Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1337
Views
0
Helpful
1
Replies

Retrospective Malware: SWF.Exploit.Kit.tht.Talos

awaggoner
Level 1
Level 1

‎12-17-2015 06:30 AM - edited ‎03-10-2019 06:31 AM

This morning I received a relatively large number of detections for SWF.Exploit.Kit.tht.Talos .  They show as coming from multiple IP addresses within the last several days, with the first one on 12/9.  

The file name is listed as adsapi.swf

The Hash shows up as malware on 2 engines on virustotal:  https://www.virustotal.com/en/file/59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87/analysis/

Sha256: 59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87

 I have used Dig on multiple public IP addresses that show as the source and they all come back as having a PTR to hosts in the 1e100.net domain.  That shows up as belonging to Google, and is claimed to be used to identify servers on their network.

Is this retrospective malware detection a false positive, or were a large number of hosts downloading malware over the last week?

Thank You, Alan

Labels:
0 Helpful
1 Reply 1

awaggoner
Level 1
Level 1

‎12-17-2015 07:11 AM

False alarm.  All addresses are showing clean now.

<*- Network Based Retrospective at Thu Dec 17 15:08:20 2015 UTC -*> 

Sha256: 59ceffed73c5bb616d78416096c207d4334c91d5c718e82c355766ca9af8aa87

Disposition: Clean

Threat name: N/A

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card