01-10-2018 07:07 AM
In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.
From what I have read these signatures were created by WildFire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?
01-10-2018 02:28 PM
I would look to Google for more info on those topics. However, because ads are sometimes redirected 50 ways to Sunday, we block the category since they are more of a nuisance and/or threat than anything else.
01-12-2018 01:37 PM
We're seeing the same traffic. Hits on VT are mostly for adware, and a few for Trojan, but no IOC details are available. The sites users are visiting do not appear to be consistent either. We don't have PCAP available for this signature traffic as this signature is MEDIUM.
Any updates from PAN?
01-22-2018 01:15 PM
I was going to open a ticket but thought that I should have PCAPs first ... go figure, the traffic isn't happening anymore or the signatures are not being tripped. One or the other; either way the symptoms are gone and the systems/traffic are coming out as clean by multiple systems now.
02-06-2018 03:51 AM
We opened a ticket @ PAN.
The URL ad.afy11.net is used by advertising providers; the clients which hit the URL are clean. (@DIRTT already mentioned this.)
The two threat IDs are disabled because of false-positive hits.
"The signature TID 192442683 has been disabled starting from 01/20/2018, therefore it should not be triggered once the customer updates the AV database to the latest version."
It seems that there are currently many changes to C2C / ad traffic and most of them are false positives (in our case).
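The check the posters did by hand (same advertising URL in every alert, many different clean clients, no other destinations) can be scripted so it runs over an alert export before a ticket is opened. The following is an added example, not code from this thread or from Palo Alto Networks. It assumes a simplified CSV export with the columns timestamp, src, dst, threat_id, threat_name, url (not the real PAN-OS threat-log layout), a constructed set of sample alert lines using the threat IDs and domain named in the thread plus one hypothetical threat ID, and a constructed allowlist of known advertising hosts.

```python
"""Triage helper for 'C2 traffic' alerts that all point at one advertising host.

Added example with constructed data. The CSV column layout is an assumption and
does not reproduce the real PAN-OS threat-log format.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The two numeric threat IDs and ad.afy11.net come
# from the thread; HYPOTHETICAL-ID and all IP addresses are made up.
SAMPLE_LOG = """timestamp,src,dst,threat_id,threat_name,url
2018-01-10T07:01:00,10.0.1.15,203.0.113.10,192730665,berbew.jb C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=AAAA
2018-01-10T07:02:10,10.0.1.22,203.0.113.10,192730665,berbew.jb C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=BBBB
2018-01-10T07:02:55,10.0.1.40,203.0.113.10,192730665,berbew.jb C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=DDDD
2018-01-10T07:03:25,10.0.1.37,203.0.113.10,192442683,dynamer.bayo C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=CCCC
2018-01-10T07:04:40,10.0.1.15,203.0.113.10,192442683,dynamer.bayo C2 traffic,ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=AAAA
2018-01-10T07:05:00,10.0.2.9,198.51.100.7,HYPOTHETICAL-ID,example C2 traffic,198.51.100.7/beacon
2018-01-10T07:06:00,10.0.2.9,198.51.100.7,HYPOTHETICAL-ID,example C2 traffic,198.51.100.7/beacon
"""

# Constructed allowlist: hosts the URL-filtering category already identifies as
# advertising. In practice this would come from the category lookup or a CMDB.
KNOWN_AD_DOMAINS = {"ad.afy11.net"}

FP_CANDIDATE = "false-positive candidate"
INVESTIGATE = "investigate"


def host_of(url: str) -> str:
    """Return the host part of a scheme-less URL as logged by the firewall."""
    # urlsplit only recognises the netloc when a scheme is present.
    return urlsplit("http://" + url).hostname or ""


def summarize(log_text: str) -> dict:
    """Group alerts by threat ID, collecting hit count, sources and destination hosts."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "hosts": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        group = groups[row["threat_id"]]
        group["hits"] += 1
        group["sources"].add(row["src"])
        group["hosts"].add(host_of(row["url"]))
    return groups


def triage(log_text: str, ad_domains: set, min_sources: int = 2) -> dict:
    """Flag threat IDs whose every hit goes to a known advertising host from
    several distinct clients: the pattern that looked like a false positive
    in the thread. Everything else stays marked for investigation."""
    results = {}
    for tid, group in summarize(log_text).items():
        only_ad_hosts = group["hosts"] <= ad_domains
        broad = len(group["sources"]) >= min_sources
        results[tid] = {
            "hits": group["hits"],
            "distinct_sources": len(group["sources"]),
            "hosts": sorted(group["hosts"]),
            "verdict": FP_CANDIDATE if only_ad_hosts and broad else INVESTIGATE,
        }
    return results


if __name__ == "__main__":
    for tid, info in triage(SAMPLE_LOG, KNOWN_AD_DOMAINS).items():
        print(f"{tid}: {info['hits']} hits from {info['distinct_sources']} hosts "
              f"to {info['hosts']} -> {info['verdict']}")
```

A "false-positive candidate" verdict is a reason to pull PCAPs and open the vendor ticket with the grouped evidence attached, not a reason to close the alert; the hypothetical ID, with one client repeatedly reaching a bare IP outside the ad allowlist, stays on the investigate side.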