This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- The Zeros Netblock Indicator of Compromise
RSAAdmin
Beginner
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2014-05-08
12:27 PM
The 0.0.0.0/8 Network Address Range is an IANA reserved netblock that could be used for internal hosts, just like the 10.0.0.0/8 network is often used on corporate networks. I've been on quite a few corporate networks in my career, and I haven't often seen the Zeros netblock used internally. But we do see this network destination associated with various malware campaigns.
Most recently we have seen a spate of various versions of the "Win32/Fujacks" virus. Once infected, a machine will make specific calls to Command and Control domains which seem to be temporarily parked in the Zeros netblock. Two great writeups on this behavior is located at TotalHash.com here and here. If you look at the domain names, you can see how the current campaign uses various hosts at the nba1001.com domain. Previously the same malware used NS5000wip.com and before that it used nslook00x.com.
One thing they all have in common is a set of public IP addresses and several private IPs in the zeros netblock.
Some APT threat actors have also been known to park domains temporarily in the zeros netblock either between campaigns, or in preparation of a new campaign.
In addition, it appears that some anti-malware groups are sinkholing some domains by pointing them to addresses in the zero space.
But if you are not using the zeros netblock internally, you should likely consider any attempts to communicate with that network as a probable indicator of compromise.
A simple rule in Security Analytics (or even firewalls, IPSes, etc!) to alert on connection attempts to this block is:
ip.dst=0.0.0.0/8 and name the rule "Zeros Netblock IOCs"
Attached is a PCAP showing this Fujacks worm in action. You can see how it attempts to spread to other network hosts, as well as how it beacons out to the nba1001 domains. You can use this PCAP for testing the above rule or for demonstration purposes. All domains listed in the TotalHash reports had previously been added to the FirstWatch C2 domains feeds to assist customers with detection of this threat.
Good luck and Happy Hunting!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- Using NetWitness to Detect Phishing reCAPTCHA Campaign
- Netwitness Platform Integration with Amazon Elastic Kubernetes Service
- Netwitness Platform Integration with MS Azure Sentinel Incidents
- Netwitness Platform Integration with AWS Application Load Balancer Access logs
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- New HotFix: Addresses Kernel Panic After Upgrading to 12.4.1
- Automation with NetWitness: Core and NetWitness APIs
- HYDRA Brute Force
- DDoS using BotNet Use Case
Labels
-
Announcements
64 -
Events
12 -
Features
12 -
Integrations
15 -
Resources
68 -
Tutorials
32 -
Use Cases
31 -
Videos
119
