I need some real quick help.
For a long time I have observed one domain, “Ib.adnxs(.)com”, which seems to redirect to multiple malicious malware-related domains. I want to get information on all the redirection domains reached through it.
When I drilled on host alias, a lot of hits were found. Can anyone please help me: what kind of Informer report or custom drill will give me the redirection domain information?
Remember, I'm talking about things from my perspective in a pure malware environment. Google.com referer strings are hard coded in tons of botnet get requests. Of course not all google.com referers are going to be malware, but just keep it in mind when you are hunting for it.
I'm sure every enterprise has a few adware infections, given that the number one online fraud today is click fraud. The ones with the most referers and the most visits to ad sites are likely the ones infected by these ad-clicking bots. Either that or they are spending all day surfing the net and not working; both instances warrant investigation.
Reaching host level at my client's place is very difficult. After a long time I did get access to 3 different hosts from which hits to this domain were found. I checked startup, processes, registry, prefetch and a few other things, but did not find any similarity between the hosts that is causing this issue. I found bad-reputation toolbars like CLARO search and SEARCH CONDUCT. I was not able to get any specific file.
I had a discussion with my client's management; they wanted to stop this at host level and contacted their AV vendor, Symantec. I provided them all the PCAPs and analysis on the domain. Now they have come back saying the site itself is a legit one and no infections were found on the machines, which my client and I do not agree with, because the site itself has a very poor reputation score and from the PCAP data it does not look legit at all.
Traffic is being redirected to a legitimate advertisement website via a toolbar which is installed voluntarily after agreeing to its terms and conditions. While a few tools might consider that toolbar a threat, Symantec does not. However, we give customers the flexibility to configure the product to comply with their own security policy.
Could you please help me out on this? Most of the domains it redirects to are adware and advertisement domains.
Symantec couldn't find anything malicious?? Color me shocked.
The fact that you found malicious toolbars means you found the culprit. Here is a post on how to remove the CLARO search virus:
And as far as the end user agreeing to accept the installation, that's not likely true either. Most of the clickware fraud we see in a sandbox gets installed without user intervention using signed certs from Microsoft and Verisign. I'd say you did a great job finding high redirect hosts and have identified at least a couple of malicious toolbars that cause the redirection.
This does say something about the endpoints: they are likely insecure, with older Java clients, unpatched browsers, or outdated versions of Adobe Reader. The simplest disinfectant would be to reimage the machines; manual disinfection could be tedious and will not patch the underlying weaknesses. If the client customer doesn't think this is a threat, let him know that he is making malware authors rich by allowing referral cash to flow freely to them.
Thanks for understanding my concern.
Here the incident management is not very actively developed, and on average there were 8000 hits per day. There is a chance of finding 500 machines which are trying to reach the domain. In this case, if I recommend re-imaging, that won't work effectively. And this annoying domain is not giving me any specific file which I can remove from every host.
In this critical situation, what should I suggest? Kindly advise me.
Either firewall or proxy-block the ad sites. Also, look for any referers that contain buscaid and okaysearch. I'm seeing those referrals as primary drivers of adware.
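
The triage suggested in this thread (rank internal hosts by hits to the ad domain and by number of referers, and flag Referer values containing buscaid or okaysearch), as an added example that is not part of the original posts and not a NetWitness query. The three-field log format, the function names and the sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

AD_DOMAIN = "ib.adnxs.com"                   # domain from the thread, refanged for matching
REFERER_MARKERS = ("buscaid", "okaysearch")  # referer substrings named in the thread

# Constructed sample proxy log: "<client_ip> <requested_url> <referer or ->"
SAMPLE_LOG = """\
10.0.0.5 http://ib.adnxs.com/ttj?id=1 http://search.buscaid.example/results
10.0.0.5 http://ib.adnxs.com/ttj?id=2 http://www.okaysearch.example/?q=a
10.0.0.5 http://ib.adnxs.com/ttj?id=3 http://news.example/story
10.0.0.7 http://ib.adnxs.com/ttj?id=4 http://news.example/story
10.0.0.7 http://intranet.example/home -
10.0.0.9 http://IB.ADNXS.COM/ttj?id=5 -
malformed line
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def triage(log_text):
    """Per client: hits to AD_DOMAIN, distinct referer hosts, marker referers."""
    hits = Counter()
    referers = defaultdict(set)
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                         # skip malformed records
        client, url, referer = parts
        if host_of(url) != AD_DOMAIN:
            continue                         # only requests to the ad domain count
        hits[client] += 1
        if referer != "-":
            ref_host = host_of(referer)
            referers[client].add(ref_host)
            if any(m in referer.lower() for m in REFERER_MARKERS):
                flagged[client].add(ref_host)
    # Most hits first; ties broken by client address for stable output.
    return [(c, n, len(referers[c]), sorted(flagged[c]))
            for c, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))]

if __name__ == "__main__":
    for client, n, ref_count, marked in triage(SAMPLE_LOG):
        print(f"{client} hits={n} referers={ref_count} flagged={marked}")
```

Hosts at the top of the list with flagged referers are the first candidates for the toolbar check described earlier in the thread.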