Recognizing DDoS webflood malware using Security Analytics

Blog Post created by ahsonbol on Feb 4, 2014

Some malware is just too noisy to miss. While going through its set of daily reports in RSA Security Analytics, RSA FirstWatch found an anomaly that stood out immediately in the rarest UA Strings report. We have blogged before about this report and how it can help you detect malicious and suspicious User-Agent strings in your environment.*

As you can see below, our records show above-average activity for several different UA strings within a single daily report.

[Screenshot: rarest UA Strings daily report]

That made us curious about the story behind these UA strings, so we started investigating them one by one. It was not hard to conclude that the malware was running a DDoS attack against a Russian domain, alternating between different UA strings in its HTTP GET requests. Here is a screenshot from Security Analytics Investigator:

[Screenshot: Security Analytics Investigator view of the rotating UA strings]

In addition, the sample used a high number of unique referrer values that appear to be dynamically generated.

[Screenshot: unique, dynamically generated referrers]
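To show how the two signals described above translate into detection logic, here is an added example that is not part of the original post: it runs over constructed proxy-log lines and flags UA strings seen from only one client (the "rarest UA" idea) plus any client that hammers a single host with rotating UA strings and near-unique referrers. The log format, field order, thresholds, hostnames and addresses are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed log lines, tab-separated: src_ip, destination host, User-Agent, Referer.
# Sample data made up for this example; it does not reproduce the original screenshots.
LOG_LINES = [
    "10.0.0.5\tvictim.example\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0\thttp://a1b2c3.example/x9",
    "10.0.0.5\tvictim.example\tOpera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16\thttp://q8w7e6.example/r4",
    "10.0.0.5\tvictim.example\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttp://z5x4c3.example/v2",
    "10.0.0.5\tvictim.example\tMozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 Chrome/32.0\thttp://m1n2b3.example/t7",
    "10.0.0.5\tvictim.example\tLynx/2.8.7rel.1 libwww-FM/2.14\thttp://l0k9j8.example/h5",
    "10.0.0.5\tvictim.example\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0\thttp://p3o2i1.example/g6",
    "10.0.0.7\tnews.example\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0\thttp://news.example/",
    "10.0.0.7\tnews.example\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0\thttp://news.example/sports",
    "10.0.0.7\tnews.example\tMozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0\t-",
]


def parse(lines):
    """Yield (src_ip, host, user_agent, referer) tuples from the assumed log format."""
    for line in lines:
        src, host, ua, ref = line.rstrip("\n").split("\t")
        yield src, host, ua, ref


def rare_user_agents(lines, max_sources=1):
    """UA strings observed from at most `max_sources` distinct clients (the rarest-UA report idea)."""
    sources = defaultdict(set)
    for src, _host, ua, _ref in parse(lines):
        sources[ua].add(src)
    return sorted(ua for ua, srcs in sources.items() if len(srcs) <= max_sources)


def webflood_suspects(lines, min_requests=5, min_uas=3, min_referer_ratio=0.8):
    """Per (client, host) pair: many requests, several distinct UAs, and mostly unique referrers.

    Returns (src_ip, host, request_count, distinct_uas, distinct_referers) for each suspect.
    Normal browsing reuses one UA and repeats referrers, so it falls below these thresholds.
    """
    stats = defaultdict(lambda: {"n": 0, "uas": set(), "refs": set()})
    for src, host, ua, ref in parse(lines):
        s = stats[(src, host)]
        s["n"] += 1
        s["uas"].add(ua)
        s["refs"].add(ref)
    suspects = []
    for (src, host), s in stats.items():
        if (s["n"] >= min_requests and len(s["uas"]) >= min_uas
                and len(s["refs"]) / s["n"] >= min_referer_ratio):
            suspects.append((src, host, s["n"], len(s["uas"]), len(s["refs"])))
    return suspects
```

Both checks are deliberately simple per-host counters, so they can be re-expressed as report filters in whatever analytics platform holds the proxy logs.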

As of this writing, VirusTotal has a good detection rate for this sample.

This is an example of how powerful Security Analytics reports are and how much they can help in your investigations.