SANS ISC InfoSec Forums

Malware Soup du Jour
As an avid reader of this diary, you know of course that things are not always what they appear to be. That was the case for a user today who, after hitting a convoluted chain of exploit files, ended up with his browser trying to download files from us6-redhat520-com. No, this isn't Red Hat Inc. And no, the HTMs served from there are not HTMs at all but EXEs in disguise. In the meantime, the more nimble of the AV vendors have even come up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hosting provider has been informed; the owner of the domain and site appears to be located in China.

In other cases, though, things sometimes are exactly what they appear to be. While investigating a malware sample today that came from 81.29.241.231, I noticed that in the past month we had analyzed almost a dozen samples coming from the same 81.29.241.0/24 address range. That is indication enough for me that putting this address range "off limits" for my systems is time well invested. The range is located in Moscow, Russia, so unless your users are located there or do a lot of business with Moscow, the chances are small that blocking the entire range will have side effects.
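The two observations above translate into two simple checks a defender can run over downloads: does the file's content match the type its extension claims (an .htm whose bytes begin with the PE "MZ" header is an EXE in disguise), and did it come from a range you have decided to block (the diary's 81.29.241.0/24)? The following is example code added here, not ISC's or the handler's; the download records are constructed, the hostname is kept in the defanged form the diary uses, and the non-blocked addresses are documentation ranges.

```python
"""Check downloads for (1) extension/content mismatch and (2) origin in a
blocked address range. Added example, not ISC code; sample data is constructed."""
import ipaddress
from dataclasses import dataclass

# Range the diary decided to block (81.29.241.0/24); extend as needed
BLOCKED_RANGES = [ipaddress.ip_network("81.29.241.0/24")]

# Leading bytes of a few container formats that should never hide behind a text extension
MAGIC = {
    b"MZ": "pe-executable",   # DOS/PE header: Windows EXE or DLL
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
TEXT_EXTENSIONS = {"htm", "html", "txt"}


def sniff_type(data: bytes) -> str:
    """Classify content by its first bytes rather than by its name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    head = data[:256].lower()
    if b"<html" in head or b"<!doctype" in head:
        return "html"
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def content_mismatch(filename: str, data: bytes) -> bool:
    """True when a text-like extension carries executable or archive content."""
    return extension_of(filename) in TEXT_EXTENSIONS and sniff_type(data) in MAGIC.values()


def from_blocked_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


@dataclass
class Download:
    src_ip: str
    host: str
    filename: str
    data: bytes


def assess(d: Download) -> list[str]:
    """Return human-readable findings for one download (empty list means clean)."""
    findings = []
    if content_mismatch(d.filename, d.data):
        findings.append(
            f"{d.filename}: extension .{extension_of(d.filename)} but content is {sniff_type(d.data)}"
        )
    if from_blocked_range(d.src_ip):
        findings.append(f"{d.src_ip}: in blocked range")
    return findings


# Constructed samples: a fake "HTM" beginning with the PE "MZ" header (as in the
# diary), a real HTML page served from the blocked /24, and a clean page.
SAMPLES = [
    Download("203.0.113.7", "us6-redhat520-com", "update.htm", b"MZ\x90\x00" + b"\x00" * 60),
    Download("81.29.241.231", "example.invalid", "page.htm", b"<html><body>hi</body></html>"),
    Download("198.51.100.9", "example.invalid", "index.html", b"<!DOCTYPE html><html></html>"),
]


def run() -> dict[str, list[str]]:
    return {d.filename: assess(d) for d in SAMPLES}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings or ["ok"])
```

The point of sniffing the first bytes is that the server controls both the filename and the Content-Type header, so neither can be trusted; the PE header cannot be dropped without the file ceasing to run. The range check uses the standard library `ipaddress` module, so the same list can be fed to a firewall or proxy deny list without re-deriving the netmask.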
Daniel

ISC Handler