Detecting Sinkholed Domains in Your Environment

RSAAdmin
2013-12-30 05:56 PM

Over the past 90 days the RSA FirstWatch team has seen over 140 domains produced by a domain generation algorithm (DGA) and associated with a CryptoLocker variant. These domains have been sinkholed, which prevents the ransomware from locking up victim computers. In this case, all of the domains are under the ".co.uk" domain.

[Image: maxresults.JPG.jpg]

 

Rather than providing a list of each of these domains, it is actually easier to detect connection attempts to these hosts, and to all of the others yet to appear, by looking for the unique server banner hosted at the sinkhole site. Here is what a session of this traffic looks like:

[Image: gotserved.JPG.jpg, a session showing the "You got served!" server banner]

See the highlighted "You got served!" server banner? Each of the 140-plus DGA connections had this unique server banner. This makes for a very easy rule to detect beaconing to this particular family of CryptoLocker.

 

You can combine this with another Security Analytics capture rule that looks for the keyword "sinkhole" in a DNS name, which is effective at detecting other sinkholed malicious sites. The combined rule would be:

 

alias.host contains 'sinkhole' || server='You got served!'

Simply call the rule "Sinkholed Domains Warning Banners" and write its alert to your alerts field or SOC Alerts field, or perhaps to risk.warning.

 

In addition, the same capture rule can be used as a custom query to search past data for these specific meta elements, so you may be able to identify earlier connection attempts to sinkholed domains.

 

Hope it works for you, and Happy Hunting!

 

Jan-31-2014 UPDATE!!

 

As a follow-up, we have identified several domains for this CryptoLocker variant that are not sinkholed. Those domains are:


 

Since there may be many more DGA domains that we haven't seen, it would be easier to block the following IP addresses. Those IPs are:


 

The best rule to detect this CryptoLocker variant would be:

 

action=put && filename='<none>' && directory='/home/' && risk.info='http post missing content-type'
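As an added example (not code from the original post), the two rule expressions above, the sinkhole banner rule and the CryptoLocker beacon rule, re-implemented in Python and evaluated over constructed session meta records that use NetWitness key names. The sample sessions and the case-insensitive reading of "contains" are assumptions made for this example.

```python
# Added example, not from the original post: evaluates the two NetWitness
# app-rule expressions against constructed session meta. Keys (alias.host,
# server, action, filename, directory, risk.info) follow NetWitness naming;
# the sample sessions below are constructed, not real captures.

SINKHOLE_RULE = "Sinkholed Domains Warning Banners"
CRYPTOLOCKER_RULE = "CryptoLocker Beacon"

def _values(session, key):
    """Return the meta values for key as a list (NetWitness meta can be multi-valued)."""
    v = session.get(key)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def meta_contains(session, key, needle):
    """'key contains needle': substring match on any value (case-insensitive here, an assumption)."""
    return any(needle.lower() in str(v).lower() for v in _values(session, key))

def meta_equals(session, key, value):
    """'key = value': exact match on any value."""
    return any(str(v) == value for v in _values(session, key))

def is_sinkholed(session):
    # alias.host contains 'sinkhole' || server='You got served!'
    return meta_contains(session, "alias.host", "sinkhole") or meta_equals(session, "server", "You got served!")

def is_cryptolocker_beacon(session):
    # action=put && filename='<none>' && directory='/home/' && risk.info='http post missing content-type'
    return (meta_equals(session, "action", "put")
            and meta_equals(session, "filename", "<none>")
            and meta_equals(session, "directory", "/home/")
            and meta_equals(session, "risk.info", "http post missing content-type"))

def classify(sessions):
    """Return (sessionid, [matched rule names]) for every session that matches at least one rule."""
    hits = []
    for s in sessions:
        matched = [name for name, rule in ((SINKHOLE_RULE, is_sinkholed),
                                           (CRYPTOLOCKER_RULE, is_cryptolocker_beacon)) if rule(s)]
        if matched:
            hits.append((s["sessionid"], matched))
    return hits

SAMPLE_SESSIONS = [  # constructed sample meta
    {"sessionid": 1, "alias.host": "example-dga.co.uk", "server": "You got served!", "action": "get"},
    {"sessionid": 2, "alias.host": "sinkhole.example.net", "server": "nginx"},
    {"sessionid": 3, "alias.host": "example-c2.org", "action": "put", "filename": "<none>",
     "directory": "/home/", "risk.info": ["http post missing content-type"]},
    {"sessionid": 4, "alias.host": "www.example.com", "server": "Apache", "action": "get"},
]

if __name__ == "__main__":
    for sid, rules in classify(SAMPLE_SESSIONS):
        print(f"session {sid}: {', '.join(rules)}")
```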
