Command & Control or Just Ads?

L2 Linker

In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX), and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.

From what I have read these signatures were created by WildFire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?

(Attachments: bayo.PNG, berbew.PNG)
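The symptom described in the post above (one advertising URL tripping two different C2 signatures on hosts that scan clean) is the kind of pattern worth checking across the whole threat log before opening a support case. The script below is an added example, not code from the original post or from Palo Alto Networks: it parses a constructed, simplified CSV layout (time, source IP, destination IP, threat ID, threat name, URL; this is not the real PAN-OS threat-log field order), groups hits by host, and flags hosts where several distinct C2 signatures fire or where the host is on an assumed allow-list of known ad infrastructure. The verdict is only a triage hint; a sandbox detonation or a vendor case is still needed to confirm a false positive.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified CSV layout:
# time, src_ip, dst_ip, threat_id, threat_name, url
# This is NOT the real PAN-OS threat-log field order; it only carries the
# fields the triage below needs. The two real threat IDs from the post are
# reused; the fourth line (threat ID 900000001, c2.example.invalid) is made up.
SAMPLE_LOG = """\
2018/01/18 10:02:11,10.1.5.23,203.0.113.10,192730665,berbew.jb C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=REDACTED
2018/01/18 10:02:14,10.1.5.23,203.0.113.10,192442683,dynamer.bayo C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=REDACTED
2018/01/18 11:17:40,10.1.7.88,203.0.113.10,192730665,berbew.jb C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=REDACTED
2018/01/18 12:45:03,10.1.9.4,198.51.100.77,900000001,example.fam C2 traffic,c2.example.invalid/gate.php
"""

# Assumed allow-list of hosts the analyst already knows to be ad infrastructure.
KNOWN_AD_DOMAINS = {"ad.afy11.net"}


def host_of(url):
    # Threat logs usually store the URL without a scheme; prepend "//" so
    # urlsplit() treats the first component as the network location.
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def parse_threat_log(text):
    """Parse the simplified CSV layout into a list of dicts, skipping malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 6:
            continue  # do not let one bad line abort the whole triage
        t, src, dst, tid, name, url = rec
        rows.append({"time": t, "src": src, "dst": dst,
                     "tid": tid, "name": name, "url": url})
    return rows


def triage(rows):
    """Group hits by host and flag likely false positives for a support case."""
    by_host = defaultdict(lambda: {"tids": set(), "srcs": set(), "hits": 0})
    for r in rows:
        entry = by_host[host_of(r["url"])]
        entry["tids"].add(r["tid"])
        entry["srcs"].add(r["src"])
        entry["hits"] += 1

    report = {}
    for host, e in by_host.items():
        reasons = []
        if host in KNOWN_AD_DOMAINS:
            reasons.append("host is known ad infrastructure")
        if len(e["tids"]) > 1:
            # Several unrelated malware-family signatures on one generic ad
            # URL is a classic FP signal (each signature matched a different
            # incidental string in the same response).
            reasons.append("%d distinct C2 signatures fired on one host" % len(e["tids"]))
        report[host] = {
            "hits": e["hits"],
            "threat_ids": sorted(e["tids"]),
            "sources": sorted(e["srcs"]),
            "verdict": "likely false positive, open support case" if reasons else "investigate host",
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for host, info in triage(parse_threat_log(SAMPLE_LOG)).items():
        print(host, info["verdict"], info["threat_ids"], "; ".join(info["reasons"]))
```

Feed real logs in by exporting the threat log to CSV and mapping its columns onto the six fields above; the grouping logic does not care about the exact field order as long as `parse_threat_log` is adjusted to it.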

L7 Applicator

Re: Command & Control or Just Ads?

Hello,

I would look to Google for more info on those topics. However, because ads are sometimes redirected 50 ways to Sunday, we block the category since they are more of a nuisance and/or threat than anything else.

Regards,

L6 Presenter

Re: Command & Control or Just Ads?

Open a case with Palo Alto Networks Support to analyze whether these are FPs.

If these are indeed Ads and not Malware, then the signatures should be disabled.

L0 Member

Re: Command & Control or Just Ads?

We're seeing the same traffic. Hits on VT are mostly for adware, and a few for Trojan, but no IOC details are available. The sites users are visiting do not appear to be consistent either. We don't have PCAP available for this signature traffic as this signature is MEDIUM.

Any updates from PAN? 

L2 Linker

Re: Command & Control or Just Ads?

I was going to open a ticket but thought that I should have PCAPs first ... go figure, the traffic isn't happening anymore or the signatures are not being tripped. One or the other; either way the symptoms are gone and the systems/traffic are coming out clean on multiple systems now.

L1 Bithead

Re: Command & Control or Just Ads?

We opened a ticket with PAN.

The URL ad.afy11.net is used by advertising providers; the clients that hit the URL are clean (@DIRTT already mentioned this).

Feedback:

The two threat IDs are disabled because of false-positive hits.

"The signature TID 192442683 has been disabled starting from 01/20/2018, therefore it should not be triggered once the customer updates the AV database to the latest version."

It seems that there are currently many changes to C2 / ad traffic, and most of them are false positives (in our case).
