In recent days there has been an increase in the number of automated Conficker/malware reports that we have been processing, and the information we have suggests that it is related to a recent drive-by download.
An attack started on the 7th of June which involved compromising third-party websites and directing visitors to the site where the payload was hosted, ww.robint.us/u.js. This domain has since been taken over by Shadowserver, a trusted third party who monitor internet-wide malware infections, and they have directed it to their HTTP sinkholes for analysis. As we track traffic going to the Shadowserver HTTP sinkholes, this has led to an increase in the number of false positives that may be present in our automated Conficker/malware reports.
Below is a short summary of the number of flows we have logged to the Shadowserver HTTP sinkholes in the last 12 complete days; it shows an increase of approximately 40% over the norm from the day the attack started, the 7th of June.
Date        Number of flows to Shadowserver HTTP sinkhole
29th May    2687
30th May    2933
31st May    2561
1st June    3085
2nd June    2906
3rd June    2922
4th June    2789
5th June    2421
6th June    2491
7th June    4311
8th June    4922
9th June    4931
There is therefore an increased probability that flows which we report in our automated Conficker/malware reports are not from infected hosts, but rather from hosts which have visited a compromised website and in turn attempted to download the malware payload, which is now inaccessible because of the Shadowserver takeover of the payload site. It would be advisable to match up the flows in these reports with the HTTP query strings, if they are available in your logs, to filter out some of these false positives; JANET CSIRT are unable to do this as we only record limited IP and some layer 4 details.
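One way to do that matching on your own side, as an added example that is not part of the original notice: given the IPs from a report and your forward-proxy access log, separate the hosts whose only contact with the payload domain was a fetch of /u.js referred from another site (drive-by visitors, likely false positives) from those that still need a look. The log format, the hostname under robint.us and the sample data are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Payload location taken from the notice above (written there as ww.robint.us/u.js);
# matching any host under robint.us is an assumption of this example.
PAYLOAD_DOMAIN = "robint.us"
PAYLOAD_PATH = "/u.js"
# Common Log Format as written by a forward proxy: the request line holds an absolute URL.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_proxy_line(line):
    """Return (client_ip, host, path, referer) for one proxy log line, or None if it does not parse."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return m.group("ip"), (url.hostname or "").lower(), url.path, m.group("referer")

def classify_reported_ips(reported_ips, log_text):
    """Split reported IPs into those explained by the drive-by (only traffic to the payload
    domain was /u.js with a referer from another site) and those still needing investigation."""
    tags = {ip: set() for ip in reported_ips}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec[0] not in tags:
            continue  # unparseable line, or a client that is not in the report
        ip, host, path, referer = rec
        if host == PAYLOAD_DOMAIN or host.endswith("." + PAYLOAD_DOMAIN):
            drive_by = path == PAYLOAD_PATH and referer not in ("", "-")
            tags[ip].add("drive-by" if drive_by else "other")
    likely_false_positive = {ip for ip, t in tags.items() if t == {"drive-by"}}
    # IPs with other traffic to the domain, or with no matching log line at all, stay in the report.
    return likely_false_positive, set(reported_ips) - likely_false_positive

# Constructed sample proxy log and report; neither comes from the original notice.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2010:10:01:02 +0100] "GET http://compromised-site.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jun/2010:10:01:03 +0100] "GET http://www.robint.us/u.js HTTP/1.1" 200 0 "http://compromised-site.test/" "Mozilla/5.0"
10.0.0.7 - - [08/Jun/2010:10:03:30 +0100] "GET http://www.robint.us/u.js HTTP/1.1" 200 0 "http://another-site.test/page" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2010:10:02:11 +0100] "GET http://www.robint.us/search?q=x HTTP/1.1" 404 0 "-" "Mozilla/4.0"
"""
REPORTED_IPS = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.11"]

if __name__ == "__main__":
    false_positives, investigate = classify_reported_ips(REPORTED_IPS, SAMPLE_LOG)
    print("likely drive-by visitors:", sorted(false_positives))  # 10.0.0.5, 10.0.0.7
    print("still need investigation:", sorted(investigate))      # 10.0.0.9, 10.0.0.11
```

A host that fetched /u.js with no referer, or that sent any other request to the domain, is deliberately left in the report rather than discarded.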