In a previous diary[1], I explained why the automatic processing of IOCs (Indicator of Compromise) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5: b55a034d8e4eb4504dfce27c3dfc4ac3)[2]. It is part of a phishing campaign and tries to lure the victim to provide his/her credentials to get access to an Excel sheet. Nothing very dangerous for most people. It padding:5px 10px"> script type=text/javascript !-- document.write(unescape(%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e ... ) //-- /script width:500px" />
Then, it renders the fake Excel sheet with a popup to enter an width:800px" />
The detected URLs are:
- hxxp://i.imgur.com/NcZJkGo.png: The dialog box
- hxxp://i.imgur.com/DS13EYq.png: The fake Excel sheet
imgur.comis a pictureexchange platform and is regularly usedto host such material. But the third request is different and looks totally legit:
- hxxp://tennistonic.com/mod/feedback/_graphics/ajax-loader-bar.gif
This last imageis an animated GIF that displays a loading bar (close to the Starting stringon the picture above).
There exists plenty of versions of this loader bar[3] and attackers like them. Its not unusual to see one on a malicious page to make it look more dynamic. The problem is that automation can categorize the website tennistonic.comas malicious and affect its reputation. If a tool decides to put the URL in alist of IOC padding:5px 10px"> RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?rootshell.be [NC] RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Take care!
[1]https://isc.sans.edu/forums/diary/IOCs+Risks+of+False+Positive+Alerts+Flood+Ahead/21977/
[2]https://www.virustotal.com/en/file/ff9ca701cfe7fdccd7aa60d6368c1adc1c4282c030b05a2790bc9a968e870c13/analysis/
[3]https://www.google.be/search?q=ajax-loader-bar.gif
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key