In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.
From what I have read these signatures were created by WildFire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?
I would look to Google for more info on those topics. However, because ads are sometimes redirected 50 ways to Sunday, we block the category since they are more of a nuisance and/or threat than anything else.
Open a case with Palo Alto Networks Support to analyze whether these are FPs.
If these are indeed Ads and not Malware, then the signatures should be disabled.
We're seeing the same traffic. Hits on VT are mostly for adware and a few for Trojan, but no IOC details are available. The sites users are visiting do not appear to be consistent either. We don't have PCAP available for this signature traffic as this signature is MEDIUM.
Any updates from PAN?
I was going to open a ticket but thought that I should have PCAPs first ... go figure, the traffic isn't happening anymore or the signatures are not being tripped. One or the other; either way the symptoms are gone and the systems/traffic are coming out as clean by multiple systems now.
We opened a ticket @ PAN.
The URL ad.afy11.net is used by advertising providers, the clients which hit the URL are clean. (@DIRTT already mentioned this)
The two threat IDs are disabled because of false-positive hits.
"The signature TID 192442683 has been disabled starting from 01/20/2018 therefore it should not be triggered once the customer updates AV database to the latest version."
It seems that there are currently many changes to C2C / ad traffic and most of them are false positives (in our case).