NBC.com Attackers & ArcSight ESM

Detecting compromised hosts affected by Droppers on compromised NBC.com with a correlation engine

I was alerted to the NBC.com compromise by a really proactive colleague via a whitelist. Further digging led me to an excellent dissection written up by Dancho Danchev. This might be a watering hole or just a nice money-making opportunity. Recently journalism websites have been targeted for watering holes; however, money is usually the bigger motive.

How can ArcSight ESM or a similar correlation engine detect whether any of your organization's assets have been affected?

Proxy, DNS and some IPS/IDS and firewall monitoring can report domain names and IPv4 addresses. In most cases both domain name lists and IP address lists are helpful for basic proactive detection.

IPv4 and domain watch list for a Filter, compiled from my colleague, the Dancho Danchev blog and two additional domains I found. Detection Ratio is how many URL scanners in VirusTotal detected any malicious code:

| IPv4 | Domain Name | Detection Ratio | Reference1 | Reference2 |
|---|---|---|---|---|
| 97.79.236.200 | myauditionsite.com | 0/33 | Virus Total Report | |
| 74.53.9.162 | toplineops.com | 2/32 | Virus Total Report | URLQuery.net |
| 66.96.145.104 | beautiesofcanada.com | 2/34 | Virus Total Report | |
| 66.77.124.26 | jaylenosgarage.com | 1/34 | Virus Total Report | |
| 62.75.204.12 | netbridgesolutions.net | 1/34 | Virus Total Report | URLQuery.net |
| 50.63.202.10 | gotina.net | 0/34 | Virus Total Report | URLQuery.net |
| 173.254.28.49 | shutterstars.com | 0/33 | Virus Total Report | URLQuery.net |
| 173.201.92.1 | dedirt.com | 0/33 | Virus Total Report | |
| 173.201.92.1 | madamerufus.com | 0/33 | Virus Total Report | URLQuery.net |
| 173.201.92.1 | electricianfortwayne.info | 2/33 | Virus Total Report | |
| 173.201.92.1 | injurylawyercolumbus.info | 4/33 | Virus Total Report | URLQuery.net |
| 173.201.92.1 | injurylawyercleveland.info | 3/34 | Virus Total Report | |
| | dogsrit.com | 1/33 | Virus Total Report | |
| 68.178.232.100 | spiritualspice.us | 0/34 | Virus Total Report | |
| 68.178.232.100 | herbalstatelegal.com | 1/33 | Virus Total Report | |
| 173.201.92.1 | injurylawyerspringfieldmo.info | 3/33 | Virus Total Report | |
| 173.201.92.1 | injurylawyerindianapolis.info | 4/33 | Virus Total Report | |

A list for Filters and/or Active Lists to help verify infection or issue: redirection or secondary related information observed after the infected, compromised website is visited and your organization's asset is possibly redirected to further mayhem.

| IPv4 | Domain Name | Reference1 | Reference2 |
|---|---|---|---|
| | instantmoneymethod.net/1105/optin.html | URLQuery.net | Website Screen Shot |
| 173.201.92.1 | bvkdigital.us | URLQuery.net | |
| | methuenedge.com | URLQuery.net | Last Scanned 31/12/12 |
| 72.167.37.11 | divergentinfosoft.com/images/logos.gif?1b761=1012329 | URLQuery.net | |
| 173.201.92.1 | bedbugsbyte.com | Contact | |

The attack is carried through the HTTP protocol.

How to detect via ArcSight ESM

  • Set up your Filter(s) “NBC-Com Suspect Attackers”, which includes both the IP and the Domain Name information
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_IP” if you only have IP address logged data
    • Otherwise, set up your Filter “NBC-Com Suspect Attackers_DN” if you only have Domain Name logged data
  • Open a new Channel with log data from a Firewall, Web Proxy Server, DNS Server or any Connector which contains IPv4 addresses or Domain Names
  • Set the dates of the Channel back to at least 21/02/2013
  • Add Protocol = HTTP and/or Port = 80 as a condition of the Channel
  • Add the Filter(s) as a condition of the Channel
    • Protocol = HTTP and/or Port = 80
    • Filter = “NBC-Com Suspect Attackers”
  • Give the Channel time to load, adjusting the sliding timeline as required for performance and monitoring
  • Investigate hosts communicating with the suspect external actors
    • Assign higher priority to those endpoints which are most critical, communicate the most externally, behave in a strange manner or breach the perimeter.
    • I commonly add these suspect hosts to an Active List to observe as Potentially Compromised Hosts if they are not re-imaged or otherwise cleaned.
    • Use the data to build out a report showing how many compromised assets your department caught that anti-virus or anti-malware could not.
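The same Filter, Channel condition and Active List logic as a small stand-alone script, added here as an illustration rather than anything exported from ArcSight. The watch-list values are a subset of the tables above; the key=value log format, the internal 10.x hosts and every log line are constructed for the example.

```python
"""Toy re-implementation of the channel described above: a watch-list filter
(IP or domain), a Protocol = HTTP and/or Port = 80 condition, and an Active
List of internal hosts ordered by how many suspect indicators they contacted."""
import re
from collections import defaultdict

# Subset of the post's "NBC-Com Suspect Attackers" watch list (IPv4 and domains).
WATCH_IPS = {"97.79.236.200", "74.53.9.162", "173.201.92.1", "68.178.232.100"}
WATCH_DOMAINS = {"myauditionsite.com", "toplineops.com", "bvkdigital.us", "dogsrit.com"}

# Constructed sample log lines (assumed key=value format, not ArcSight CEF).
SAMPLE_LOGS = """\
src=10.1.2.3 dst=97.79.236.200 proto=HTTP dport=80 host=myauditionsite.com
src=10.1.2.3 dst=173.201.92.1 proto=HTTP dport=80 host=bvkdigital.us
src=10.1.2.4 dst=8.8.8.8 proto=DNS dport=53 host=toplineops.com
src=10.1.2.5 dst=74.53.9.162 proto=HTTPS dport=443 host=toplineops.com
src=10.1.2.6 dst=198.51.100.7 proto=HTTP dport=80 host=example.org
src=10.1.2.7 dst=68.178.232.100 proto=TCP dport=80 host=spiritualspice.us
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) host=(\S+)")

def parse_line(line):
    """Parse one constructed log line into an event dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, dst, proto, dport, host = m.groups()
    return {"src": src, "dst": dst, "proto": proto.upper(), "dport": int(dport), "host": host.lower()}

def matches_watch_list(event):
    """The 'NBC-Com Suspect Attackers' Filter: destination IP OR domain name match."""
    return event["dst"] in WATCH_IPS or event["host"] in WATCH_DOMAINS

def channel_condition(event):
    """Channel condition from the post: Protocol = HTTP and/or Port = 80.
    Note that this drops DNS (53) and HTTPS (443) events even when they hit the list."""
    return event["proto"] == "HTTP" or event["dport"] == 80

def build_active_list(log_text):
    """Return {internal host: sorted indicators contacted}, most contacts first
    (the 'Potentially Compromised Hosts' Active List, ordered for prioritisation)."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and channel_condition(ev) and matches_watch_list(ev):
            # Prefer the domain as the indicator; fall back to the IP for IP-only hits.
            contacts[ev["src"]].add(ev["host"] if ev["host"] in WATCH_DOMAINS else ev["dst"])
    return dict(sorted(((h, sorted(c)) for h, c in contacts.items()), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for host, hits in build_active_list(SAMPLE_LOGS).items():
        print(host, hits)
```

The DNS and HTTPS sample lines show why an IP-only filter without the port condition is worth running as a second channel: both contact watch-listed indicators but are excluded by the HTTP/80 condition.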
