ISC Blocked

This morning at the ISC was a bit more interesting than usual. As I was skimming through the emails I found the usual great submissions from readers, but what got my attention was an email from Iztok, and others, indicating that the ISC site was inaccessible to them because it had been placed on a blocklist by Cisco Talos.

This stuff happens to us now and then. When you write about malware as much as the Handlers do, it is bound to happen that we will get the odd false positive. But I don't think that we have ever been blocked by a research organization with the reach of Cisco Talos. Now don't get me wrong. This diary is not to complain about the good people at Talos. They do great work, and they were amazingly quick to unblock us once they were alerted to the issue.

But as often happens here at the ISC, curiosity gets the better of us and we set out to investigate how this might have happened. The first bit of information that came back to us, from the good people at Cisco Talos, is that a piece of submitted malware tried to contact the ISC. This led us to VirusTotal. Just to be completely clear, we did not have any other information from Cisco Talos, so I might be barking up the wrong tree. A VirusTotal search for malware referring to isc.sans.edu found a sample with a creation date in June 2012 that was first submitted to VT on Friday, August 14, 2020. Seems rather coincidental.

This piece of malware, which is detected as a Trojan backdoor by 60 of 68 engines, references a diary from March 2012.

Unfortunately, this is where the investigation ends. None of us could come up with a reason why a piece of malware would want to reference that diary. Speculation was that maybe it was used as a network connectivity check, but a check of the logs showed that the only hits to that diary are all by search-engine crawlers. If it was used for some nefarious purpose, it was lost in time.
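The log check described above, as an added example that is not from the diary or from any ISC tooling: a small Python script that parses combined-format web-server access log lines, pulls out every request for a given diary path, and separates hits whose User-Agent identifies a known search-engine crawler from everything else. The log lines, IP addresses, diary path and crawler marker list are all constructed for the example and are not real ISC data.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the "combined" format used by Apache
# and nginx. These are invented for the example and are NOT ISC log data.
SAMPLE_LOG = """\
66.249.66.1 - - [14/Aug/2020:03:12:07 +0000] "GET /diary/12345 HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.12 - - [14/Aug/2020:05:40:22 +0000] "GET /diary/12345?page=1 HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.7 - - [14/Aug/2020:09:01:45 +0000] "GET /diary/12345 HTTP/1.1" 200 51234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.3 - - [14/Aug/2020:09:02:10 +0000] "HEAD /diary/12345 HTTP/1.0" 200 0 "-" "-"
66.249.66.1 - - [14/Aug/2020:11:30:00 +0000] "GET /diary/99999 HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that the major search engines put in their own User-Agent strings.
# Assumed list for the example; extend it for whatever crawlers visit your site.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot",
                   "baiduspider", "slurp", "applebot")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only, so /diary/12345?page=1 still counts as a hit on /diary/12345.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_crawler(ua):
    """Classify on the User-Agent string alone (client-controlled, so only a first cut).
    A missing UA ("-" or empty) is NOT treated as a crawler: real search engines
    identify themselves, and an unidentified client is exactly what we want to see."""
    ua_l = ua.lower()
    return any(marker in ua_l for marker in CRAWLER_MARKERS)


def hits_for_path(log_text, path):
    """All parsed requests whose path (query string stripped) equals `path`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path:
            hits.append(rec)
    return hits


def non_crawler_hits(log_text, path):
    """The hits to `path` that do not come from a self-identified search-engine crawler."""
    return [h for h in hits_for_path(log_text, path) if not is_crawler(h["ua"])]


def summarize(log_text, path):
    """Counts by (method, is_crawler) plus the distinct non-crawler source IPs."""
    hits = hits_for_path(log_text, path)
    by_kind = Counter((h["method"], is_crawler(h["ua"])) for h in hits)
    suspects = sorted({h["ip"] for h in hits if not is_crawler(h["ua"])})
    return {"total": len(hits), "by_kind": dict(by_kind), "non_crawler_ips": suspects}


if __name__ == "__main__":
    diary = "/diary/12345"
    print(summarize(SAMPLE_LOG, diary))
    for h in non_crawler_hits(SAMPLE_LOG, diary):
        print(h["ts"], h["ip"], h["method"], repr(h["ua"]))
```

Two things the diary's result depends on are worth keeping in mind when running this against real logs. The User-Agent is supplied by the client, so a sample could just as easily claim to be Googlebot; when it matters, confirm crawler hits with the reverse-then-forward DNS check that the major search engines document rather than trusting the string. And the hits to look at hardest are the ones this script leaves in the non-crawler bucket: an empty User-Agent, a HEAD request, or a bare GET with no Referer is what a connectivity check from a backdoor could look like.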

If you have any ideas, we would love to hear them via our contact form.


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

ISC Handler
Aug 18th 2020
Is it me, or is the quote from 2014 and the pointer to 2012?
Or am I missing something that explains the 2-year offset?
hvdk

On VT, the compilation date is indeed 2012 (well, not a bullet-proof reference but... :-)
Xme

ISC Handler
It must've been the pixies! The invisible ones are the worst!
DomMcIntyreDeVitto
