As you'll see from the above link, the Websense File Sandboxing technology extracted an scr file from a zip, detonated it, and, watched the behavior. As has been all too common of late, the malware performed an HTTP Get to Major's domain. Is that his problem? No. His only problem is that he's created a useful tool to identify source IP Addresses via the cli. Some malware authors now leverage this to determine the geolocation of their victims.
HOWEVER, you can certainly leverage his domain as a "Canary in the Coal Mine". Meaning, if a PC is attempting to connect via TCP:80 to 64.182.208.183... it's likely not for activity related to the generation of revenue. At least not your revenue. :-)
Looking for another Leading Indicator? Check your logs for access to the link shown below (within the image in grey towards the bottom). As you'll see, only 1 of 63 Web Security companies are currently detecting a problem with this site. Then, check out this Websense File Sandbox report from early this morning and you'll see why that is an issue.
Contact ESPO Systems if you'd like more information on how you can detect and protect your organization against these attacks.
No comments:
Post a Comment