All Places > Products > RSA NetWitness Platform > Blog > 2014 > February

Since the beginning of February 2014, FirstWatch has seen a surge of Zusy malware in our database.  Fortunately, this botnet is simple to detect.  Here is what we've been seeing, starting with a session.  You can see below that there is a post of a long hex string directly to an IP address instead of a hostname, using Firefox 25.  You can also see some encoded traffic within the put strings, as well as encoded responses from the server.

 


This specific malware is identified at VirusTotal here as Zusy.

 

This specific botnet uses the same posted filename over and over for each of its c2 hosts.  Drilling into the filename in our database reveals the following meta, showing that we have seen this filename 35,000 times since Feb 4.  You can also see that each put command uses the url-encoding content type.

 


You will also note that this traffic is destined to the proxy port 8080 and the SSL port 443; however, the traffic is not encrypted.

 

By creating a simple rule of:

filename=5e1d22ded7346cca22681d1e1dca1146ee099a3faf

 

you can detect the many variants of Zusy since each seems to reuse this beaconing technique.

 

The destination IP addresses above that were seen to host the Command and Control services for this botnet have been added to the FirstWatch C2 feeds.

 

Good luck and happy hunting!

 

UPDATE!!

As it turns out, the filename shown above is unique to our environment.  It appears to be a hash of some sort, and we are investigating further to determine what that hash is based upon.  ThreatGrid is currently seeing the same activity, but from their sandbox, all beacon filenames are different. Theirs is '46BC3A3BE440F54B18E7171E0C62710CCC46D034B9', and it never changes across the multiple variants of this malware they have captured.

 

So while the above rule would work great for us, it won't work for you.  A better rule for now would be to search for the unique User-Agent string, which shows a Jan 1 2010 version of Firefox 25.  Your rule would be:

client='mozilla/5.0 (windows nt 6.1; wow64; rv:25.0) gecko/20100101 firefox/25.0'

 

There is more to this malware, and we will be updating the community soon with a follow-on story.  Stay tuned!

Lately, RSA FirstWatch has seen an increase in malware samples that engage in webflood DDoS attacks. A DDoS attack against a webserver is easy to see but hard to detect. That is, its network behavior is usually not distinctive enough to let you filter it out later so that you can concentrate on new and unknown intelligence. That is not always the case, however: malware authors sometimes introduce indicators that make your task as an investigator easier, as this post explains.

 

One of our Security Analytics reports looks for hostnames that are involved in web traffic in our sandbox environment. That report is tuned to filter out ad servers and exe downloaders in order to focus on identifying new patterns. Investigating the top result of today’s report showed us a large number of HTTP sessions between the same source IP address and the same destination hostname. That could be a sign of a webflood DDoS attack, but can we confirm it? And more importantly, can we spot a pattern?

 


 

In RSA Security Analytics, you can refocus your investigation on a certain meta value to find out all the network traffic associated with that value of interest.





In the screenshot below, you can see that the source IP address was involved in malicious and suspicious network behavior. You can also see a large number of HTTP sessions.




Looking only at those HTTP sessions, we recognized a pattern that can help identify this kind of webflood DDoS attack in the future. The malware author decided to use very long, dynamically generated user names in the HTTP requests.




You could create a rule and call it, for example, DDoS Username Length Flood. Alert it to your Alerts field or to Risk.Suspicious. The contents would be:

username length 40-u


VirusTotal has a very poor detection rate for the sample examined in this post.








As a follow-up to this previous post about detecting Distributed Denial of Service malware, FirstWatch wanted to share a way to reliably detect a Kazy variant that engages in DDoS attacks against webservers.

 

Malware that uses an internal host to launch Denial of Service attacks outbound could have a big impact on an Enterprise.  First, it floods the Enterprise’s own infrastructure with connection attempts, and while an infected host is DDoSing an internet site, it is also degrading the Enterprise’s network performance.  Secondly, if the attack is successful at getting outbound past the Enterprise firewalls, proxies, and other control systems, such an attack could expose an Enterprise to legal liabilities, and public relations problems. There are many network monitoring services that would alert to such an infection, but this is how it looks in Security Analytics and how to detect it.

 

This first screenshot shows that we have an alert rule to detect this specific web flooding attack. Note that there are several internal infected IP addresses that have engaged in this behavior.  Most of these hosts have been infected with different variants of malware, but the outbound webfloods follow a specific pattern.



The pattern is easier to spot by looking at the filenames.  Each filename lacks an extension and is dynamically generated by the malware. Each attack also targets the root directory of the victim webservers.  Additionally, the malware uses forged User-Agent strings; however, each user-agent string makes the request appear to originate from a Firefox 3 browser. Finally, the malware targets the destination IP address directly, choosing not to use its DNS or Alias.Host name.



Given these specific characteristics, a good rule to detect these outbound webfloods would be:

 

risk.suspicious='direct to ip http request' && directory='/' && filename length 6 && filename !='<none>'

 

You could also modify this rule to be Firefox 3-specific, but should the malware adopt a new UA-string generator, the rule wouldn’t fire.
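As an added example, not code from these posts, the following Python script evaluates the two detection rules described here and in the previous post (the `username length 40-u` rule and the direct-to-IP, root-directory, six-character-filename rule) over constructed HTTP session records, and counts hits per source so the flood itself is visible. The meta field names on the record, the sample addresses and the Firefox 3 style User-Agent string are assumptions made for the sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed session records (not data from the posts). Field names follow
# the Security Analytics meta keys the two rules use: ip.src, alias.host,
# directory, filename, username and client (the User-Agent string).
@dataclass(frozen=True)
class Session:
    ip_src: str
    host: str          # alias.host: value of the HTTP Host header
    path: str          # request URI, split into directory/filename below
    username: str = ""
    client: str = ""   # User-Agent string

_IPV4 = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")

def split_uri(path: str) -> Tuple[str, str]:
    """Derive directory and filename from the request URI the way the rules
    use them: directory is everything through the last '/', filename the rest."""
    path = path.split("?", 1)[0]
    cut = path.rfind("/") + 1
    return path[:cut], path[cut:]

def direct_to_ip(s: Session) -> bool:
    """risk.suspicious='direct to ip http request': Host header is a bare IPv4."""
    return bool(_IPV4.match(s.host))

def username_length_flood(s: Session, min_len: int = 40) -> bool:
    """'username length 40-u': a user name of 40 or more characters."""
    return len(s.username) >= min_len

def outbound_webflood(s: Session) -> bool:
    """risk.suspicious='direct to ip http request' && directory='/'
    && filename length 6 && filename !='<none>'"""
    directory, filename = split_uri(s.path)
    return direct_to_ip(s) and directory == "/" and len(filename) == 6

RULES = {
    "DDoS Username Length Flood": username_length_flood,
    "Outbound Webflood": outbound_webflood,
}

def evaluate(sessions: Iterable[Session], flood_threshold: int = 20):
    """Apply every rule to every session and count hits per (rule, ip.src).
    A source whose count for any rule reaches flood_threshold is reported as
    flooding: the 'large number of HTTP sessions from one host' symptom both
    posts start from."""
    hits: Counter = Counter()
    for s in sessions:
        for name, rule in RULES.items():
            if rule(s):
                hits[(name, s.ip_src)] += 1
    flooding = sorted({src for (_, src), n in hits.items() if n >= flood_threshold})
    return hits, flooding

# Constructed Firefox 3 style User-Agent standing in for the forged strings.
FF3_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"

def sample_sessions() -> List[Session]:
    # 25 requests from one infected host straight to an IP, root directory,
    # six-character extension-less filenames: the webflood pattern.
    flood = [Session("10.0.0.5", "198.51.100.7", f"/x{i:05d}", client=FF3_UA) for i in range(25)]
    # A few requests carrying 48-character generated user names.
    long_user = [Session("10.0.0.9", "www.example.com", "/", username="u" * 48) for _ in range(3)]
    # Benign traffic: a normal page, and a direct-to-IP request that is not to '/'.
    benign = [Session("10.0.0.2", "www.example.com", "/index.html"),
              Session("10.0.0.2", "198.51.100.7", "/api/status")]
    return flood + long_user + benign

if __name__ == "__main__":
    counts, flooding = evaluate(sample_sessions())
    for (rule, src), n in sorted(counts.items()):
        print(f"{rule}: {src} hit {n} times")
    print("flooding sources:", flooding)
```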


One variant of an infector piece of malware is located here at VirusTotal.  It is four months old and is largely identified as Kazy. The infected host in our sandbox also engaged in a Penny Stock Spam campaign.  The HTTP connections are all WebFlood DDoS, but the outbound Spam sessions outnumbered the WebFlood.  See the screenshot below.

 


A sample spam email is shown below:

 


 

The FirstWatch Malicious UA Strings feed was updated with the top UA strings that engaged in this attack.  That feed is available here, and will soon be available via Live Subscription.

 

Good luck in hunting for DDoS malware.  As always, feedback is appreciated!

Overview

 

This blog post is focused on triaging malicious Microsoft Office documents. Specifically, we are analyzing an older but extremely efficient Rich Text Format (RTF) exploit that masquerades as a Microsoft Word Document. 

 

The exploit in question targets Microsoft’s Security Bulletin MS12-027 (http://technet.microsoft.com/en-us/security/bulletin/ms12-027) and is based on CVE-2012-0158 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158). Vulnerable versions of Microsoft Office include Office 2003, 2007 and 2010.

 

During a recent engagement, RSA’s Incident Response Team gathered malware samples that exploited this vulnerability.  In order to share our analysis techniques while protecting the client’s anonymity, we’ll be analyzing a sample from VirusTotal that shares very similar code to the samples found in the client environment.  The details about this sample, “msf.doc”, can be found in figure 1.


Sample detail:

File Name:  msf.doc

File Size:  10296 bytes

MD5:        41a38ec709daf66b7b5e133991120268

SHA1:       70d494c3826b907a485bd70e70b93b25dc4e37e8

File Type:  RTF

MIME Type:  text/rtf

Warning:    Unspecified RTF encoding. Will assume Latin.


VirusTotal detail:



Figure 1: VirusTotal submission detail of our sample


Viewing this file in a hex editor (010 Editor Version 3.2.2 was used during this analysis) confirms the sample is indeed an RTF file.  Since Microsoft operating systems look at file extensions to associate file types to an application, Microsoft Word was the default program associated with this file type. When we originally encountered the similar sample during Incident Response activities, the attacker targeted vulnerable versions of Microsoft Office, which happened to exist on phished client systems.



Figure 2: RTF header confirmation in a hex editor


Now that we have confirmed that we are dealing with a potentially malicious RTF file, we can utilize Frank Boldewin’s OfficeMalScanner (http://www.reconstructer.org/main.html) suite of tools, which includes multiple tools that assist in analyzing malicious Microsoft Office documents.  We are going to use “RTFScan”, “OfficeMalScanner” and “MalHost-Setup”.  RTFScan scans RTF files for shellcode and dumps OLE objects and other file containers it discovers for subsequent analysis.  OfficeMalScanner has similar functionality to RTFScan, but analyzes Microsoft Office files including Word (doc), Excel (xls) and PowerPoint (ppt). MalHost-Setup stands up shellcode and is extremely useful during triage of potentially malicious Microsoft Office documents when shellcode exists.  It should be noted that the carving and reconstruction this tool does could also be performed manually with the hex editor of your liking.



Figure 3: The OfficeMalScanner suite of tools is available at: http://reconstructor.org/main.html


RTFScan and Locating Embedded Files

 

RTFScan has several switches that can be leveraged during analysis; we utilized the “scan” and “debug” switches. The scan switch looks for shellcode and embedded files, while the debug switch attempts to disassemble shellcode if it’s discovered. The syntax (RTFScan.exe OLE_DOCUMENT__msf__1.bin scan debug) can be seen in the first red box in figure 4.



Figure 4: RTFScan in action


The second red box in figure 4 shows that RTFScan discovered and dumped an embedded OLE (Object Linking and Embedding) document inside the RTF.  OLE documents provide a mechanism for Microsoft Office documents to store compound documents from multiple sources allowing Microsoft Office applications (e.g. PowerPoint, Excel, Word) to access this data. Microsoft has a detailed explanation of OLE technology at: http://support.microsoft.com/kb/86008


OfficeMalScanner

 

After utilizing RTFScan to successfully carve “OLE_DOCUMENT__msf__1.bin” from “msf.doc”, OfficeMalScanner needs to be run against the OLE document. Figures 5 and 6 show output from this action. The complete list of OfficeMalScanner’s arguments can be viewed from the usage statement, but for this analysis we are going to focus on the info, scan, brute and debug switches.

  • Info attempts to dump OLE structures and locate VB macro code
  • Scan looks for shellcode and obfuscated/encrypted executables
  • Brute tries several single-byte encryption keys



Figure 5: OfficeMalScanner info switch against the OLE document carved with RTFScan

  • Debug attempts to disassemble shellcode if it’s discovered.



Figure 6: OfficeMalScanner scan/brute/debug switches in use against the same OLE document


OfficeMalScanner did not see anything malicious in the OLE object, but in order to confirm this, we manually inspected the file as well. The docx format uses the PK (zip) format to store data and shared resources (more on OLE can be found here: http://msdn.microsoft.com/en-us/library/dd942557.aspx).  The embedded file located by RTFScan was in docx format, so it can be extracted with any of several tools.  We used 7-Zip to expand the compound OLE object by right-clicking on “OLE_DOCUMENT__msf__1.bin” and extracting it to a folder, as seen in figure 7:



Figure 7:  Extraction of the OLE document in question


Figure 8 outlines the three files from the OLE archive, “[3]ObjInfo”, “[3]OCXNAME” and “Contents”. 

 

File Name:  [3]ObjInfo

File Size:  6 bytes

MD5:        71d6cd4431020c2e44bcf554808ec0da

SHA1:       713afe26462ca0d620a6f12b3d0393d0ef8a137b

 

File Name:  [3]OCXNAME

File Size:  22 bytes

MD5:        ed5954ebe6347144c0d2329658a654ac

SHA1:       92a2db1a9e29b22d6ded4a8b6bc0a8d2b49408b0

 

 

File Name:  Contents

File Size:  1406 bytes

MD5:        5053ca420f0c04744a0e9f152fe9ad55

SHA1:       7fa27324b43afd0e2072886f5eefcc76c48af092



Figure 8: Extracted OLE Objects


Further analysis of the file “[3]OCXNAME” reveals the existence of the string “ListViewA”, which refers back to CVE-2012-0158 (detailed documentation can be found at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158). The CVE details describe the “ListView” ActiveX controls found in “MSCOMCTL.OCX” as being vulnerable to arbitrary code execution via a crafted RTF file.



Figure 9: ListViewA string found in “[3]OCXNAME”


By analyzing the “Contents” file, it is not readily apparent that it is malicious, but at offset 0x009A we see eight 0x90 bytes in succession. This is a NOP slide (a run of no-operation instructions), a technique used by malware authors as a broad landing spot that carries program execution into the instructions that follow. RSA IR has frequently observed this technique used in conjunction with shellcode execution in the wild.



Figure 10: no-op instruction found in the “Contents” file


After the series of no-op instructions, 599 bytes of shellcode are found at offsets 0x00A2 through 0x02F8.



Figure 11: Hex view of the file “Contents”


Additionally, we can confirm the OfficeMalScanner shellcode findings in the “Contents” file by reviewing the original malicious RTF file “msf.doc” in a hex editor.  We can confirm that the same shellcode is found in “msf.doc” starting at location 0x133C, however it needs to be converted from ASCII to Hexadecimal before analysis.  There are several ways to do the ASCII to Hexadecimal conversion, so choose whichever tool or method you are most familiar with. Figure 12 shows the ASCII representation on the right, and Hexadecimal on the left.  Referring back to figure 11 above, we can see that the Hexadecimal values there match up with the ASCII representations in figure 12.



Figure 12: Shellcode as seen in the “MSF.doc” file


Next, the shellcode needs to be extracted for further analysis. To do this in 010 Editor, select and highlight the shellcode between offsets 0x00A2 and 0x02F8 as seen in figure 13 and select “Edit” → “Copy As” → “Copy as Hex Text”.  This stores the hex values of the shellcode on the clipboard. Next, open a new hex document by selecting “File” → “New” → “New Hex File”.  Browse to the newly created tab and select “Edit” → “Paste From” → “Paste From Hex Text”.  Now save the shellcode as a file by selecting “File” → “Save As” → “shellcode.sc”.  I saved mine in the OfficeMalScanner directory for convenience, as we will be using the MalHost-Setup command line tool next for analysis.



Figure 13: Saving the shellcode from the file “Contents”


Now that we have our shellcode successfully saved to shellcode.sc, there are several approaches that can be taken for analysis.  The first option is static analysis through disassembly, which can be done in a disassembler such as IDA Pro.  This is the most difficult method, as the analyst must have a firm understanding of shellcode, assembly and de-obfuscating techniques as this shellcode utilizes a considerable amount of obfuscation to deter analysis.



Figure 14: shellcode.sc loaded as a binary file in IDA Pro


The other method for static analysis, demonstrated below, is to create a working executable with MalHost-Setup. This creates a wrapper around the shellcode allowing it to be executed or debugged. At this point you’ll want to be running in a safe test environment, as we are going to be executing live malware. If you’re in a virtualized environment, this is a good time to take a snapshot so you can easily repeat testing as needed.  My environment has a webserver listening on ports 80 and 443; I also create a netcat listener on the fly for any other port the malware attempts to use. Finally, I have a DNS listener that responds to any DNS request.

 

Next, we want to turn our shellcode into an executable file that can be run and observed. To do this, navigate to your command shell and run the following from your OfficeMalScanner directory:

 

Syntax: MalHost-Setup.exe shellcode.sc sc.exe 0x00


This creates the executable file “sc.exe” from our shellcode (shellcode.sc) using the code starting at offset 0x00, which is the starting location of the shellcode in the file. Now that we have our shellcode packaged up as an executable, we can execute and debug the binary without depending on a vulnerable version of Microsoft Office or analyzing the shellcode statically.  The goal here is to triage the malicious document rapidly and answer questions about its core functionality.

 

In figure 15 below we see the successful execution of our shellcode, “sc.exe”.



Figure 15: sc.exe executing at a command shell


The network activity seen in figure 16 is the key functionality of the shellcode, as it does nothing else.  Our shellcode attempts a TCP handshake with the IP “192.168.218.129”, a private (RFC 1918) IP address.



Figure 16: Successful Shellcode execution yields the following TCP handshake


Detection

 

Yara signatures are an extremely useful means to detect malicious code that is embedded in office documents.   Below is a fairly basic Yara rule written by RSA to detect shellcode in RTF documents.  Our rule has two strings that it searches for, “rtfmagic” and “scregex” which exist in the strings section of our rule.

 

The first string, “rtfmagic”, looks for the five hex bytes “{7B 5C 72 74 66}”, which represent “{\rtf” in ASCII.  This is one of the common headers that RTF documents use. There are several variations of the RTF header, but almost all contain at least these five characters.

 

The second string, “scregex”, is written in the form of a regular expression (REGEX). First our REGEX looks for the two characters “90” (bytes 39 30), which is how the hex value 90, a NOP instruction, appears in the RTF’s hex text.   We expect to find multiple instances of these in a row, which represent a NOP sled in a malicious Word or RTF document.  Our test file “msf.doc” contains 8 NOP instructions.  The second part of the REGEX, “{2,20}”, matches at least 2 but no more than 20 consecutive instances of the bytes “39 30”.

 

Finally, the condition for our rule to trigger is finding the bytes “7B 5C 72 74 66” (represented as “rtfmagic”) at byte 0 of the document, the very beginning of the file.  This confirms that we are working with an RTF file. If this is met, the REGEX in the string “scregex” must also be found. If both exist, then our Yara signature flags the file, as we saw in the ECAT screenshot in figure 16 above.

 

rule RTF_Shellcode
{
    meta:
        author = "RSA-IR – Jared Greenhill"
        date = "01/21/13"
        description = "identifies RTF's with potential shellcode"
        filetype = "RTF"

    strings:
        $rtfmagic = { 7B 5C 72 74 66 }          // "{\rtf"
        // NOP bytes as they appear in RTF hex text: "90" is bytes 39 30;
        // match 2 to 20 consecutive pairs. A character class ([39 30]) would
        // instead match any run of the characters '3', '9', ' ' or '0'.
        $scregex = /(90){2,20}/

    condition:
        ($rtfmagic at 0) and $scregex
}

We used RSA’s ECAT to aid in Yara scanning, as Yara scanning is native to the tool.  Figure 17 below outlines the successful detection of shellcode in “msf.doc” through our rule “RTF_Shellcode”.



Figure 17: Successful Yara hit on “msf.exe” in ECAT


Conclusion

This document provides an example for analysts to understand how to triage malicious Microsoft Office documents. The sample we used in this blog was most likely a test document or a proof of concept for CVE-2012-0158, which demonstrates how 599 bytes of malicious shellcode turn an unassuming RTF file into a weapon. Additionally, it provides analysts a use case for testing and understanding readily available, free tools to triage malicious Microsoft Office documents.

RSA FirstWatch has reviewed the Kaspersky Careto research paper located at SecureList here.  We have gathered the listed indicators of compromise and have searched our own internal databases to validate the threats and to determine if there is anything more we can add to the research.  We have been unable to corroborate these IOCs as being involved with any current malware.  However, this APT threat dates back several years, and our own internal data does not.

 

We wanted to include these IOCs in our threat feeds.  We have two new threat feeds that will house Indicators of Compromise that are publicized by third party research organizations.  One feed will be dedicated to Hostnames and the second, dedicated to known malicious IP addresses.  This feed will be available via the Live Subscription.

These feeds will appear in Live as:

nwrsa_third_party_ioc_domain
nwrsa_third_party_ioc_ip

 

As time goes on and other organizations make IOCs public, we will update this feed with those meta elements.

 

FirstWatch wanted to take a moment to instruct organizations how to scrape indicators of compromise from other intelligence sources to create feeds for internal use.  Many organizations subscribe to private whitepapers that are not for public consumption, such as ISACs, Government organizations and specialized sectors.

 

Using the above Careto research paper as an example, we were able to create two simple CSV files, which are attached to this post.  Using this as an example feed, organizations can append their own IOC research from other published indicators.

 

In addition to the hostnames and IP addresses, other indicators showed that there were really two types of web files requested for the Command and Control.  Those two filenames, since they fit a pattern, would be good for creating a simple rule, which is below.

 

Rule Name:  Possible Careto IOC

Syntax:  directory='/cgi-bin/' && filename=commcgi.cgi,index.cgi

Set to:  Alert Key

 

In our FirstWatch labs there is some rate of false positives, specifically for index.cgi.  But should the attackers change their infrastructure while keeping their methods of attack, this rule should be adequate for detection.

 

However, if this is coupled to a threat source rule that would combine an IP or Hostname match with the rule above, it should be a strong indication of a compromise.  Use a second rule as follows:

 

Rule Name:  Positive Careto IOC Match

Syntax:  alert='possible careto ioc' && threat.source='Third Party Publicized IOCs'

Set to:  Alert Key (or risk.warning, etc)

 

See our previous posts on using the SA Live Feed Manager to deploy this CSV file as a feed.  In the case of the IP address feed, set the feed to IP based feed, index column 1, and map column 2, 3 and 4 to feed.name, feed.category and feed.description.

 

For the Hostname feed, set the feed to non-IP, index column 1 and set the meta callback to alias.host.  Then map column 2, 3 and 4 to feed.name, feed.category and feed.description.
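As an added example (not the attached CSV files and not RSA code), this Python script scrapes IP addresses and hostnames from a constructed report excerpt, refangs `[.]` notation, drops malformed and RFC 1918 addresses and the file names that look like hostnames, and writes the two feeds in the column layout just described: the indexed indicator in column 1, then feed.name, feed.category and feed.description. The output file names, the category text and the sample indicators are assumptions.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt standing in for a third-party report. These are not
# Careto indicators: the hostnames use reserved example domains and the
# addresses come from the documentation ranges.
REPORT_TEXT = """
The operators staged payloads on cdn-update[.]example[.]net and
files.example.org (203.0.113.17, 198.51.100.5). Callbacks went to
203.0.113.17/cgi-bin/commcgi.cgi over HTTP. An internal test box 192.168.1.20
and the malformed value 999.10.10.10 appear in the logs; see report.pdf.
"""

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Hostname-shaped strings that are really file names in reports.
_FILE_EXT = {"cgi", "exe", "dll", "doc", "docx", "pdf", "php", "html", "htm", "txt", "js", "asp", "aspx"}
# Only RFC 1918 and loopback space is dropped, so the documentation-range
# addresses in the sample survive.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def refang(text: str) -> str:
    """Undo the defanging reports use so indicators match as written."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_iocs(text: str) -> Tuple[List[str], List[str]]:
    """Return (ips, hostnames) in order of first appearance, deduplicated,
    with malformed octets, internal addresses and file names filtered out."""
    text = refang(text)
    ips: List[str] = []
    for cand in _IPV4.findall(text):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:
            continue                       # e.g. 999.10.10.10
        if any(ip in net for net in _INTERNAL) or str(ip) in ips:
            continue
        ips.append(str(ip))
    hosts: List[str] = []
    for cand in _HOST.findall(text):
        name = cand.lower()
        if name.rsplit(".", 1)[-1] in _FILE_EXT or name in hosts:
            continue
        hosts.append(name)
    return ips, hosts

def feed_rows(indicators: List[str], feed_name: str, category: str, description: str) -> List[List[str]]:
    """Column 1 is the indexed indicator; columns 2, 3 and 4 map to feed.name,
    feed.category and feed.description, the layout the post describes."""
    return [[i, feed_name, category, description] for i in indicators]

def to_csv(rows: List[List[str]]) -> str:
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

def build_feeds(text: str, feed_name: str = "Third Party Publicized IOCs") -> Dict[str, str]:
    """Produce the two CSV bodies: an IP-based feed (index column 1) and a
    hostname feed (index column 1, meta callback alias.host when deployed)."""
    ips, hosts = extract_iocs(text)
    return {
        "third_party_ioc_ip.csv": to_csv(feed_rows(ips, feed_name, "constructed", "example report")),
        "third_party_ioc_domain.csv": to_csv(feed_rows(hosts, feed_name, "constructed", "example report")),
    }

if __name__ == "__main__":
    for name, body in build_feeds(REPORT_TEXT).items():
        print(f"--- {name} ---\n{body}")
```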

 

We will be adding the attached CSV files as Live feeds soon.  Look for official notifications and be sure to subscribe to the feed for automatic updates.  As new emergent threats are published by third party research organizations, we will update this feed, along with links to those research documents.

 

Good Luck and Happy Hunting!

RSA FirstWatch’s primary mission is to find new intelligence about threats and malware and publish those indicators of compromise into our FirstWatch feeds.  We don’t often look at old intelligence.  Once we know about something, we automate the tracking and detection of that known threat so we can concentrate on looking for new intelligence.  But one known botnet published a list of new Dynamically Generated Domain names today, and it caught our attention.  As we investigated, we were surprised to learn that one malware family associated with Cutwail malware was launching a Denial of Service attack against the infrastructure of a botnet associated with Zbot, Zeus and Blackhole.

 

Our investigation started by reviewing our automated report that looks for DNS names that do not resolve. It is a strong indicator of DGA names, or of hard-coded malware that is waiting for its command and control server to come online.  By clicking on the hyperlink in the report, we could see the source IP addresses attempting to communicate with this known Zbot/Zeus.  Each of these new DGA domains has been added to the FirstWatch feed.


 

When we looked at the infector malware that generated this traffic, we found an IP address in the VirusTotal report that is a popular botnet command and control server.  That IP is 195.22.26.231.  A Google search of the IP shows that it has been detected participating in Zeus, and that it has been hosting dynamically generated algorithmic domains.  The MalwareMustDie blog delves into an earlier variant of this malware.

 

Here is what our malware database shows when we do a focused drill on this as a destination IP address.  It has a long history of malicious activity.  We have been tracking this IP address since mid August, and it is associated with known Zbot, kryptik, bitcoin mining, and several additional variants of Zeus.  Highlighted in the first figure are hundreds of thousands of connections of zero payload, but we will discuss this further in a moment.




In the next screenshot you will see that several threat sources besides FirstWatch recognize that this host is malicious.  Comments in the threat descriptions track the varying malware campaigns this host has been involved with, including the Blackhole exploit kit.  Additionally, you can see from the detected service types that this host has also engaged in spam campaigns and even delivers malware via IRC and BitTorrent.

 


 

The one obvious standout in the above screencaps was the amount of “zero payload” sessions detected. I drilled into that alert and was surprised to find just a single IP address responsible for the traffic.  You will see our destination IP of interest, 195.22.26.231 listed second in the figure below.  You will also see that there are other IP addresses within that same netblock as well as others, each receiving over 8000 connections on TCP port 443. This malware is obviously engaged in Denial of Service attacks, blasting these IPs with over 300,000 connections in less than a minute.

 


 

We researched the other destination IP addresses under attack, and each one has been previously listed by FirstWatch as having been related to Zeus and Zbot command and control hosts.

 

The infector malware that launched the attack can be seen here at VirusTotal.  Most AV vendors agree that this is a sample of the Cutwail bot. Like most botnets, the malware can participate in DDoS attacks.

 

In summary, malware authors using the Cutwail framework are actively engaging in attacks against Zbot and Zeus command and control infrastructure.  This suggests fierce competition within the criminal underground.

 

RSA customers subscribing to the FirstWatch Live feeds have detection for each of the indicators of compromise listed above.

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. This is a large update and our format has changed a bit, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

 

The categories of new and updated content are as follows:

Event Stream Analysis Rules

Log Collector

Log Parsers

LUA Parsers

Yara Rules

Flex Parsers

Reports

Report Engine Rules

 

Seeking Customer Developed Parsers, Rules and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We would like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

1) Have you created a parser, rule, or report that would be helpful to the broader RSA User Community? If so, let us know about it!  Reach out to us via email at:

 

ASOC.Content@rsa.com

 

Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.

 

2) Do you want to request support for a new log source or protocol?


For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

3) The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

https://developer-content.emc.com/login/register.asp

 

The Latest Threat Research From RSA

 

- Our RSA Incident Response Team’s research dissecting Shell Crew and their malicious tactics, techniques, and procedures was recently released. As a supplement to this report we have released a digital appendix of content that can be utilized in Security Analytics as well as RSA ECAT to help identify instances of Shell Crew.  RSA Security Analytics customers can subscribe to this content via RSA Live.  The full report can be found here:

 

http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf

 

- RSA FirstWatch Intelligence Team published a well-received article about the Chewbacca Trojan and its role in stealing payment card data here:

 

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/30/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information

 

- Also, below are FirstWatch Intelligence Team’s recent Feeds:

 

Malicious Filename Feed

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/31/deprecated-feeds-and-the-new-malicious-filename-feed

 

Malicious UA Feed

https://community.emc.com/thread/187497

 

Zbot Detection Feed:

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/22/you-can-install-the-firstwatch-zbot-feed

 

How To Receive Notifications And Announcements

One final thought, if you haven’t already registered to RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.

 

We look forward to forging a stronger relationship with you in 2014 as we move to evolve our content and improve your total content experience.

 

If you have suggestions about how you would like to see this type of messaging formatted in the future, let us know about it. Please keep in mind that this is an unusually large update and future notifications will be much smaller.

 

 

 

Content Updates

 

New Event Stream Analysis Rules for Correlation and Complex Event Processing

 

 

Title: Multiple login failures from same source for username that does not exist

Desc: Alert when log events contain multiple login failures from the same source in 180 seconds for a username that does not exist. This differs from the case of an existing user who fails to log on because of a bad password: here the user does not exist at all and is attempting to log on repeatedly from the same machine. Both the time window and the number of failed logins are configurable.

 

Title: Multiple failed logins from a single user from multiple different sources to same destination in X seconds

Desc: Alert when log events contain multiple failed logins from a single user from multiple different sources to the same destination in 3600 seconds. Both the time window and the number of failed logins are configurable.

Filename: esa000039.esaa

 

Title: Multiple successful logins from a single user from multiple different sources to the same destination

Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to the same destination in 3600 seconds. Both the time window and the number of successful logins are configurable.

 

Title: User added to admin group then syslog is disabled

Desc: A user was added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization tags for group modification. A Linux machine does not generate an event for stopping the syslog service, but an event is triggered for stopping kernel logging; that event is used to fire the rule.

 

Title: Single source, Same IDS / IPS message type, different destination IP

Desc: Detects similar IDS/IPS events from the same source to multiple destination IPs. The count of unique destinations and the time window are configurable.

 

Title: Privilege Escalation Detected for Unix devices

Desc: Detects two kinds of events: a user escalates privileges using su, or an administrator adds a user to a user-defined list of groups.

 

Title: SSH traffic detected from a single source to different destinations

Desc: Detects SSH traffic (service=22) from a single source to multiple destinations within a given time. The number of destinations, the service and the time window are configurable.

 

Title: Multiple failed logins from multiple different users from same source to same destination

Desc: Alert when log events contain multiple failed logins from multiple different users from the same source to the same destination in 180 seconds. Both the time window and the number of failed logins are configurable.

 

Title: Multiple successful logins from a single user from multiple different sources to multiple destinations

Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations in 180 seconds. Both the time window and the number of successful logins are configurable.

 

Title: DNS Lookups From the Same Host

Desc: Detects 50 DNS lookups in 60 seconds from the same source IP. Both the time window and the number of lookups are configurable.

 

Title: File Transfer Using Non Standard Port

Desc: A file was transferred using a non-standard TCP destination port. Both the list of file extensions and the list of standard TCP ports are configurable. The rule fires when the TCP destination port is not one of the configured standard ports.

 

Title: User added to admin group then ssh is enabled

Desc: A user was added to one of the configured groups and the same user then starts the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization Tags (ECT) for group modification. For this rule to work, infobloxnios should be disabled. The time window, the service name and the list of administrator groups are configurable. This rule uses the non-standard meta key client, so that key must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.

 

Title: Non SMTP Traffic on TCP Port 25 Containing Executable

Desc: Monitors for non-SMTP traffic on TCP destination port 25 containing an executable. Both the list of executable file extensions and the TCP port for SMTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and the server, and a single event matching the filter criteria triggers the rule.

 

Title: HTTP Outbound Traffic to Multiple Destinations From Single Source

Desc: HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds. Outbound traffic is defined as traffic whose destination is not a private reserved address; the source IP must be within the RFC 1918 ranges. The time window, the number of unique destination IPs and the source IP whitelist are all configurable. All events are grouped by ip.src, and 50 must occur within 60 seconds.

 

Title: Multi-Service connection attempts_Pckt

Desc: Multiple connection failures detected from packet data from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) on the same destination within a period of 5 minutes. The time window, the list of destination ports to be monitored and the number of connection attempts are configurable.

 

Title: Root fail ESX server (x3) + Root success to ESX server + VMClone

Desc: Alert if there are multiple (here, assumed to be 3) root login failures to an ESX server, followed by a successful root login to the ESX server, followed by a VMClone event, all within 5 minutes. The time window is configurable.

 

Title: Non HTTP Traffic on TCP Port 80 Containing Executable

Desc: Monitors for non-HTTP traffic on TCP destination port 80 containing an executable. Both the list of executable file extensions and the TCP port for HTTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and the server, and a single event matching the filter criteria triggers the rule.

 

Title: Account Created and Deleted within an hour.

Desc: Account Created and Deleted within an hour.

 

Log Collector Content

 

Title: ActivIdentity AAA Server Log Collector Configuration

Desc: Log Collector configuration content for event source ActivIdentity AAA Server

 

Title: Alcatel-Lucent OmniSwitch Log Collector Configuration

Desc: Log Collector configuration content for event source Alcatel-Lucent OmniSwitch

 

Title: Apache Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Web Server

 

Title: Apache Tomcat Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Tomcat

 

Title: AppSec DbProtect Log Collector Configuration

Desc: Log Collector configuration content for event source AppSec DbProtect

 

Title: Avocent KVM Log Collector Configuration

Desc: Log Collector configuration content for event source Avocent KVM

 

Title: BigFix Log Collector Configuration

Desc: Log Collector configuration content for event source BigFix

 

Title: Bit9 Log Collector Configuration

Desc: Log Collector configuration content for event source Bit9

 

Title: RIM Blackberry Enterprise Server Log Collector Configuration

Desc: Log Collector configuration content for event source RIM Blackberry Enterprise Server

 

Title: BMC Remedy ITSM Log Collector Configuration

Desc: Log Collector configuration content for event source BMC Remedy ITSM

 

Title: CA Integrated Threat Management Log Collector Configuration

Desc: Log Collector configuration content for event source CA Integrated Threat Management

 

Title: EMC Celerra Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Celerra

 

Title: Check Point FW-1 Log Collector Configuration

Desc: Log Collector configuration content for event source Check Point FW-1

 

Title: Cisco Ironport ESA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport ESA

 

Title: Cisco Ironport WSA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport WSA

 

Title: Cisco LMS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco LMS

 

Title: Cisco MARS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco MARS

 

Title: CiscoWorks NCM Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks NCM

 

Title: Cisco Security Agent Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Security Agent

 

Title: Cisco WCS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco WCS

 

Title: CiscoWorks Common Services/Cisco Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks Common Services/Cisco

 

Title: Citrix XenApp Log Collector Configuration

Desc: Log Collector configuration content for event source Citrix XenApp

 

Title: Courion Password Courier Log Collector Configuration

Desc: Log Collector configuration content for event source Courion Password Courier

 

Title: Dell DRAC Log Collector Configuration

Desc: Log Collector configuration content for event source Dell DRAC

 

Title: Dragon IDS Log Collector Configuration

Desc: Log Collector configuration content for event source Dragon IDS

 

Title: eEye Blink Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Blink

 

Title: eEye Retina Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Retina

 

Title: EMC Avamar Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Avamar

 

Title: EMC Documentum Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Documentum

 

Title: EMC Data Protection Advisor Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Data Protection Advisor

 

Title: EMC Ionix UIM Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Ionix UIM

 

Title: EMC Isilon Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Isilon

 

Title: EMC NetWorker Log Collector Configuration

Desc: Log Collector configuration content for event source EMC NetWorker

 

Title: EMC VPLEX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC VPLEX

 

Title: Entercept Log Collector Configuration

Desc: Log Collector configuration content for event source Entercept

 

Title: McAfee ePolicy Orchestrator Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee ePolicy Orchestrator

 

Title: FairWarning Privacy Monitoring Log Collector Configuration

Desc: Log Collector configuration content for event source FairWarning Privacy Monitoring

 

Title: F-Secure Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source F-Secure Anti-Virus

 

Title: GE Centricity Enterprise Archive Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity Enterprise Archive

 

Title: GE Centricity PACS IW Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity PACS IW

 

Title: GIT-SCM Server Log Collector Configuration

Desc: Log Collector configuration content for event source GIT-SCM Server

 

Title: EMC Greenplum Database Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Database

 

Title: EMC Greenplum Hadoop Distribution Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Hadoop Distribution

 

Title: GlobalSCAPE EFT Server Log Collector Configuration

Desc: Log Collector configuration content for event source GlobalSCAPE EFT Server

 

Title: IBM DB2 UDB Log Collector Configuration

Desc: Log Collector configuration content for event source IBM DB2 UDB

 

Title: IBM Mainframe ICSF Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe ICSF

 

Title: IBM Mainframe (IDMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IDMS)

 

Title: IBM Mainframe (IMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IMS)

 

Title: IBM Mainframe IPSec Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe IPSec

 

Title: IBM Mainframe zOS System Log Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe zOS System Log

 

Title: IBM Mainframe (RACF) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (RACF)

 

Title: IBM Tivoli Access Manager ESSO Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Access Manager ESSO

 

Title: IBM TAM WebSEAL Log Collector Configuration

Desc: Log Collector configuration content for event source IBM TAM WebSEAL

 

Title: IBM Tivoli Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Identity Manager

 

Title: IBM WebSphere MQ Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere MQ

 

Title: IntruShield Log Collector Configuration

Desc: Log Collector configuration content for event source IntruShield

 

Title: McAfee Email Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Email Gateway

 

Title: ISS Realsecure Log Collector Configuration

Desc: Log Collector configuration content for event source ISS Realsecure

 

Title: JBoss Application Server Log Collector Configuration

Desc: Log Collector configuration content for event source JBoss Application Server

 

Title: Steel-Belted Radius Log Collector Configuration

Desc: Log Collector configuration content for event source Steel-Belted Radius

 

Title: Kaspersky Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source Kaspersky Anti-Virus

 

Title: Kernel-based Virtual Machine Log Collector Configuration

Desc: Log Collector configuration content for event source Kernel-based Virtual Machine

 

Title: LANDesk Management Suite Log Collector Configuration

Desc: Log Collector configuration content for event source LANDesk Management Suite

 

Title: Lotus Domino Log Collector Configuration

Desc: Log Collector configuration content for event source Lotus Domino

 

Title: Lumension EMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Lumension EMSS

 

Title: ManageEngine Netflow Analyzer Log Collector Configuration

Desc: Log Collector configuration content for event source ManageEngine Netflow Analyzer

 

Title: Mazu Profiler Log Collector Configuration

Desc: Log Collector configuration content for event source Mazu Profiler

 

Title: McAfee Host DLP Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Host DLP

 

Title: McAfee Endpoint Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Endpoint

 

Title: McAfee Vulnerability Manager Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Vulnerability Manager

 

Title: McAfee Integrity Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Integrity Control

 

Title: McAfee Network Access Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Network Access Control

 

Title: McAfee Policy Auditor Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Policy Auditor

 

Title: McAfee Reconnex Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Reconnex

 

Title: McAfee Virus Scan Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Virus Scan

 

Title: McKesson HPF Log Collector Configuration

Desc: Log Collector configuration content for event source McKesson HPF

 

Title: Microsoft IIS Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft IIS

 

Title: Microsoft Audit Collection Services Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Audit Collection Services

 

Title: Microsoft DHCP Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft DHCP

 

Title: Microsoft Forefront Client Security Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront Client Security

 

Title: Microsoft Forefront UAG Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront UAG

 

Title: Microsoft Network Access Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Network Access Protection

 

Title: Microsoft SharePoint Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SharePoint

 

Title: Windows Server Update Service Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Server Update Service

 

Title: MySQL Log Collector Configuration

Desc: Log Collector configuration content for event source MySQL

 

Title: Netapp Log Collector Configuration

Desc: Log Collector configuration content for event source Netapp

 

Title: Rapid7 NeXpose Log Collector Configuration

Desc: Log Collector configuration content for event source Rapid7 NeXpose

 

Title: NFDump Log Collector Configuration

Desc: Log Collector configuration content for event source NFDump

 

Title: Novell eDirectory Log Collector Configuration

Desc: Log Collector configuration content for event source Novell eDirectory

 

Title: NetScreen-Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source NetScreen-Security Manager

 

Title: openvms Log Collector Configuration

Desc: Log Collector configuration content for event source openvms

 

Title: Oracle Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle

 

Title: Oracle Audit Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Audit Vault

 

Title: Oracle DB Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle DB Vault

 

Title: Oracle Internet Directory Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Internet Directory

 

Title: Oracle IM Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle IM

 

Title: Oracle iPlanet Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle iPlanet Web Server

 

Title: Oracle WebLogic Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle WebLogic

 

Title: Perforce Log Collector Configuration

Desc: Log Collector configuration content for event source Perforce

 

Title: Radware DefensePro Log Collector Configuration

Desc: Log Collector configuration content for event source Radware DefensePro

 

Title: Riverbed Steelhead Log Collector Configuration

Desc: Log Collector configuration content for event source Riverbed Steelhead

 

Title: RSA Adaptive Auth (Hosted) Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Adaptive Auth (Hosted)

 

Title: RSA Access Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Access Manager

 

Title: RSA ACE Server Log Collector Configuration

Desc: Log Collector configuration content for event source RSA ACE Server

 

Title: RSA Archer Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Archer

 

Title: RSAAveksa Log Collector Configuration

Desc: Log Collector configuration content for event source RSAAveksa

 

Title: RSA Certificate Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Certificate Manager

 

Title: RSA Federated Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Federated Identity Manager

 

Title: SAP ERP Central Component Log Collector Configuration

Desc: Log Collector configuration content for event source SAP ERP Central Component

 

Title: Secude Security Intelligence Log Collector Configuration

Desc: Log Collector configuration content for event source Secude Security Intelligence

 

Title: Solaris Basic Security Module Log Collector Configuration

Desc: Log Collector configuration content for event source Solaris Basic Security Module

 

Title: Sophos Enterprise Console Log Collector Configuration

Desc: Log Collector configuration content for event source Sophos Enterprise Console

 

Title: Sybase ASE Log Collector Configuration

Desc: Log Collector configuration content for event source Sybase ASE

 

Title: SYMANTECEP Log Collector Configuration

Desc: Log Collector configuration content for event source SYMANTECEP

 

Title: EMC Symmetrix Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Symmetrix

 

Title: Teradata Log Collector Configuration

Desc: Log Collector configuration content for event source Teradata

 

Title: Trend Micro Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro

 

Title: Trend Micro IMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IMSS

 

Title: Trend Micro IWSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IWSS

 

Title: Tripwire Enterprise Log Collector Configuration

Desc: Log Collector configuration content for event source Tripwire Enterprise

 

Title: Varonis DatAdvantage Probe Log Collector Configuration

Desc: Log Collector configuration content for event source Varonis DatAdvantage Probe

 

Title: VMware View Log Collector Configuration

Desc: Log Collector configuration content for event source VMware View

 

Title: EMC Voyence Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Voyence

 

Title: Websense Web Security Log Collector Configuration

Desc: Log Collector configuration content for event source Websense Web Security

 

Title: WhatsUp Gold Log Collector Configuration

Desc: Log Collector configuration content for event source WhatsUp Gold

 

Title: Microsoft Operations Manager Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Operations Manager

 

Title: Microsoft Exchange Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Exchange

 

Title: Microsoft SCCM Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SCCM

 

Title: Microsoft SQL Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SQL Server

 

Title: Microsoft Internet Security and Acceleration Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Internet Security and Acceleration Server

 

Title: Microdasys XML Security Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source Microdasys XML Security Gateway

 

Title: IBM WebSphere Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere

 

Title: Actiance Vantage Log Collector Configuration

Desc: Log Collector configuration content for event source Actiance Vantage

 

Title: CA Siteminder Log Collector Configuration

Desc: Log Collector configuration content for event source CA Siteminder

 

Title: Cisco Secure IDS XML Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Secure IDS XML

 

Title: EMC Clariion/VNX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Clariion/VNX

 

Title: SonicWALL GMS Log Collector Configuration

Desc: Log Collector configuration content for event source SonicWALL GMS

 

Title: Squid Log Collector Configuration

Desc: Log Collector configuration content for event source Squid

 

Title: SunOne LDAP Directory Server Log Collector Configuration

Desc: Log Collector configuration content for event source SunOne LDAP Directory Server

 

Title: Symantec Critical Systems Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Critical Systems Protection

 

Title: Symantec Intruder Alert Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Intruder Alert

 

Title: McAfee Web Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Web Gateway

 

Title: Bluecoat ProxyAV Log Collector Configuration

Desc: Log Collector configuration content for event source Bluecoat ProxyAV

 

Title: Blue Coat ELFF Log Collector Configuration

Desc: Log Collector configuration content for event source Blue Coat ELFF

 

Title: Tenable Network Security Nessus Log Collector Configuration

Desc: Log Collector configuration content for event source Tenable Network Security Nessus

 

Title: Windows Events (NIC) Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Events (NIC)

 

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

 

Log Parsers

 

New Event Sources:

 

Fortinet FortiAnalyzer version 5.0

Cyberoam UTM version 10.04.3

Aventail SSL VPN (now called SonicWall E-Class SRA)

Cisco Wireless LAN Controller (2100 Series and 4400 Series)

 

Updated Event Sources:

Alcatel-Lucent OmniSwitch version 6600

Cisco Secure ACS version 5.4

McAfee Web Gateway version 7.3

Microsoft Exchange 2013

MySQL Enterprise version 5.6

Symantec DLP versions 11 and 12

Blue Coat Proxy AV version 3.5.1.1

Check Point Security Suite version R77 GAIA OS

Citrix XenApp version 6.5

Oracle WebLogic Server version 10.3.6

Palo Alto Panorama version 5.1.4

Sybase version 15 on Solaris 2.10

 

LUA Parsers

 

Title: VNC

Desc: Identifies the Remote Framebuffer protocol used by VNC and its derivatives.

 

Title: X11_lua

Desc: Identifies the X11 protocol (RFC 1013)

 

Title: HTTP_lua

Desc: Replicates and improves the functionality of the native and flex HTTP parsers. Performs HTTP header anomaly detection and proxy client IP extraction. Parses ICAP (HTTP) requests.

 

Title: xor_executable_lua

Desc: Detects executables that have been xor or hex encoded.

 

Title: NFS_lua

Desc: Identifies and parses the RPC-related protocols NFS, MOUNT, and PORTMAP.

 

Title: DNP3_lua

Desc: Identifies DNP3 (Distributed Network Protocol), a SCADA protocol.

 

Title: ethernet_oui

Desc: Determines the manufacturer of eth.src and eth.dst addresses.

 

Title: Fingerprint_Private_Key

Desc: Detects SSH and PGP private key files.

 

Title: IMAP_lua

Desc: Identifies IMAP and registers commands, errors, usernames, and passwords.

 

Title: Lync

Desc: Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger).

 

Title: pwdump

Desc: Detects output from Windows password dumping tools such as pwdump.

 

Title: QQ_lua

Desc: Identifies QQ (OICQ protocol) sessions. Extracts the QQ user id number and login/logout events.

 

Title: shadyrat_lua

Desc: Identifies potential artifacts related to shadyrat command and control traffic.

 

Title: socks_lua

Desc: Identifies the SOCKS protocol, versions 4 and 5.

 

Title: SoulSeek_lua

Desc: Identifies the SoulSeek file sharing protocol

 

Title: spectrum_lua

Desc: Determines which sessions are sent to Spectrum for analysis, based upon the file types seen in the session and the total session size.

 

Title: DNS_verbose_lua

Desc: Identifies DNS sessions. Registers query and response records including record type. Registers protocol error messages. Alerts on DNS anomalies.

 

Title: htran_lua

Desc: Identifies the error message generated by the htran redirection tool.

 

Title: bittorrent_lua

Desc: Identifies the bittorrent protocol and registers the name of the file being downloaded.

 

Title: fingerprint_7zip

Desc: Detects 7zip archive files.

 

Title: Derusbi_Server_Handshake

Desc: Detects Derusbi server handshake.

 

Title: fingerprint_rtf_lua

Desc: Detects RTF files

 

Title: fingerprint_zip

Desc: Detects PK format zip files and extracts filenames contained in the archive.

 

Title: NTLMSSP_lua

Desc: Extracts Active Directory user information from NTLM HTTP headers.

 

Title: SMB_lua

Desc: Parses the Microsoft SMB-CIFS protocol versions 1 and 2.

 

Title: fingerprint_rar_lua

Desc: Detects RAR archive files.  Registers names of archived files if available

 

Title: Netwitness Lua Library

Desc: Commonly used parser functions in Lua. This file itself is not a parser.

 

Title: fingerprint_javascript_lua

Desc: Detects JavaScript and suspicious JavaScript actions and anomalies.

 

Title: fingerprint_office_lua

Desc: Identifies Microsoft Office 95 and 2007 Word, Excel, and PowerPoint documents.

 

Title: iSCSI

Desc: Identifies SCSI-over-IP.

 

Title: MAIL_lua

Desc: Replicates in Lua the functionality of the native and flex MAIL parsers. Extracts values such as from, to, and subject from email messages.

 

Title: creditcard_detection_lua

Desc: Attempts to detect possible credit card numbers and validates them with the Luhn algorithm. Intended as a replacement for the credit card detection in search.ini.

 

Title: phishing_lua

Desc: Registers the host portion from each URL found within an email.

 

 

FLEX Parsers

 

Title: Derusbi_Variant_Beacon

Desc: Detects Derusbi Variant Beacons

 

Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors. Detects and registers anomalies.

 

YARA Rules

 

Title: RSA Malware PE Packers

Desc: Yara IOCs which statically analyze Windows PE files to identify Common Packers

 

Title: RSA Malware PDF Artifacts

Desc: Yara IOCs which statically analyze PDF file artifacts for signs of malware

 

Title: RSA Malware PE Artifacts

Desc: Yara IOCs which statically analyze Windows PE file artifacts for signs of malware

 

Reports

 

Title: Accounts Created SAW

Desc: SAW Compliance Report Template - Accounts Created SAW

 

Title: Accounts Deleted SAW

Desc: SAW Compliance Report Template - Accounts Deleted SAW

 

Title: Accounts Disabled SAW

Desc: SAW Compliance Report Template - Accounts Disabled SAW

 

Title: Accounts Modified SAW

Desc: SAW Compliance Report Template - Accounts Modified SAW

 

Title: Anti-Virus Signature Updates SAW

Desc: SAW Compliance Report Template - Anti-Virus Signature Updates SAW

 

Title: Change in Audit Settings SAW

Desc: SAW Compliance Report Template - Change in Audit Settings SAW

 

Title: Encryption Failures SAW

Desc: SAW Compliance Report Template - Encryption Failures SAW

 

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Report Template - Encryption Key Generation and Changes SAW

 

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Details SAW

 

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Summary SAW

 

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Report Template - Failed Remote Access Details SAW

 

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Report Template - Failed Remote Access Summary SAW

 

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Report Template - Firewall Configuration Changes SAW

 

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Report Template - Firmware Changes on Wireless Devices SAW

 

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Report Template - Inbound Network Traffic SAW

 

Title: Logon Failures Summary SAW

Desc: SAW Compliance Report Template - Logon Failures Summary SAW

 

Title: Logon Failure Details SAW

Desc: SAW Compliance Report Template - Logon Failure Details SAW

 

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Report Template - Outbound Network Traffic SAW

 

Title: Password Changes Details SAW

Desc: SAW Compliance Report Template - Password Changes Details SAW

 

Title: Password Changes Summary SAW

Desc: SAW Compliance Report Template - Password Changes Summary SAW

 

Title: Router Configuration Changes SAW

Desc: SAW Compliance Report Template - Router Configuration Changes SAW

 

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Details SAW

 

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Summary SAW

 

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Report Template - Successful Remote Access Details SAW

 

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Report Template - Successful Remote Access Summary SAW

 

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Report Template - Successful Use of Encryption SAW

 

Title: System Clock Synchronization SAW

Desc: SAW Compliance Report Template - System Clock Synchronization SAW

 

Title: User Access Revoked SAW

Desc: SAW Compliance Report Template - User Access Revoked SAW

 

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Report Template - User Session Terminated Summary SAW

 

Report Engine Rules

 

Title: Accounts Created SAW

Desc: SAW Compliance Rule - Accounts Created SAW

 

Title: Accounts Deleted SAW

Desc: SAW Compliance Rule - Accounts Deleted SAW

 

Title: Accounts Disabled SAW

Desc: SAW Compliance Rule - Accounts Disabled SAW

 

Title: Accounts Modified SAW

Desc: SAW Compliance Rule - Accounts Modified SAW

 

Title: Anti-virus Signature Update SAW

Desc: SAW Compliance Rule - Anti-virus Signature Update SAW

 

Title: Change in Audit Settings SAW

Desc: SAW Compliance Rule - Change in Audit Settings SAW

 

Title: Encryption Failures SAW

Desc: SAW Compliance Rule - Encryption Failures SAW

 

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Rule - Encryption Key Generation and Changes SAW

 

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Details SAW

 

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Summary SAW

 

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Rule - Failed Remote Access Details SAW

 

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Rule - Failed Remote Access Summary SAW

 

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Rule - Firewall Configuration Changes SAW

 

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Rule - Firmware Changes on Wireless Devices SAW

 

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Rule - Inbound Network Traffic SAW

 

Title: Logon Failures Summary SAW

Desc: SAW Compliance Rule - Logon Failures Summary SAW

 

Title: Logon Failures Details SAW

Desc: SAW Compliance Rule - Logon Failures Details SAW

 

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Rule - Outbound Network Traffic SAW

 

Title: Password Changes Details SAW

Desc: SAW Compliance Rule - Password Changes Details SAW

 

Title: Password Changes Summary SAW

Desc: SAW Compliance Rule - Password Changes Summary SAW

 

Title: Router Configuration Changes SAW

Desc: SAW Compliance Rule - Router Configuration Changes SAW

 

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Details SAW

 

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Summary SAW

 

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Rule - Successful Remote Access Details SAW

 

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Rule - Successful Remote Access Summary SAW

 

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Rule - Successful Use of Encryption SAW

 

Title: System Clock Synchronization SAW

Desc: SAW Compliance Rule - System Clock Synchronization SAW

 

Title: User Access Revoked SAW

Desc: SAW Compliance Rule - User Access Revoked SAW

 

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Rule - User Session Terminated Summary SAW

Some malware is just too noisy to be missed. Going through its set of daily reports on RSA Security Analytics, RSA FirstWatch found an anomaly that easily stood out in the rarest UA Strings report. We have blogged before about this report and how it can help you detect malicious and suspicious User-Agent strings in your environment*

 

As you can see below, our records indicate above-average activity across distinct UA strings for a daily report.

 


 

That made us curious about the story behind these UA strings, so we started investigating them one by one. It was not hard to conclude that the malware was running a DDoS attack against a Russian domain, alternating between different UA strings in its HTTP GET requests. Here is a screenshot from Security Analytics Investigator:

 


 

In addition, the sample used a large number of unique referrers (Referer header values) that appear to be dynamically generated.

 


 

As of this writing, VirusTotal has a good detection rate for this sample.

 

This is an example of how powerful Security Analytics reports are and how they can be a great help in your investigations.
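The two signals described above, as an added example that is not code from the original post or from RSA: the "rarest UA strings" view (a User-Agent seen from only one source host) and the per-client pattern of many distinct User-Agents toward one destination with a fresh Referer on almost every request. The IPs, hostnames, UA strings and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample requests (not from the original post): (src_ip, dst_host, user_agent, referer)
SAMPLE_REQUESTS = [
    # One client hammering a single destination, cycling UA strings and generating new referers
    ("10.0.0.5", "example.invalid", "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0", "http://r1.example.invalid/a"),
    ("10.0.0.5", "example.invalid", "Mozilla/4.0 (compatible; MSIE 6.0)", "http://r2.example.invalid/b"),
    ("10.0.0.5", "example.invalid", "Opera/9.80 (Windows NT 5.1)", "http://r3.example.invalid/c"),
    ("10.0.0.5", "example.invalid", "Mozilla/5.0 (Macintosh) Safari/537.36", "http://r4.example.invalid/d"),
    ("10.0.0.5", "example.invalid", "Mozilla/5.0 (X11; Linux) Chrome/31.0", "http://r5.example.invalid/e"),
    ("10.0.0.5", "example.invalid", "Mozilla/5.0 (X11; Linux) Chrome/31.0", "http://r6.example.invalid/f"),
    # Normal workstations: one browser each, referers from the site they are browsing
    ("10.0.0.9", "intranet.invalid", "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0", "http://intranet.invalid/home"),
    ("10.0.0.9", "intranet.invalid", "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0", "http://intranet.invalid/news"),
    ("10.0.0.7", "intranet.invalid", "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0", "http://intranet.invalid/home"),
]

def profile_flows(requests):
    """Per (src, dst) pair, collect the distinct User-Agent and Referer values and a request count."""
    flows = defaultdict(lambda: {"uas": set(), "referers": set(), "count": 0})
    for src, dst, ua, ref in requests:
        f = flows[(src, dst)]
        f["uas"].add(ua)
        f["referers"].add(ref)
        f["count"] += 1
    return flows

def rare_user_agents(requests, max_sources=1):
    """UA strings seen from at most `max_sources` distinct source hosts: the 'rarest UA strings' view."""
    sources = defaultdict(set)
    for src, _dst, ua, _ref in requests:
        sources[ua].add(src)
    return sorted(ua for ua, srcs in sources.items() if len(srcs) <= max_sources)

def find_ua_rotation(requests, min_uas=4, min_referer_ratio=0.8):
    """Flag (src, dst) pairs where one client cycles through at least `min_uas` User-Agents and
    the share of requests carrying a never-before-seen Referer is at least `min_referer_ratio`."""
    hits = []
    for (src, dst), f in profile_flows(requests).items():
        referer_ratio = len(f["referers"]) / f["count"]
        if len(f["uas"]) >= min_uas and referer_ratio >= min_referer_ratio:
            hits.append({"src": src, "dst": dst, "distinct_uas": len(f["uas"]),
                         "distinct_referers": len(f["referers"]), "requests": f["count"]})
    return hits

if __name__ == "__main__":
    print("rare UAs:", rare_user_agents(SAMPLE_REQUESTS))
    print("rotating clients:", find_ua_rotation(SAMPLE_REQUESTS))
```

Thresholds are deliberately loose here; in a real environment baseline the distinct-UA count per host over a day before alerting, since browser extensions and update agents also vary their User-Agent.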
