > >>Take corrective actions from your mobile device.
> > >>http://p.sf.net/sfu/Zoho
> > >>_______________________________________________
> > >>Snort-sigs mailing list
> > >>Snort-sigs at lists.sourceforge.net
> > >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > >>http://www.snort.org
> > >>
> > >>
> > >>Please visit http://blog.snort.org for the latest news about Snort!
> > >
> > >
> >
> >
> >
> >
> >
>
>
>
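The URI pattern Greg describes is what an OCSP GET looks like: the DER-encoded OCSPRequest is base64-encoded into the URL path (RFC 6960, Appendix A). The Python below is added here as an example and is not part of the thread; it decodes such a path and checks that it is a well-formed CertID query, so an analyst can confirm that traffic to a "blacklisted" host such as sr.symcd.com is ordinary revocation checking. The sample request, its issuer hashes and serial are constructed, not captured.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# DER-encoded hash OIDs allowed in a CertID, with the digest length each implies.
HASH_OIDS = {bytes.fromhex("2b0e03021a"): ("sha1", 20),
             bytes.fromhex("608648016503040201"): ("sha256", 32)}

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def parse_ocsp_get(path):
    """Return {'hash_alg', 'serial'} if path carries a DER OCSPRequest, else None."""
    try:
        raw = base64.b64decode(unquote(path.lstrip("/")), validate=True)
        t, body, _ = tlv(raw)                      # OCSPRequest ::= SEQUENCE
        t2, tbs, _ = tlv(body)                     # TBSRequest  ::= SEQUENCE
        t3, req_list, pos = tlv(tbs)
        while t3 in (0xA0, 0xA1):                  # skip [0] version / [1] requestorName
            t3, req_list, pos = tlv(tbs, pos)
        t4, request, _ = tlv(req_list)             # first Request
        t5, cert_id, _ = tlv(request)              # CertID
        t6, alg, pos = tlv(cert_id)                # AlgorithmIdentifier
        t7, oid, _ = tlv(alg)
        if (t, t2, t3, t4, t5, t6, t7) != (0x30,) * 6 + (0x06,) or oid not in HASH_OIDS:
            return None
        name, hlen = HASH_OIDS[oid]
        t8, name_hash, pos = tlv(cert_id, pos)     # issuerNameHash OCTET STRING
        t9, key_hash, pos = tlv(cert_id, pos)      # issuerKeyHash  OCTET STRING
        t10, serial, _ = tlv(cert_id, pos)         # serialNumber   INTEGER
        if (t8, t9, t10) != (4, 4, 2) or len(name_hash) != hlen or len(key_hash) != hlen:
            return None
        return {"hash_alg": name, "serial": serial.hex()}
    except (ValueError, IndexError, binascii.Error):
        return None

# Constructed sample (not captured traffic): OCSPRequest with a SHA-1 CertID, dummy
# issuer hashes (0x11.., 0x22..) and serial 0x0123456789ab; sample_ocsp_path()
# renders it as it would appear in an OCSP GET URL path (RFC 6960, Appendix A.1).
SAMPLE_DER = bytes.fromhex("3047304530433041303f300906052b0e03021a0500"
                           "0414" + "11" * 20 + "0414" + "22" * 20 + "02060123456789ab")

def sample_ocsp_path():
    return "/" + quote(base64.b64encode(SAMPLE_DER).decode(), safe="")
```

A path that decodes to anything other than a CertID query (a favicon, an unrelated base64 blob) returns None, which is the case worth a closer look.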