https://community.cisco.com/t5/network-security/retrospective-malware-swf-exploit-kit-tht-talos/m-p/2800485#M44343 <P>This morning I received a relatively large number of detections for&nbsp;<SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">SWF.Exploit.Kit.tht.Talos . &nbsp;They show as coming from multiple IP addresses within the last several&nbsp;days, with the first one on 12/9. &nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">The file name is listed as adsapi.swf</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">The Hash shows up as malware on 2 engines on virustotal: &nbsp;<A href="https://www.virustotal.com/en/file/59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87/analysis/" target="_blank">https://www.virustotal.com/en/file/59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87/analysis/</A></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"></SPAN>Sha256: 59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">&nbsp;I have used Dig on multiple public IP addresses that show as the source and they all come back as having a PTR to hosts in the 1e100.net domain. &nbsp;That shows up as belonging to Google, and is claimed to be used to identify servers on their network.</SPAN></P> <P><SPAN style="text-decoration: underline; font-size: 14pt;"><STRONG><FONT face="Calibri, sans-serif">Is this retrospective malware detection a false positive, or were&nbsp;a large number of hosts downloading malware over the last week?</FONT></STRONG></SPAN></P> <P><SPAN style="font-size: 10pt;">Thank You, Alan</SPAN></P> Sun, 10 Mar 2019 13:31:36 GMT awaggoner 2019-03-10T13:31:36Z https://community.cisco.com/t5/network-security/retrospective-malware-swf-exploit-kit-tht-talos/m-p/2800485#M44343 <P>This morning I received a relatively large number of detections for&nbsp;<SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">SWF.Exploit.Kit.tht.Talos . &nbsp;They show as coming from multiple IP addresses within the last several&nbsp;days, with the first one on 12/9. &nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">The file name is listed as adsapi.swf</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">The Hash shows up as malware on 2 engines on virustotal: &nbsp;<A href="https://www.virustotal.com/en/file/59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87/analysis/" target="_blank">https://www.virustotal.com/en/file/59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87/analysis/</A></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"></SPAN>Sha256: 59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">&nbsp;I have used Dig on multiple public IP addresses that show as the source and they all come back as having a PTR to hosts in the 1e100.net domain. &nbsp;That shows up as belonging to Google, and is claimed to be used to identify servers on their network.</SPAN></P> <P><SPAN style="text-decoration: underline; font-size: 14pt;"><STRONG><FONT face="Calibri, sans-serif">Is this retrospective malware detection a false positive, or were&nbsp;a large number of hosts downloading malware over the last week?</FONT></STRONG></SPAN></P> <P><SPAN style="font-size: 10pt;">Thank You, Alan</SPAN></P> Sun, 10 Mar 2019 13:31:36 GMT https://community.cisco.com/t5/network-security/retrospective-malware-swf-exploit-kit-tht-talos/m-p/2800485#M44343 awaggoner 2019-03-10T13:31:36Z https://community.cisco.com/t5/network-security/retrospective-malware-swf-exploit-kit-tht-talos/m-p/2800486#M44344 <P>False alarm. &nbsp;All addresses are showing clean now.</P> <P></P> <P>&lt;*- Network Based Retrospective at Thu Dec 17 15:08:20 2015 UTC -*&gt;&nbsp;</P> <P>Sha256: 59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87</P> <P>Disposition: Clean</P> <P>Threat name: N/A</P> Thu, 17 Dec 2015 15:11:06 GMT https://community.cisco.com/t5/network-security/retrospective-malware-swf-exploit-kit-tht-talos/m-p/2800486#M44344 awaggoner 2015-12-17T15:11:06Z