DESCRIPTION NAME:

Grayware-related User-Agent string in header - HTTP (Request)

 CONFIDENCE LEVEL: HIGH
 SEVERITY INBOUND:
 SEVERITY OUTBOUND:
informational
Niedrig
Mittel
Hoch

 Überblick

This is Trend Micro detection for packets passing through HTTP network protocol that manifests hacking tool actions that can generally crack or break systems and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators and malicious actors may have the same approach in using hacking tools but have different intent. Both wanted to identify possible avenues for intrusion, but for system administrators it is to test the security of the system while malicious actors take advantage of this.

 Technische Details

Attack Phase: Command and Control Communication

Protocol: HTTP

Risk Type: SPYWARE

Threat Type: Grayware

Confidence Level: High

Severity: Low(Outbound)

DDI Default Rule Status: Enable

Event Class: Callback

Event Sub Class: Grayware

Behavior Indicator: Callback

APT Related: NO

 Lösungen

Network Content Correlation Pattern Version: 1.12439.00
Network Content Correlation Pattern Release Date: 21 Jan 2016

Immediate Action

  • If the host exhibiting this kind of network behavior is within the internal network, change all passwords of the host and ensure the use of strong passwords.
  • Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols. Remove any unrecognizable files, software, or services.
  • Update your Trend Micro products and pattern files to the latest version.
  • Scan the host for possible malware detection and to clean any detected items.

Secondary Action

If scanning fails to detect a malware infection:

  1. If possible, disconnect the host from the network to prevent any further communication or malicious activities the malware may attempt.
  2. Run RootkitBuster to check through hidden files, registry entries, processes, drivers, and hooked system services.
  3. Use the Anti-Threat Toolkit (ATTK) tools to collect undetected malware information.
  4. Identify and clean threats with Rescue Disk, specific to suspected threats that are persistent or difficult-to-clean. Rescue Disk allows you to use a CD, DVD, or USB drive to examine your computer without launching Microsoft Windows.
  5. If the host exhibiting this kind of network behavior is in the external network, ensure the following to prevent risk of attacks:
    • Systems are not in default configuration
    • Firewall is enabled
    • Change all passwords of the host and ensure the use of strong passwords. Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols.
    • Firmware of devices, routers, and other hardware are up to date. As well as the hosts and others that are visible to the external network, have their browsers, plugins, and operating systems fully updated with the latest patches.


    Nehmen Sie an unserer Umfrage teil