Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2013 > December

Over the past 90 days the RSA FirstWatch team has seen over 140 Dynamically Generated Algorithmic (DGA) Domains associated with a CryptoLocker variant that has been sinkholed, preventing the ransomware from locking up victim computers.  In this case, all of the domains are in the "" Top Level Domain.




Rather than providing a list of each of these domains, it is actually quite easier to detect these connection attempts to these hosts, and all of the others yet to appear, by looking for the unique server banner hosted at the Sinkhole Site.  Here is what a session of this traffic looks like:



See the highlighted "You got served!" server banner?  Each of the 140 plus DGA connections each had this unique server banner.  This would make for a very easy rule to detect beaconing to this particular family of CryptoLocker.


You can add this to another Security Analytics capture detection capability to detect the keyword "sinkhole" in a DNS name, which is effective at detecting other sinkholed malicious sites.  The combination rule would be: contains 'sinkhole' || server='You got served!'


Simply call the rule "Sinkholed Domains Warning Banners" and alert to your alerts field or SOC Alerts field, or perhaps risk.warning.


In addition, the same capture rule can be used as a custom query to search in the past for these specific meta elements, so you might be able to identify past sinkholed connection attempts.


Hope it works for you, and Happy Hunting!


Jan-31-2014 UPDATE!!


As a followup, we have identified several domains for this CryptoLocker variant that is not sinkholed.  Those domains are:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


It would be easier to blacklist the following IP addresses since there may be many more DGA domains that we haven't seen.  Those IPs are:,,,,,,,,,,,,,


The best rule to detect this CryptoLocker Variant would be:


action=put && filename='<none>' && directory='/home/' &&'http post missing content-type'

RSAFirstWatch has been tracking a new variant of CryptoLocker, a malware family that will lock a local system until a ransom is paid to the malware author.  This variant has a very specific beaconing pattern, and the detection rule for it is included below.


Once infected, a local system will display the following on the screen:



The local system calls a specific HTML or PHP page at a command and control server, which returns a binary encoded string.  A session capture is below.




We have been tracking this malware for a while, and most of the hostnames this malware communicates with have already been added to the FirstWatch C2 Domains feed.  There are some new domains that will be added to this feed today as well.  The new domains are:,,,


For those that do not subscribe to the FirstWatch feeds, you may be able to create a local feed to detect the following domains:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


To detect the beaconing pattern, create a new rule on your decoders.  Alert it to your alert field.

Call the rule CryptoLocker Beaconing.  The rule content is:

service=80 && extension=html,php && attachment exists && filename length 40-u

Attached is a PCAP you can use to test your rule.


Good luck and Happy Hunting!

Filter Blog

By date: By tag: