This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Zeus C&C Server Poses as Google to Evade Detection

RSAAdmin
Beginner
Beginner
‎2013-04-17 04:22 PM

I found something pretty unusual in our sandbox today.  It appeared to be a dead ringer for Zeus-style C&C communications, but the webserver, hosted in Russia, was climing to be www.google.com.  This is what it looked like in Security Analytics:

 

google-evasion2.JPG.jpg

google-evasion3.JPG.jpg

google-evasion4.JPG.jpg

And when I drilled into it, this is the Zeus-style query and response:

google-evasion.JPG.jpg

I looked up the IP address and it has been associated with malware in the past.  But this is the first instance I can recall of a host that is masquerading as someone else to avoid detection.  Remember, the alias.host meta key is only populated by what the destination server claims that it is.  SA does not do any independent DNS lookups on the IP destinations. 

 

The destination IP has been added to our RSA FirstWatch C2 IP feeds available for deployment via Live.

© 2022 RSA Security LLC or its affiliates. All rights reserved.