RSA FirstWatch monitors Sandbox Clusters to identify malware trends to develop detection capabilities for its Enterprise Customers. With new detection capabilities, this space will be used to explain threats and how to detect them.
I was investigating a non-related issue via the Urlquery.Net portal when I spotted an unusual trend- several urls each called for a filename called "logos.gif" followed by a 12 character hex and numeric query. A screenshot of it is below:
Further research describes this activity as the Sality Worm, or as Sophos calls it, the KooKoo worm. You can see writeups here and here.
So I began to wonder if we had seen similar activity in our own malware sandbox. I created a custom query:
filename=logos.gif && query length 12 && query contains '='
And I went back in our timeline and there were certainly some hits. And I also noticed that there was a common malicious user-agent string associated with this activity which is also handy to detect the Sality-KuKu worm. The second rule to detect this activity would mere be:
client contains 'kuku '
Attached to this post is a NetWitness Rule File that can be imported into Security Analytics. Happy Hunting!
