Cisco Support Community

New Member

Cryptowall

Hi,

I am receiving alerts related to the Cryptowall signature, which was newly released. The detections are from internal sources.

I am wondering if this is the same situation as with the BASH vulnerability signature, which was revised due to false positive detections.

12 REPLIES
New Member

I'm seeing 100's of IP's

I'm seeing 100's of IP's being flagged by signature 4777/3, but so far all the systems that have been checked have been found not to have cryptowall. I believe we are seeing false positives.

New Member

I've also seen a few of these

I've also seen a few of these alerts coming in since the new S834 release and found no Cryptowall on the triggering systems either, so these do seem to be false positives. Is it advisable that we disable this signature for the time being, or is there a safer way to fine-tune it to avoid these false positives?

New Member

We're seeing the same thing.

We're seeing the same thing. The traffic that is triggering the alerts is web requests sent to various advertisement sites. The URIs seem to match the pattern in the signature, although they look non-malicious.

New Member

We are seeing this today too.

We are seeing this today too. A few do seem to go to ad sites; others do not. Computers scanned with the latest Malwarebytes and Symantec show up clean.

New Member

Same here, hundreds of web

Same here, hundreds of web requests getting flagged as if we're attacking these sites, but all the packets are my clients requesting from them. There are alphanumeric strings that seem to match the signature of an attack, but to me they seem to be more of cookie junk. Other times, it's a simple HTML request with nothing that seems like it could match. I get a range of it being well-known websites like National Geographic or Yahoo, to several ad sites. Pretty certain all are false positives.

New Member

Hi, Our IPS shows this alert

Hi,
Our IPS shows this alert too.
Victim from LAN sends HTTP GET request to different advertisement sites.
This looks like FP but I found some recent threads/posts/blogs about "Malvertising" campaign created to "infect unsuspecting visitors with CryptoWall 2.0 ransomware on sites such as Yahoo, The Atlantic and AOL":
1. http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
2. http://forums.cnet.com/7723-6132_102-629128/malvertising-campaign-on-yahoo-aol-triggers-cryptowall/
3. http://threatpost.com/malvertising-campaign-on-yahoo-aol-triggers-cryptowall-infections/108987
Etc.
Therefore, the behavior of the victim seems suspicious.

New Member

Ours began tripping and

Ours began tripping and showing the 4777/3 as well at around 10:50 EST on 11/10.

The same thing is happening

The same thing is happening on our IPS; it is detecting traffic coming from our IronPort Web Filter, which has apparently been attacking random sites since the 10th of November.

Any news from Cisco in regards to this being a false positive, as there are a few people in our organisation getting excited about this?

New Member

Update your signatures, the

Update your signatures; the new signature is written to take into account the actual known C&C sites. It was updated last night, it seems, and I am no longer getting a flood.

New Member

Ours stopped as well.  I

Ours stopped as well. I guess 834 started it and 835 stopped it.

Thanks Guys Ours has stopped

Thanks Guys

Ours has stopped now after the signatures were updated.

New Member

Odd that everyone is saying

Odd that everyone is saying that these are false positives. Our IPS alerted about a number of hosts, and an AV scan found Cryptowall on all of the hosts that IPS had reported. Further analysis discovered that the malware was being served from the ads on trusted sites. The advertisements exploited a vulnerability in Flash Player and injected itself into the iexplorer process without any interaction from the user. Our AV did not detect the initial injection as it does not have heuristics. I have not received any alerts since the signature was updated; I hope that it is still doing its job.
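As a triage aid for a burst like the one described in this thread (many internal hosts flagged on 4777/3, most of the hits going to ad sites, but the last reply finding real infections behind the same alerts), here is an added Python example that is not from the thread or from Cisco. It assumes a simplified CSV alert export and a list of known ad hosts, both constructed for the example, and ranks source hosts so that those with non-ad destinations are scanned first rather than dismissed as false positives.

```python
"""Triage a burst of IPS hits on one signature (4777/3 in the thread).
Added example, not from the thread or from Cisco. Alert lines are a constructed,
simplified CSV (ts, sig_id, subsig, source, dest_host, uri), not the real IPS
event format; the ad-host list is an assumption."""
from collections import defaultdict

SIG_ID, SUBSIG = 4777, 3
AD_HOSTS = {"ads.example-adnet.com", "cdn.example-ads.net"}  # assumed list

SAMPLE_ALERTS = """\
2014-11-10T10:50:01,4777,3,10.1.2.3,ads.example-adnet.com,/serve?id=abc123XYZ
2014-11-10T10:50:05,4777,3,10.1.2.3,cdn.example-ads.net,/px/9f8e7d6c
2014-11-10T10:51:12,4777,3,10.1.2.9,cdn.example-ads.net,/px/1a2b3c4d
2014-11-10T10:52:30,4777,3,10.1.2.9,unknown-host.example,/img/1.php?x=Zk8xZmQ
2014-11-10T10:53:44,4777,3,10.1.2.20,www.example-news.org,/story/42
2014-11-10T10:54:10,1234,0,10.1.2.3,203.0.113.5,/
"""

def parse_alerts(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(",", 5)
        if len(parts) == 6:
            ts, sig, sub, src, dst, uri = parts
            yield {"ts": ts, "sig": int(sig), "sub": int(sub),
                   "src": src, "dst": dst, "uri": uri}

def triage(text, sig_id=SIG_ID, subsig=SUBSIG, ad_hosts=AD_HOSTS):
    """Return [(src, hits, ad_dests, other_dests)], most urgent first.

    Hosts whose hits all go to known ad networks match the false-positive
    pattern in the thread; hosts with non-ad destinations are scanned first,
    because the last poster found real infections behind the same alerts.
    """
    by_src = defaultdict(lambda: {"hits": 0, "ad": set(), "other": set()})
    for a in parse_alerts(text):
        if (a["sig"], a["sub"]) != (sig_id, subsig):
            continue  # ignore unrelated signatures in the same feed
        rec = by_src[a["src"]]
        rec["hits"] += 1
        (rec["ad"] if a["dst"] in ad_hosts else rec["other"]).add(a["dst"])
    rows = [(s, r["hits"], sorted(r["ad"]), sorted(r["other"]))
            for s, r in by_src.items()]
    return sorted(rows, key=lambda row: (-len(row[3]), -row[1], row[0]))

if __name__ == "__main__":
    for src, hits, ad, other in triage(SAMPLE_ALERTS):
        verdict = "scan first" if other else "ad traffic only, likely FP"
        print(f"{src}: {hits} hits, ad={ad}, other={other} -> {verdict}")
```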
