In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX), and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.
From what I have read, these signatures were created by WildFire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?