Hi,
I need a real quick help.
Long time I observed one domain “Ib.adnxs(.)com”, this seems it does redirection to multiple malicious malware related domains. I wanted to get information on all redirection domain happened through it.
Drilled with host alias there were lot many hits found. Can anyone please help me, what kind of informer report or custom drill will give me redirection domain information?
Couple of ideas:
I tend to apply the last method. tshark + regular expressions can be very powerful and with the REST-API you can very easily automate the process.
Thanks for the information.
This site is not referring any domains while accessing it is redirecting to other malicious sites. Below is the screenshot
There were 40K hits for last 24 hr, It is not practically possible to get it from tshark.
Could please share the parser what you have mentioned on the redirection. That would help me a lot. Thanks again for your time.
In your example, the "erectile-dysfunction"-site seems to embed ads from ib.adnxs.com (potentially malicious). So you are looking for sites that lead to ib.adnxs(.)com, not the other way round?
The informer query:
referer where alias.host = ib.adnxs.com
should give you a list of domains like "erectile-dysfunction".
Thanks a lot for the information.
There were lot many source hosts not able to get the infected file which is trying to reach all these domains.
I got above 800 referer domains. Wanna try more to find the infection. Thank you
Yeah, you definitely have an adware infection. If your ultimate goal is to find out who likely has popup infections like this, one idea is to make an informer report to look for the top 25 source ips where referrer exists. That will give you a listing of the internal hosts that are being redirected the most. This will catch hosts that aren't going to ib.addnx.com.
And if the files aren't being found, make an informer report looking for the top 25 internal hosts that receive a 40x error. That rule is ip.src where org.dst exists && error begins '40'
Also take a look at user-agent strings with each of these. That would be as simple as putting in the then statement:
lookup_and_add('client','ip.src',3);
If you need any other ideas, let us know.
I have a sandbox running all kinds of malware and adware infected hosts. Here is an example of the output from one of my reports.
Note how one of the top referers are google.com? That's a sure sign that the referer is faked. A true referer would include the search string in the referer field. Note that my top 25 are ALL Malware driven. My rule for this is:
Thank you Fielder for your support.
I ran the reprot ip.src where org.dst exists && error begins '40' with then statement. I got the result but I did not see anything malicious on the result. I am not sure about error 40x. Could you please help me to understand on what parameter I have to look into it to confirm infection.
On your second post, I too created the same report and got results. How can be all 25 are Malware driven. What next I have investigate, on this kind of case does Antivirus scan will help? It is something I saw new like on the report output I can make sure the machine is 100% infected. Please explain so that I can put these as e-mail alert.
Thanks a again for you knowledge sharing.
Why do you think you have an infection in the first place? I get even more than 40k hits per day. Adnxs is a very common tracking/advertisement site.
Also, "referer = http://www.google.com" is very common and not a sign for malware. If I do a google search for Netwitness and click on a link, the header looks like this
GET /the-new-netwitness-community-is-live/ HTTP/1.1
Host: blogs.rsa.com
(...)
Referer: https://www.google.com/
or like this
GET /url?sa=t&rct=j&q=netwitness&source=web&cd=1&sqi=2&ved=0CC0QFjAA&url=http%3A%2F%2Fwww.emc.com%2Fsecurity%2Frsa-netwitness.htm&ei=ZsmAUYPEOMaVtQaD94CYAw&usg=AFQjCNGrZH7fRfQYlFAZrQ52fwyq_h8rFQ&bvm=bv.45921128,d.ZWU HTTP/1.1
Referer: http://www.google.com/
Johannes,
Remember, I'm talking about things from my perspective in a pure malware environment. Google.com referer strings are hard coded in tons of botnet get requests. Of course not all google.com referers are going to be malware, but just keep it in mind when you are hunting for it.
Im sure every enterprise has a few adware infections given that the number one online fraud today is click fraud. The ones with the most referers and the most visits to ad sites are likely the ones infected by these ad-clicking bots. Either that or they are spending all day surfing the net and not working- both instances warrant investigation.
Anil, what were the file names being requested with the 40x error? If they are requests for exes, those might be attempts to download secondary packages to machines that are already infected.
I am not saying that the top referring hosts are all malware driven. But if you are looking for adware infected hosts, these are the first ones to examine. It takes time to figure out what is going on. One way to check is to see if those urls in the get requests are present in urlquery.net
Reaching to host level in my clients place is very difficult. After long time I did get access to 3 different hosts from which hits were found to this domain. Checked startup, processes, registry, prefetch and few other things, did not get any similarity between hosts which is causing this issue. Found CLARO search and SEARCH CONDUCT like bed reputation toolbars. Did not able get anything specific file.
I had discussion with my client management; they wanted to stop this from host level and contacted their AV vendor Symantec. I provided them all PCAPs and analysis on the domain, now they come up saying the site itself is legit one and no infections found from the machines which I and my client won’t agree on it because the site itself is having very poor reputation score and from PCAP data it’s not at all looking legit.
Symantec Conclusion:
Traffic is being redirected to a legitimate advertisement website via a toolbar which is installed voluntarily after agreeing to its terms and conditions. While few tools might consider that toolbar as a threat, Symantec does not. However, we give customers the flexibility for the customer to configure the product to comply with their own security policy.
Could you please help me out on this, most of them are ad-ware and advertisement domains which it redirects.
Symantec couldn't find anything malicious?? Color me shocked.
The fact that you found malicious toolbars means you found the culprit. Here is a post on how to remove the CLARO search virus:
And as far as the end user agreeing to accept the installation, that's not likely true either. Most of the clickware fraud we see in a sandbox gets installed without user intervention using signed certs from Microsoft and Verisign. I'd say you did a great job finding high redirect hosts and have identified at least a couple of malicious toolbars that causes the redirection.
This does say something about the endpoints- they are likely insecure with older java clients, unpatched browsers, or outdated versions of Adobe reader. The simplest disinfectant would be reimage the machines- manual disinfection could be tedious and will not patch the underlying weaknesses. If the client customer doesn't think this is a threat, let him know that he is making malware authors rich by allowing referral cash to flow freely to them.
Thanks for understanding my concern.
Here the incident management is not that much actively developed and on average there were 8000 hits per day. There would be chances of getting 500 machines which is trying to reach the domain. On this case if I recommend re-image that won’t work effectively. And this annoying domain is not giving any specific file which I can remove from every host.
On this critical situation what should I suggest kindly advise me.
Either firewall or proxy-block the ad sites. Also, look for any referers that contain buscaid and okaysearch. I'm seeing those referals as primary drivers of adware.
Couple of ideas:
I tend to apply the last method. tshark + regular expressions can be very powerful and with the REST-API you can very easily automate the process.