List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] 2021088 ambiguous message
From:       Noah Dunker <ndunker () riskanalytics ! com>
Date:       2015-06-11 19:24:54
Message-ID: CAGGVDNHyeOF+VxvH+bJw-3oe0VJL3Cg_2+OcKFvsbyUTf1y2nA () mail ! gmail ! com

I didn't mean hold back on analyzing it. I meant "Hold back on changing the
message to 'Kazy variant' because I got confused, spoke too soon, and I
don't really think it's Kazy."  My team doesn't really care what it's
called, but end users might. We saw it come along for the ride with Angler
in this case.

*Noah Dunker*
Director of Security Labs
Office / 913.685.6517
Mobile / 913.259.4447
ndunker@riskanalytics.com


On Thu, Jun 11, 2015 at 1:48 PM, Will Metcalf <
wmetcalf@emergingthreatspro.com> wrote:

> >Searching for the reference MD5 in the SID on TotalHash (why didn't we
> try that first?!) validates the Kazy...
>
> Based on the fact that it was "Unknown Downloader" to begin with, more than
> likely it means that when we wrote the rule it was being dropped by EKs, had
> 0 VT detections, we knew it was evil and wanted to get something out the
> door. So if you are suggesting that we should hold back detection to give
> your analysts a proper name, that's not going to happen. Additionally, if
> your goal is to have a less ambiguous name, I don't think changing the rule
> msg to "Kazy Variant" will accomplish that.
>
> Regards,
>
> Will
>
> On Thu, Jun 11, 2015 at 12:33 PM, Noah Dunker <ndunker@riskanalytics.com>
> wrote:
>
>> http://docs.emergingthreats.net/2021088
>>
>> The last update to this SID changed the message from "Unknown Downloader
>> CnC" to "Win32/Agent.WVW CnC." My team has seen this in the wild and it's
>> clearly a Kazy variant, with ESET Nod32 appearing to be the only vendor
>> that uses the "WVW" name.  I'd posit that Kazy is a much more recognizable
>> name to incident responders.
>>
>> Searching for the reference MD5 in the SID on TotalHash (why didn't we
>> try that first?!) validates the Kazy ties.
>> https://totalhash.cymru.com/analysis/2315a52f210b8c41b85e95079c87c29d1979cc7e
>>
>>
>> *Noah Dunker*
>> Director of Security Labs
>> Office / 913.685.6517
>> ndunker@riskanalytics.com
>>
>>
>

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
