
CC Activity with Domain Controller as Source

owl06
Hi all,

Yesterday, AlienVault detected command and control communication indicative of Zeus DGA malware under alarm "AlienVault NIDS: ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses". The source was our primary Domain Controller (Windows Server), with the destination of 10.0.8.3 on the employee BYOD network. We were unable to locate the 10.0.8.3 device (it did have a MAC address listed), and another alarm started again around 5am this morning. I'm not 100% sure how to interpret this, but am fairly sure an Android device is involved given the payload. This was occurring over Port: 61724 via UDP.


There has been significant activity for Zeus on AlienVault's Open Threat Exchange over the past 10 days or so.


More details:

SOURCE

(our domain controller) [its IP]

Hostname: (the domain controller)
Location: N/A
MAC Address: 00:0C:29:9E:0D:97
Context: N/A
Port: 53
Asset Groups: HIDS, Servers
Latest update: N/A
Networks: Pvt_010
Username & Domain: N/A
Logged Users: N/A
Asset Value: 3
OTX IP Reputation: No


DESTINATION

Host-10-0-8-3 [10.0.8.3]

Hostname: Host-10-0-8-3
Location: N/A
MAC Address: 20:2D:07:33:56:3C
Context: N/A
Port: 61724
Asset Groups: N/A
Latest update: N/A
Networks: Pvt_010
Username & Domain: N/A
Logged Users: N/A
Asset Value: 2
OTX IP Reputation: No


File: emerging_pro-trojan.rules

Rule: alert udp any 53 -> $HOME_NET any

msg: "ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses"

byte_test: 1,&,128,2

byte_test: 1,&,1,3

byte_test: 1,&,2,3

content: "|00 01 00 00 00 01|"

offset: 4

depth: 6

pcre: "/^..[\x0d-\x20][a-z]{13,32}(?

threshold: type both, track by_dst, count 12, seconds 120

reference: url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html

classtype: trojan-activity

sid: 2018316

rev: 4


PAYLOAD

length = 191


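Added example, not part of the post or of the Emerging Threats rule set: a Python emulation of the rule options quoted above. Because the rule matches UDP traffic from port 53 into $HOME_NET, the host answering DNS (here the domain controller) is the alert's source and the client that received the NXDOMAIN answers is the destination, and the per-destination threshold fires once a client has collected 12 such answers within 120 seconds. The DNS messages and event stream are constructed, the function and class names are my own, and the truncated pcre is implemented only as far as it is visible (a first label of 13 to 32 lowercase letters).

```python
import struct

def matches_et_2018316(dns: bytes) -> bool:
    """Visible options of sid 2018316 applied to a raw DNS message (no UDP/IP headers).
    byte_test 1,&,128,2: QR set (a response); byte_test 1,&,1,3 and 1,&,2,3: RCODE bits
    0b11 set (3 = NXDOMAIN); content |00 01 00 00 00 01| at offset 4: QD=1, AN=0, NS=1;
    pcre [\\x0d-\\x20][a-z]{13,32}: first label is 13..32 lowercase letters (rest is cut off)."""
    if len(dns) < 13 or not dns[2] & 0x80 or dns[3] & 0x03 != 0x03:
        return False
    if dns[4:10] != b"\x00\x01\x00\x00\x00\x01":
        return False
    n, label = dns[12], dns[13:13 + dns[12]]
    return 13 <= n <= 32 and len(label) == n and all(0x61 <= c <= 0x7A for c in label)

class DstThreshold:
    """threshold: type both, track by_dst, count 12, seconds 120: alert once per destination
    when `count` matches fall inside `seconds`, then stay quiet until that window expires."""
    def __init__(self, count: int = 12, seconds: int = 120):
        self.count, self.seconds, self.state = count, seconds, {}
    def observe(self, dst: str, ts: float) -> bool:
        start, hits, fired = self.state.get(dst, (ts, 0, False))
        if ts - start >= self.seconds:              # window expired: start a new one
            start, hits, fired = ts, 0, False
        hits += 1
        alert = hits >= self.count and not fired
        self.state[dst] = (start, hits, fired or alert)
        return alert

def nxdomain_response(qname: str, txid: int = 0x314F) -> bytes:
    """Constructed NXDOMAIN reply: flags 0x8183, QD=1, AN=0, NS=1 (SOA stub), AR=0."""
    labels = qname.split(".")
    header = struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 1, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack(">HH", 1, 1)            # QTYPE A, QCLASS IN
    # Authority: SOA owner as a pointer to the zone label, empty RDATA; nothing above looks here.
    soa = struct.pack(">HHHIH", 0xC000 | (13 + len(labels[0])), 6, 1, 900, 0)
    return header + question + soa

def simulate() -> list:
    """Constructed stream of (ts, dst, message) events; returns (dst, ts) of each alert."""
    th, alerts = DstThreshold(), []
    dga = nxdomain_response("qwmzpxlkjhgfdsab.example")    # 16-letter label: matches
    short = nxdomain_response("printer7.example")           # ordinary typo: no match
    events = [(i * 5.0, "10.0.8.3", dga) for i in range(12)]       # 12 hits in 55 s
    events += [(i * 30.0, "10.0.8.4", dga) for i in range(12)]     # 12 hits over 330 s
    events += [(float(i), "10.0.8.3", short) for i in range(50)]   # noise, never matches
    for ts, dst, msg in sorted(events, key=lambda e: e[0]):
        if matches_et_2018316(msg) and th.observe(dst, ts):
            alerts.append((dst, ts))
    return alerts
```

Running `simulate()` yields a single alert for 10.0.8.3, the client whose 12 DGA-looking NXDOMAIN answers arrived within one window, while the same count spread over 330 seconds for 10.0.8.4 stays below the threshold.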

Best Answer

owl06:
I have also seen an increase in this. Investigation and analysis of the device did not show any indications of malware. Seems to be an OTX signature that needs some tuning.
