On 06/07/2016 09:56, Daniel Karrenberg wrote:

It is indeed an FP.

There was a collision between a variant of the Tinba DGA and a legit domain - thinksquare.net.

As you can see in the link below, a lot of malware samples communicated with thinksquare.net on the exact same day.

https://www.virustotal.com/en/domain/thinksquare.net/information/


-Hank

I am positive tinba cannot run on the probes.

So either that IDS is brain damaged or some joker made a UDM that acts
like tinba or both. What Marc said: the 'CnC' appears to be at the root
name servers. Cue conspiracy theory .....

Daniel

On 5.07.16 14:15, Hank Nussbacher wrote:
I received a report from one of our security monitoring systems about
one of our probes (#17846) - https://atlas.ripe.net/probes/17846/ which
appears to be infected with Tinba:


Security incident #1 - Tinba infection

        Involved internal Hosts:
                atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20

        Malicious activities found:
                Tinba infection
                        related indication of compromise:
                                 Communication with CnC
                                         192.112.36.4
                                         192.203.230.10
                                         192.228.79.201
                                         192.33.4.12
                                         192.36.148.17
                                         193.0.14.129
                                         198.41.0.4
                                         198.97.190.53
                                         199.7.83.42
                                         199.7.91.13
                                         202.12.27.33

Should we be worried?


Thanks,

Hank
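The observation Daniel relays from Marc, that every "CnC" address in the report is a DNS root name server, is the kind of check worth automating before an alert like this is escalated. The following is an added example for this thread, not code from any of the posters or from the IDS vendor: it parses a report in the layout pasted above (the sample text is a reconstruction of Hank's report, embedded so the script runs offline), extracts the addresses listed under "Communication with CnC", and classifies each against the root server IPv4 addresses as published in the 2016 root hints. The ROOT_SERVER_V4 table is an assumption of this example rather than something from the thread; B-root was renumbered to 199.9.14.201 in 2017, so a live deployment should refresh the table from the current named.root file instead of hard-coding it.

```python
"""Triage an IDS 'Communication with CnC' list against the DNS root servers.

Added example for the Atlas probe / Tinba thread; not code from the original
posts or from any IDS product.  Assumptions: the report layout below is a
reconstruction of the one pasted in the thread, and ROOT_SERVER_V4 holds the
root name server IPv4 addresses from the 2016 root hints file.
"""
import ipaddress
import re

# Root name server IPv4 addresses, 2016 root hints (assumed current for the
# thread's date; B-root moved to 199.9.14.201 in 2017, so refresh from
# https://www.internic.net/domain/named.root in real use).
ROOT_SERVER_V4 = {
    "198.41.0.4": "a.root-servers.net",
    "192.228.79.201": "b.root-servers.net",  # renumbered after 2016
    "192.33.4.12": "c.root-servers.net",
    "199.7.91.13": "d.root-servers.net",
    "192.203.230.10": "e.root-servers.net",
    "192.5.5.241": "f.root-servers.net",
    "192.112.36.4": "g.root-servers.net",
    "198.97.190.53": "h.root-servers.net",
    "192.36.148.17": "i.root-servers.net",
    "192.58.128.30": "j.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "199.7.83.42": "l.root-servers.net",
    "202.12.27.33": "m.root-servers.net",
}

# Constructed sample: a reconstruction of the report quoted in the thread.
SAMPLE_REPORT = """\
Security incident #1 - Tinba infection
    Involved internal Hosts:
        atlas-probe.cc.biu.ac.il 132.70.248.150 spotted since 2016-06-30 23:58:54 till 2016-07-01 05:01:20
    Malicious activities found:
        Tinba infection
            related indication of compromise:
                Communication with CnC
                    192.112.36.4
                    192.203.230.10
                    192.228.79.201
                    192.33.4.12
                    192.36.148.17
                    193.0.14.129
                    198.41.0.4
                    198.97.190.53
                    199.7.83.42
                    199.7.91.13
                    202.12.27.33
"""

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_cnc_addresses(report: str) -> list:
    """Return the IPv4 addresses listed after the 'Communication with CnC' heading.

    Addresses before the heading (the involved host, 132.70.248.150 in the
    thread) are the monitored system itself and are deliberately skipped.
    Dotted quads that are not valid IPv4 (e.g. 999.1.1.1) are dropped.
    """
    marker = "Communication with CnC"
    idx = report.find(marker)
    if idx < 0:
        return []
    addrs = []
    for match in _IPV4.finditer(report[idx + len(marker):]):
        candidate = match.group(0)
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        if candidate not in addrs:
            addrs.append(candidate)
    return addrs


def triage_cnc_list(addrs) -> dict:
    """Split a CnC indicator list into root-server hits and everything else.

    The verdict is only 'likely false positive' when *every* listed address is
    a root server; a single non-root address keeps the alert open for review.
    """
    root_hits = {a: ROOT_SERVER_V4[a] for a in addrs if a in ROOT_SERVER_V4}
    other = [a for a in addrs if a not in ROOT_SERVER_V4]
    return {
        "root_servers": root_hits,
        "other": other,
        "likely_false_positive": bool(root_hits) and not other,
    }


if __name__ == "__main__":
    result = triage_cnc_list(extract_cnc_addresses(SAMPLE_REPORT))
    for addr, name in sorted(result["root_servers"].items()):
        print(f"{addr:16} {name}")
    print("non-root addresses:", result["other"] or "none")
    print("likely false positive:", result["likely_false_positive"])
```

Run against the reconstructed report, all eleven listed addresses resolve to root server names and the verdict is a likely false positive, which matches the conclusion the thread reached. The check is deliberately conservative: any address outside the root server table leaves the alert open, because a DGA collision on one domain does not rule out other traffic worth looking at.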