RSA NetWitness Platform Blog, November 2013

A new version of RSA Security Analytics has been released
and is now available to customers.
Version 10.3 follows on the heels of the 10.2 version released earlier
this year and includes a number of significant enhancements.


The most significant change is the addition of two new modules:
the Security Analytics Archiver and the Security Analytics Event Stream
Analysis module.


The ARCHIVER provides long-term storage and indexes and
compresses log data. It is available in different sized increments based on
the amount of device data and the length of time it is retained.
The archiving storage is optimized for long-term data retention through
compression and supports forensic analysis and compliance reporting.


The EVENT STREAM ANALYSIS module processes large volumes of
disparate event data along with network packet metadata.  It brings meaning through correlation and
real-time alerting on the security and packet data flowing through your enterprise.


Additional updates to the 10.3 release include:



  • Support for SNMPv3
  • Improved performance on reporting and
  • Enhanced MS Windows collection
  • User configurable event filtering
  • New Rule Builder to enable customer defined
    correlation rules
  • …and more!


Congratulations to the product team for continuing to evolve
and improve RSA Security Analytics with a great list of updates!  For more details on this new release, see the
RSA Security Analytics Website.

We detected a new variant of malware that engages in search engine abuse to elevate search results for specific topics in popular search engines.  Here is the summary of the malware over at VirusTotal.  At the time of this writing, only 3 AV companies detect this variant, and their descriptions (specifically Zbot and Winlock) do not appear to be accurate based on how the malware behaves in our sandbox.


We are calling this "50-Troting Shell Hook" because the first download this malware performs is a DLL file from, and installs a command shell hook onto the system.


What makes this variant unique is that it is easily detected with an application rule in Security Analytics.  First, let's take a look at the pattern that we detected that prompted our investigation:



There were several beacon check-ins to the servers highlighted above.  Each one requests a file named "search" in the root directory, followed by a query string that is exactly 35 characters long and begins with "id=".


The following hosts participate in the beacon activity, and each has been added to the RSA FirstWatch feed of known C2 Domains:,,,,,,,,,,,,,,,,,,,,,,


To accurately flag this activity in your environment, you can try to implement the following app rule:


directory='/' && filename='search' && query exists && query length 35 && query begins "id="


Name the Rule "Search File Malware Beaconing" and alert it into your Soc Alerts key or Risk.Warning.


The same app rule string can also be used to run a custom query against your existing collection to see whether there has been any activity in the past.  This specific malware was first seen on October 30, so you won't need to look that far back.  But this specific search might be slow, since it ends with a "begins with" clause.  While that works fine in an app rule, you may find the search runs faster if you drop the trailing clause: && query begins "id="


Simply look for any queries that begin with the "id=" and you will know you have some hits.
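The rule above can be exercised outside of Security Analytics as well. The following Python script is an added example, not code from the original post or from RSA: it applies the same five conditions (directory, filename, query present, query length 35, query begins "id=") to a constructed list of HTTP requests and tallies hits per destination host, and it also shows the faster variant that drops the "begins" clause so you can compare what each version returns. The record layout, the hostnames, and the way directory and filename are split from the URI are assumptions made for this example.

```python
"""Added example (not from the original post): apply the post's app-rule
logic to constructed HTTP request records and count hits per host."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample requests: (source ip, destination host, request URI).
# Hostnames are placeholders; they are not the C2 domains in the FirstWatch feed.
BEACON_ID = "id=" + "0123456789abcdef" * 2          # 3 + 32 = 35 characters
SAMPLE_REQUESTS = [
    ("10.0.0.5", "c2-placeholder-a.example", "/search?" + BEACON_ID),
    ("10.0.0.5", "c2-placeholder-b.example", "/search?" + BEACON_ID),
    ("10.0.0.5", "c2-placeholder-a.example", "/search?" + BEACON_ID),
    ("10.0.0.7", "www.example.com", "/search?q=security+analytics"),   # wrong length
    ("10.0.0.7", "www.example.com", "/images/search?" + BEACON_ID),     # wrong directory
    ("10.0.0.7", "www.example.com", "/search"),                         # no query
    ("10.0.0.9", "www.example.com", "/search?" + BEACON_ID[:-1]),       # 34 characters
    ("10.0.0.9", "c2-placeholder-c.example", "/search?" + "x" * 35),    # 35 chars, no id=
]


def extract_meta(uri):
    """Split a request URI into the directory/filename/query values the rule
    keys on.  Assumption: directory keeps its trailing slash ('/' for the
    root) and query is the raw text after '?', or None when there is none."""
    parts = urlsplit(uri)
    path = parts.path or "/"
    slash = path.rfind("/")
    return {
        "directory": path[: slash + 1],
        "filename": path[slash + 1:],
        "query": parts.query if "?" in uri else None,
    }


def matches_beacon_rule(meta, require_prefix=True):
    """directory='/' && filename='search' && query exists && query length 35
    [&& query begins "id="].  require_prefix=False is the faster variant the
    post suggests for searching historical collections."""
    query = meta["query"]
    if meta["directory"] != "/" or meta["filename"] != "search" or query is None:
        return False
    if len(query) != 35:
        return False
    return query.startswith("id=") if require_prefix else True


def find_beacon_hits(requests, require_prefix=True):
    """Return a Counter of destination hosts whose requests match the rule;
    repeated hits against the same host are the check-ins to look for."""
    hits = Counter()
    for _src, host, uri in requests:
        if matches_beacon_rule(extract_meta(uri), require_prefix):
            hits[host] += 1
    return hits


if __name__ == "__main__":
    strict = find_beacon_hits(SAMPLE_REQUESTS)
    relaxed = find_beacon_hits(SAMPLE_REQUESTS, require_prefix=False)
    print("full rule hits:", dict(strict))
    print("without the 'begins id=' clause:", dict(relaxed))
    # Hosts that only appear in the relaxed set need a manual look at the query.
    for host in relaxed:
        if host not in strict:
            print("review manually (35-char query without id= prefix):", host)
```

Running the script shows three hits for the full rule (two against one placeholder host, one against another) and a fourth hit for the relaxed rule, which is exactly the extra record you would then screen by eye for the "id=" prefix, as the post describes.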


For those interested, I've included the PCAP of this specific malware run.  You can use it to test your rules.  The large size is due to the fact that this malware automatically streams several videos from video providers over port 1935, as it also engages in video ranking abuse.


Happy Hunting!
