Command & Control or Just Ads?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Command & Control or Just Ads?

L2 Linker

In the last few days I have seen alerts for berbew.jb C2 traffic(192730665) and dynamer.bayo C2 traffic(192442683).  The odd thing here is that in the alert the same url is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising.  I have checked the system with multiple AV products and it comes back clean.  

 

From what I have read these signatures were created by wildfire.  Perhaps there is a false positive here?  Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?

 

bayo.PNGberbew.PNG

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

I would look to google for more info on those topics. However because AD's are sometimes redirected 50 ways to Sunday, we block the category since they are more of a nusance and/or threat than anything else.

 

Regards,

L7 Applicator

Open a case with Palo Alto Networks Support to analyze whether these are FP's.

If these are indeed Ads and not Malware, then the signatures should be disabled.

L0 Member

We're seeing the same traffic. Hits on VT are mostly for adware, and few for Trojan but no IOC details are available. Sites users are visiting does not appear to be consistent either. We don't have PCAP available for this signature traffic as this signature if MEDIUM. 

 

Any updates from PAN? 

I was going to open a ticket but thought that I should have PCAPs first ... go figure the traffic isn't happening anymore or the signatures are not being tripped.  One or the other, either way the symptoms are gone and the systems/traffic is coming out as clean by multiple systems now.

L1 Bithead

We opened a ticket @ PAN

 

The URL ad.afy11.net is used by advertising providers, the clients which hit the URL are clean. (@DIRTT already mentioned this) 

 

Feedback:

The two threads IDs are disabled because of false-positive hits.

 

"The signature TID 192442683 has been disabled starting from 01/20/2018 therefor it should not be triggered once the customer updates AV database to the latest version."

 

It seems that are currently many changes to C2C / ad traffic and most of them are false-positives (in our case).

  • 7624 Views
  • 5 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!