The same thing is happening

Jhun Banzuela · ‎11-09-2014

Hi,

I am receiving alerts related to Cryptowall signature which was newly release. The detection are from Internal source.

I am wondering if this is also the same with BASH vulnerability signature which was revised due to false positives detection.

bdsmith · ‎11-10-2014

I'm seeing 100's of IP's being flagged by signature 4777/3, but so far all the systems that have been checked have been found not to have cryptowall. I believe we are seeing false positives.

mitchen · ‎11-10-2014

I've also seen a few of these alerts coming in since the new S834 release and found no cryptowall on the triggering systems either so these do seem to be false positives. Is it advisable that we disable this signature for the time being or is there a safer way to fine tune it to avoid these false positives?

ADAM PYNE · ‎11-10-2014

We're seeing the same thing. The traffic that is triggering the alerts are web requests sent to various advertisement sites. The uri's seem to match the pattern in the signature, although they look non-malicious.

Terry S · ‎11-10-2014

We are seeing this today too. A few do seem to go to ad sites...others do not. Computers scanned with the latest Malwarebytes and Symantec show up clean. .

Edward Urban · ‎11-11-2014

Same here, hundreds of web request getting flagged as if we're attacking these sites, but all the packets are my clients requesting from them. There are alphanumeric strings that seem to match the signature of an attack, but to me they seem to be more of cookie junk. Other times, it's a simple html request with nothing that seems like it could match. I get a range of it being well-known websites like National Geographic or Yahoo, to several ad sites. Pretty certain all are false positives.

Vld Fuib · ‎11-10-2014

Hi,
Our IPS shows this alert too.
Victim from LAN sends HTTP GET request to different advertisement sites.
This looks like FP but I found some recent threads/posts/blogs about "Malvertising" campaign created to "infect unsuspecting visitors with CryptoWall 2.0 ransomware on sites such as Yahoo, The Atlantic and AOL":
1. http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
2. http://forums.cnet.com/7723-6132_102-629128/malvertising-campaign-on-yahoo-aol-triggers-cryptowall/
3. http://threatpost.com/malvertising-campaign-on-yahoo-aol-triggers-cryptowall-infections/108987
Etc.
Therefore, behavior of victim seems suspicious.

bradlesw1 · ‎11-11-2014

Ours began tripping and showing the 4777/3 as well at around 10:50 EST on 11/10.

christopher.diakiw · ‎11-11-2014

The same thing is happening on our IPS, it is detecting traffic coming from our IronPort Web Filter which is apparently attacking Random Sites since the 10th of November.

Any news from Cisco in regards to this being a false positive, as there are a few people in our organisation getting excited about this.

Edward Urban · ‎11-12-2014

Update your signatures, the new signature is written to take into account the actual known C&C sites. It was updated last night it seems and I am no longer getting a flood.

bradlesw1 · ‎11-13-2014

Ours stopped as well. I guess 834 started it and 835 stopped it.

christopher.diakiw · ‎11-13-2014

Thanks Guys

Ours has stopped now after the signatures were updated.

ebell · ‎11-14-2014

Odd that everyone is saying that these are false positives. Our IPS alerted about a number of hosts, an AV scan found crytpowall on all of the hosts that IPS has reported. Furthur analysis discovered that the malware was being served from the ads on trusted sites. The advertisements exploited vulnerability in flash player and injected itself into iexplorer process without any interaction from the user. Our AV did not detect the initial injection as it does not have heuristics. I have not received any alerts since the signature was updated, I hope that it is still doing its job.