Ticket #142 (closed test: fixed)

Opened 6 months ago

Last modified 6 months ago

Likely false-positive files from visiting HTTPS URLs

Reported by: knwang Assigned to: knwang
Priority: normal Milestone:
Component: Excluded Registry/File/Process Version: none
Severity: none Keywords: file,exclude,https,IE,false-positive
Cc:

Description

When the honeyclient visits certain HTTPS URLs, there are specific files that are written to the C:\WINDOWS directory. These files are of the format:

Cab1.tmp, Cab2.tmp, ... Cabx.tmp
Tar1.tmp, Tar2.tmp, ... Tarx.tmp

Our logs indicate that the Cab.tmp and Tar.tmp files are deleted almost immediately after they are written to the C:\WINDOWS directory.

Without conducting further detailed analysis on these files, it is unclear as to their exact functionality. However, a 'strings' output of a Tar2.tmp file contains these lines:

"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
050204005034Z
120215080000Z0
Washington1
Redmond1
Microsoft Corporation1-0+
$Microsoft Certificate Trust List PCA0
b?xl
q@3r
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
Washington1
Redmond1
Microsoft Corporation1-0+
$Microsoft Certificate Trust List PCA0
051213221338Z
071113222338Z0
Washington1
Redmond1
Microsoft Corporation1301
*Microsoft Certificate Trust List Publisher0
H5d-
N$Y>
0%,K
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
:http://www.microsoft.com/pki/crl/products/TrustListPCA.crl0@
:http://crl.microsoft.com/pki/crl/products/TrustListPCA.crl0O
C0A0?
3http://www.microsoft.com/pki/certs/TrustListPCA.crt0
Washington1
Redmond1
Microsoft Corporation1-0+
$Microsoft Certificate Trust List PCA
fsI:D)g
`http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp 0
fj.j
)zC}}
j!\d
0g0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA

The above output appears to be related to Microsoft certificates, which would make sense considering that the URL associated with this behavior is an HTTPS link:

https://money.yandex.ru/index.xml (we cannot guarantee the safety of this site, should you choose to visit)

Associated VMWare ID: 67561edec9a46ab2554a4920f6

For now, we will continue to monitor for cases of other URLs that exhibit similar behaviors. If you know for sure that this is a false positive, we would appreciate hearing from you.
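The behavior described in this ticket (Cab<n>.tmp / Tar<n>.tmp files appearing under C:\WINDOWS and vanishing almost at once, with strings that point at the Microsoft Certificate Trust List) is the kind of thing a file-change exclusion has to handle narrowly, so that a real dropper using a similar name is not silenced along with it. The following is an added example, not the honeyclient project's own code or its r1330 fix; it assumes a hypothetical event format of (timestamp, action, path) tuples and a 5-second "deleted almost immediately" window, both of which are assumptions and not taken from the ticket. A create event is suppressed only when the path matches the pattern from the ticket and a matching delete follows within the window; an optional content check looks for the CTL markers visible in the ticket's strings output when a copy of the file was captured before deletion.

```python
import re
from datetime import datetime, timedelta

# Filenames the ticket describes: Cab<n>.tmp and Tar<n>.tmp directly under C:\WINDOWS.
CTL_TMP_RE = re.compile(r"^C:\\WINDOWS\\(?:Cab|Tar)\d+\.tmp$", re.IGNORECASE)

# Markers that appear in the ticket's strings output; only usable when file content was captured.
CTL_MARKERS = (b"Microsoft Certificate Trust List", b"TrustListPCA")

# Assumption (not from the ticket): a create/delete pair this close counts as "deleted almost immediately".
DELETE_WINDOW = timedelta(seconds=5)

# Constructed sample events in the assumed (timestamp, action, path) format; not real honeyclient log data.
SAMPLE_EVENTS = [
    ("2008-03-05 18:50:00.000", "create", r"C:\WINDOWS\Cab1.tmp"),
    ("2008-03-05 18:50:00.250", "delete", r"C:\WINDOWS\Cab1.tmp"),
    ("2008-03-05 18:50:00.300", "create", r"C:\WINDOWS\Tar1.tmp"),
    ("2008-03-05 18:50:00.600", "delete", r"C:\WINDOWS\Tar1.tmp"),
    ("2008-03-05 18:50:01.000", "create", r"C:\WINDOWS\Tar2.tmp"),   # never deleted: stays flagged
    ("2008-03-05 18:50:02.000", "create", r"C:\WINDOWS\evil.exe"),   # does not match the pattern
    ("2008-03-05 18:50:03.000", "create", r"C:\WINDOWS\Tar3.tmp"),   # deleted, but too late
    ("2008-03-05 18:50:20.000", "delete", r"C:\WINDOWS\Tar3.tmp"),
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def classify_events(events, window=DELETE_WINDOW):
    """Split events into (suppressed, remaining).

    A create is suppressed only when its path matches CTL_TMP_RE and a delete of the
    same path follows within `window`; the matching delete is suppressed with it.
    Everything else (non-matching names, files that persist, late deletes) is kept
    for the analyst to look at.
    """
    events = sorted(events, key=lambda e: _parse_ts(e[0]))
    pending = {}            # path -> index of its unmatched create event
    suppressed_idx = set()
    for i, (ts, action, path) in enumerate(events):
        if not CTL_TMP_RE.match(path):
            continue
        if action == "create":
            pending[path] = i
        elif action == "delete" and path in pending:
            j = pending.pop(path)
            if _parse_ts(ts) - _parse_ts(events[j][0]) <= window:
                suppressed_idx.update((j, i))
    suppressed = [e for i, e in enumerate(events) if i in suppressed_idx]
    remaining = [e for i, e in enumerate(events) if i not in suppressed_idx]
    return suppressed, remaining


def looks_like_ctl(data):
    """True if captured file bytes carry the CTL markers seen in the ticket's strings output."""
    return any(m in data for m in CTL_MARKERS)


if __name__ == "__main__":
    suppressed, remaining = classify_events(SAMPLE_EVENTS)
    print("suppressed as likely CTL temp files:")
    for ev in suppressed:
        print("  ", ev)
    print("still flagged for review:")
    for ev in remaining:
        print("  ", ev)
```

The name pattern alone is deliberately not enough to suppress an event: a file that matches the name but is never deleted, or is deleted only later, is kept, and where the honeyclient managed to copy the file before it was removed, looks_like_ctl gives a second, content-based signal before the event is written off as this false positive.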

Change History

03/05/08 18:56:12 changed by kindlund

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r1330.
