Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Thu, 16 Oct 2014 08:26:10 -0400
Sid 32173 32174 have been deleted. The traffic these rules matched on was
erroneously marked as being malicious.

Alex McDonnell
TALOS
On Oct 15, 2014 9:21 AM, "Y M" <snort () outlook com> wrote:


Same here, issue is not restricted to Firefox and does not seem OS/device
specific. We are getting these on SID:32173 as well.

YM


From: gkay () netconsult co uk
To: rmcglamery () pencor com; snort-sigs () lists sourceforge net
Date: Wed, 15 Oct 2014 12:47:11 +0000
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known

malware domain sr.symcd.com - Osx.Backdoor.iWorm


Our side not restricted to FireFox. However, looking at the other

traffic between our clients and the IP address 23.43.75.27 it seems to be
OCSP requests.


sr.symcd.com
gtssl2-ocsp.geotrust.co
gtglobal-ocsp.geotrust.com
evcs-ocsp.ws.symantec.com
svrsecure-oracle-ocsp.verisign.com
volusion-ocsp.digitalcertvalidation.com


All requests regardless of the URL used have similar format in URI and

download a file with the same name as the URI.



Hope this helps in some way

Greg Kay


-----Original Message-----
From: McGlamery, Russell [mailto:rmcglamery () pencor com]
Sent: 15 October 2014 13:24
To: McGlamery, Russell; Greg Kay; 'snort-sigs () lists sourceforge net'
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known

malware domain sr.symcd.com - Osx.Backdoor.iWorm


I updated Firefox to version 33 on some of the nodes that were

triggering the alerts and the alerts stopped.


--
Russ






On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery () pencor com>

wrote:



This looks line its something related to older versions of FireFox, I
am trying to verify now.

-----
Russ




On 10/15/14, 7:24 AM, "Greg Kay" <gkay () netconsult co uk> wrote:


Hi,

We are getting a large amount of hits for this domain which appears to
be Symantec owned. Fairly certain this is a false positive.

* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware
domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware
domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)

IP address is associated with geotrust, thawte and verisign as well.

Have checked the references to virustotal but haven't seen anything

there

suggesting its bad. Maybe I'm missing something.
www.virustotal.com/en/domain/s2.symcb.com/information/
www.virustotal.com/en/domain/sr.symcd.com/information/



Thanks

Greg Kay

======================================================================
===
=
===

netConsult is the trading name of nMSS Limited.
Telephone (UK) +44 20 7100 3310
Telephone (US) +1 646 465 7620

Registered in England and Wales: Company No 4509492, VAT No 802254076
Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green,
IG8 8HD

Important Notice:
This message is for the named recipient(s) use only. It may contain
confidential, proprietary, or legally privileged information.
No confidentiality or privilege is waived or lost by any

mistransmission.

If you have received this message by error, please immediately notify
the sender, delete it and all copies of it from your system, destroy
any hard copies, and notify postmaster () netconsult co uk.
If you are not the intended recipient, you must not use, disclose,
distribute, print, or copy any part of this message directly or
indirectly.
Unless otherwise stated, all quoted prices exclude VAT. Please see our
Terms & Conditions for further details.


----------------------------------------------------------------------
---
-
----
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push

notifications.

Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



-----------------------------------------------------------------------
---
----
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push

notifications.

Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




=============================================================================


netConsult is the trading name of nMSS Limited.
Telephone (UK) +44 20 7100 3310
Telephone (US) +1 646 465 7620

Registered in England and Wales: Company No 4509492, VAT No 802254076
Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green,

IG8 8HD


Important Notice:
This message is for the named recipient(s) use only. It may contain

confidential, proprietary, or legally privileged information.

No confidentiality or privilege is waived or lost by any

mistransmission. If you have received this message by error, please
immediately

notify the sender, delete it and all copies of it from your system,

destroy any hard copies, and notify postmaster () netconsult co uk.

If you are not the intended recipient, you must not use, disclose,

distribute, print, or copy any part of this message directly or indirectly.

Unless otherwise stated, all quoted prices exclude VAT. Please see our

Terms & Conditions for further details.





------------------------------------------------------------------------------

Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: