Real Time Host Discovery

As you may have noticed, we gather quite a bit of information about the hosts running on your network, such as OS type, DNS, HTTP agents, etc. This information is available on the assets report or as a mouse-over when you hover over any of the hosts in the HOME_NET. Unfortunately, some of this host information changes very rapidly and is hard to correlate with specific events. For example, a single host may be using many agents, or a proxy may show many OS types. DHCP information will also show that the same IP may have had multiple MAC addresses.

For this reason we added the latest host information to the BotHunter, Tracker and Network Antivirus reports, to tell you what specific host information was available precisely at the time of the incident. We are still looking for other improvements; if you have any suggestions, please do not hesitate to send us email at support@metaflows.com.

New Adaptive IPS

The MetaFlows research team has put together a new feature for customers that are interested in using our IPS system, but desire a more automated approach to determining which events to block.

One of the major benefits of the MetaFlows system is our ability to anonymously correlate event data across all customer domains, giving us a very powerful tool for finding the worst threats, eliminating false positives, and elevating the priority of certain events that are discovered. We are now able to use this global knowledge base to effectively rank the priority of the IDS signatures that are currently deployed for all of our sensors and provide an option to automatically block any events that match a particular priority level.

This priority list is dynamic; it updates continuously to keep up with the changing landscape of threats that are discovered. This allows our system to adapt quickly: adding or changing the priority for new rule releases (our IDS rules update on a 24 hour cycle), rule changes and re-emerging malware, and quickly dropping rules that are potential false positives.

Not all of the rules in the set are part of this list; only the ones for which we have real evidence of a reputation for true positive hits are added. We are able to isolate these rules by matching up events across domains that have already been seen as trigger events in our behavioral correlation system. In effect, the rules on the priority list have been correlated twice: first at the session level within customer domains, where the individual sensor flags them as high risk alerts, and then again at the global level to produce a list that can be used for IPS with the highest confidence.

The priority list is further broken down into five categories. The first category, highest priority, contains only the worst of the worst threats, and will offer protection against the major bot and malware infections that we are seeing globally in near real time.


As the categories increase in rank, the threats they stop decrease in severity so that by category 5 most of the rules are related to adware or riskware infections. The user has the freedom to decide which priority level they would like to use for automating the IPS, and they can change this level at any time. It is also important to note that the user can still create their own IPS rules, which these categories supplement, or if they wish to enable or disable any of the priority rules they are free to do so. Our system, as always, aims to be as flexible and adaptable to the user’s needs as possible.

You can enable the IPS rules by choosing your Threat Level from the sensor configuration, saving the rules and restarting the sensor.

If you have the box Block Communications in Passive Mode checked, the rules will actually start protecting your network right away and self-update daily.

If you do not have Block Communications in Passive Mode enabled, you can still enable the IPS rules and see what they would have blocked by looking for the blocking reports called mssBlock. For example, you can enter mssBlock in the search bar to see the last day’s block reports.

Here is an example of the current sid_priority.map:

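The selection logic described above (a chosen Threat Level, five priority categories, per-rule user overrides) as an added example in Python; this is not MetaFlows code. It assumes the map format shown on this page, `sid,"message",priority`, and assumes that choosing level N blocks every rule of priority N or better (1 being the worst threats); the sample lines are a handful of entries copied from the page's listing.

```python
"""Parse a sid_priority.map and pick the SIDs an adaptive IPS would block.

Added example, not MetaFlows code. Format assumed from the page's listing:
    <sid>,"<rule message>",<priority>
Priority 1 is the highest (worst threats); 5 is mostly adware/riskware.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# A handful of entries copied from the page's listing (not the full map).
SAMPLE_MAP = '''2018098,"ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon",1
2405032,"ET DROP Known Bot C&C Traffic TCP group 17 - BLOCKING SOURCE",1
2018610,"ET TROJAN Likely CryptoWall .onion Proxy domain in SNI",2
2013170,"ET POLICY HTTP Request to a *.cu.cc domain",2
2013497,"ET TROJAN MS Terminal Server User A Login, possible Morto inbound",3
2013031,"ET POLICY Python-urllib/ Suspicious User Agent",4
2014122,"ET MALWARE W32/OpenCandy Adware Checkin",5
'''


@dataclass(frozen=True)
class PriorityRule:
    sid: int
    msg: str
    priority: int


def parse_sid_priority_map(text):
    """Parse map lines into PriorityRule objects, skipping blank or malformed lines.

    The message field is quoted and may itself contain commas (see the Morto
    rule above), so a CSV reader is used rather than str.split(",").
    """
    rules = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # blank line or malformed record
        sid, msg, prio = row
        try:
            rules.append(PriorityRule(int(sid), msg.strip(), int(prio)))
        except ValueError:
            continue  # non-numeric sid or priority
    return rules


def priority_histogram(rules):
    """Number of rules in each of the five categories, e.g. {1: 2, 2: 2, ...}."""
    return dict(Counter(r.priority for r in rules))


def select_block_sids(rules, threat_level, disabled=frozenset(), enabled=frozenset()):
    """Return the set of SIDs to block for a chosen Threat Level (1..5).

    Assumption: choosing level N blocks every rule with priority <= N, so level 1
    blocks only the worst threats and level 5 blocks everything on the map.
    Per-rule user overrides are applied last: `disabled` removes SIDs from the
    block set, `enabled` adds SIDs that are on the map but below the chosen level.
    """
    if not 1 <= threat_level <= 5:
        raise ValueError("threat level must be between 1 and 5")
    on_map = {r.sid for r in rules}
    chosen = {r.sid for r in rules if r.priority <= threat_level}
    return (chosen - set(disabled)) | (on_map & set(enabled))


def would_have_blocked(event_sids, block_sids):
    """Passive-mode view: which observed event SIDs the IPS would have blocked."""
    return [sid for sid in event_sids if sid in block_sids]


if __name__ == "__main__":
    rules = parse_sid_priority_map(SAMPLE_MAP)
    print("rules per category:", priority_histogram(rules))
    for level in (1, 2, 5):
        print(f"threat level {level} blocks {sorted(select_block_sids(rules, level))}")
```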

Cloud-Based Sandboxing

Cloud-based Sandboxing refers to the ability of network security devices such as firewalls to:

  1. Query a database to see if some content traversing the network exhibits a known signature.
  2. Upload unknown suspicious content up to the sand-boxing cloud to see if it misbehaves.

The devil is in the details.

How frequently is the cloud updated?

Most vendors do not like to share; they all create their own repository of signatures. If you want evidence of how poorly this works, submit a bad piece of Malware to Virus Total. You would be lucky to see more than 3 or 4 out of 54 vendors having a pre-existing signature. So, when a vendor tries to sell you their cloud-based sandbox for top dollar, ask yourself: “Do I really want to pay for 1/54 of what I could get if I signed up with a signature sharing service such as Virus Total?” I would not.

Is this really a Sandbox or more like an autopsy?


Some vendors will try to sell you a Cloud-based sandbox for $1000s/year; but if you read the fine print, it will actually say that the processing time is 2 hours or more. This means that if you received an unknown email attachment, you would not know what to do with it for 2 hours or more. Some sand-boxing services are better and would give you an answer within minutes. So be careful what you sign up for.

How is MetaFlows Better?

For starters, we use Virus Total, so when checking for a content signature you are using ALL Antivirus systems at once: all 54, not 1.

Why would you rely on one vendor’s database?


Recently, we started our own cloud-based, sand-boxing service. The rationale is that it complements the signature checking system when something is brand new and nobody in the world has seen it before (not even Virus Total!). A best-effort sand-boxing service comes standard with our appliances. Typically the sand-box can execute a sample anywhere from 90 seconds to 10 minutes or so (not 2 hours!). Our customers do not pay for this, because we feed this information back into the community through Virus Total. If we find a new bad email attachment, we notify our customer and block it; but we also help the community by letting the rest of the world know about it (we like sharing).

A paid service guarantees execution within 120 seconds, and an on-site, sand-boxing appliance can reduce the time even further to approximately 30-60 seconds. When you pay for these services, we let you decide whether you want to share or not; we hope you will share, but it is up to you.

Mine for Syslog

Just about any device in your network generates syslog events. That is why we now mine all syslog messages appearing in your network, whether or not you know of their existence.

The software should now be able to understand just about any type of syslog format (while we continue to refine our parsing). If we do not understand it, we still provide it to you as a generic “unix” type. We set up a default minimum syslog priority of 4 (Warning) that can be customized to adjust the verbosity of the reporting to your preference. Most sites would want to stay at 4; otherwise it is like a fire-hose in most cases.

We are now collecting enough syslog data to also start correlating it with other types of events (IDS, Service Discovery, User Discovery, File Carving, NetFlow, etc.) in the cloud. This is a very tall order, since syslog data is usually quite bland and verbose. There might be some needles in there, but we will definitely need to use our COR language to find them. Let us know if you have a good heuristic; we will be glad to test it.

For now, besides providing a simple audit-trail, the syslog messages can also be used for trend analysis and to somewhat reinforce what the other parts of our multifunctional system are saying. So, even though they do not provide a smoking gun, they are nice to have around.

Got Beacons?

Suppose you are a Malware designer and need to devise a mechanism to (1) find out which compromised zombies are available and (2) routinely provide some feedback, perhaps relaying keystrokes, credit card numbers, and other valuable goodies like this.

A simple solution is to have your Malware send small, infrequent messages back to your mother-ship, masquerading the messages as some main-stream protocol like https or dns.

Well, that’s a beacon! If the Malware designers were to add some randomness to their communication, it would make the detection of beacons nearly impossible; but adding randomness also makes the management of possibly thousands of Zombies much harder. So Beacons are usually very regular, and that regularity makes them relatively easy to detect using high-school math.

Some Beacons are good. Did you know that Apple routinely gets beacons from all your i-devices? Probably not, because they are a vehicle for providing useful services (like where the phone is located, how fast it is travelling down the highway, etc.).

Some Beacons are very, very bad, and you should try to detect them. If you don’t, you are letting the bad guy get away with it and steal your data.
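The "high-school math" detection the post alludes to, as an added example in Python (not MetaFlows code): group connections by source, destination and port, compute the inter-arrival times, and flag a flow whose coefficient of variation (standard deviation divided by mean) is small. The connection records are constructed for the example; the thresholds `min_count` and `max_cv` are the example's own tuning knobs.

```python
"""Flag beacon-like flows by the regularity of their inter-arrival times.

Added example, not MetaFlows code. A beacon checks in on a fixed schedule, so
the gaps between its connections have a low coefficient of variation
(stdev / mean). Randomised schedules, as the post notes, defeat this test.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev


def _stamps_from_gaps(start, gaps):
    """Build absolute timestamps from a start time and a list of gaps."""
    return list(accumulate(gaps, initial=start))


# Gap sequences for the constructed flows (seconds between connections).
REGULAR_GAPS = [300] * 11                                    # strict 5 min beacon
JITTERED_GAPS = [290, 310, 300, 305, 295, 300, 310, 290, 300]  # 5 min +/- 10 s
RANDOMISED_GAPS = [300, 120, 480, 210, 390, 150, 450, 240, 360, 300, 180, 420]
BROWSING_GAPS = [12, 4, 117, 1, 459, 1800, 5]               # human traffic

# Constructed connection log: (epoch seconds, source IP, destination IP, dst port).
CONNECTIONS = (
    [(t, "10.0.0.5", "203.0.113.10", 443) for t in _stamps_from_gaps(0, REGULAR_GAPS)]
    + [(t, "10.0.0.7", "203.0.113.30", 53) for t in _stamps_from_gaps(40, JITTERED_GAPS)]
    + [(t, "10.0.0.8", "203.0.113.40", 443) for t in _stamps_from_gaps(10, RANDOMISED_GAPS)]
    + [(t, "10.0.0.9", "198.51.100.20", 443) for t in _stamps_from_gaps(7, BROWSING_GAPS)]
)


def inter_arrival_times(timestamps):
    """Gaps between consecutive connections, in the order they occurred."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def regularity(intervals):
    """Coefficient of variation of the gaps: 0.0 for a perfectly periodic flow.

    Returns None when there are too few gaps to measure, or when the mean gap
    is zero (duplicate timestamps, not a periodic signal).
    """
    if len(intervals) < 2:
        return None
    avg = mean(intervals)
    if avg <= 0:
        return None
    return pstdev(intervals) / avg


def find_beacons(connections, min_count=6, max_cv=0.15):
    """Return {(src, dst, port): (count, period_seconds, cv)} for beacon-like flows.

    min_count: connections needed before regularity means anything.
    max_cv:    tolerated jitter; a randomised schedule pushes cv well above it.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in connections:
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_count:
            continue
        gaps = inter_arrival_times(stamps)
        cv = regularity(gaps)
        if cv is not None and cv <= max_cv:
            beacons[key] = (len(stamps), mean(gaps), cv)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (n, period, cv) in find_beacons(CONNECTIONS).items():
        print(f"{src} -> {dst}:{port}  {n} check-ins, period {period:.0f}s, cv {cv:.3f}")
```

Only the strict and the lightly jittered flows are reported; the randomised schedule has the same mean period but a coefficient of variation near 0.39, which is exactly the evasion the post describes.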

Collaborate with An Audit Log


The MetaFlows Security System allows organizations to grant access to multiple users for online collaboration in sharing sensor data and intelligence. This is a big advantage because it helps distribute workloads across departments and across the different levels of the incident response process. One issue customers brought up was the inability to know who took what action, and at what time. This is why we added the Account Audit Log feature. You can find it under Account -> Account Audit Log. With this new Audit Log, you can track most account actions, including:

  • Changes to contact information and subscription
  • All account access
  • Sensor restarts
  • Creating, changing, or deleting:
    • Sensors
    • Classifications
    • Snort Rules
    • Report Specifications

For every logged action, we track the user, time, and IP address from which these actions originated. We also provide extra details if available.

New Packet Logging and File Carving


Being able to go back and look at the payloads or files transmitted on a network is extremely useful for several reasons:

  1. If you do not have the payload, you cannot really prove malicious intent, and legally you are on the hook.
  2. Payloads/Files are the ultimate forensic tool for deciding whether a particular incident is a false positive or a true positive.
  3. In more advanced systems, payloads can also be used to find false negatives (things that should have caused a security event but did not).

Obviously, logging all data traversing a network is challenging because disk space is limited and disks are relatively slow.

The MetaFlows Security System Logging Approach

Our overall approach to overcoming these logging limitations is:

  • We store Payloads/Files that are associated with a specific security alert (using the time and the source/destination addresses and ports for identification).
  • When logging proactively (to also see Payloads/Files that do not involve a security alert), we keep the disk at 90% utilization or below a certain number of Gigabytes by deleting the oldest logs.

This scheme gives you certainty of access if there is an incident and a time window to go back in time to look for certain things that might have been overlooked.

Recent Improvements

The Logging and File carving system has been vastly improved by the following:

  1. We now index the packets based on IP addresses using a proprietary approach. Instead of looking for particular packets in one big bucket full of files, the files are divided into smaller buckets, each representing a subset of the addresses. This indexing scheme slows down packet logging a bit but makes looking for packets about 200 times faster!
  2. We added the ability to specify user-defined logging policies. Once a policy hits, the logging system prioritizes all packets for the matching policy and stores the Files/payloads in a separate high-priority repository which takes precedence over the normal logging. We will make a separate announcement on the policy specification because it is quite powerful and complex, and requires a dedicated post. For now, the only logging policy is to prioritize any packets involved in high priority events. In the future, users will be able to customize more precise ad-hoc policies based on IP addresses, ports, and type of alerts.

The new carving system is backward compatible and automatically converts the existing packet logs stored on the sensor hard drive to the new indexing scheme. This process can take from a few minutes to days depending on your disk size. While this conversion takes place, queries on older logs may not return any data.

Quick Search

November 25 2013. We added a search input field on the top left to quickly find events that interest you. Simply separate multiple search strings with a space. For example, bittorrent inbound would search for all events containing the words bittorrent and inbound. You can also specify partial or fully specified IP addresses like 192.168.1. or 192.168.1.1 as part of the query to look for specific IPs.

Better Logging

November 8 2013. Snort now logs in unified2 format which should give better logging of the offending packets. When a packet query comes in, the sensor automatically translates unified2 to pcap and then searches for your data.

Got Torrents?

September 26 2013. We now log all Bittorrent uploads and downloads (including the ones initiated using magnet links). Additionally, we have added a menu item called Files to the historical menu to make searching for all file transfers a bit easier. You can create classifications to easily find or email torrent transfers using a regex match on the Log Events field; just look for “torrent”.