Views:

Identify the Callback Address, C&C List Source, and Process.

  1. Go to the System Tray and double-click the OfficeScan Agent icon.
  2. Click the Logs icon.

    logs

  3. For the Type, select C&C Callback.

    c&c callback

Whereas:
Callback Address – The C&C server detected
C&C List Source – The name of the list that contains the Callback Address
Process – The process which attempted to communicate with the Callback Address

After identifying the C&C callback details, consider the following scenarios:

  • Scenario 1: C&C List Source is Global C&C List

    Global C&C IP List is a pattern containing known C&C servers. The host is most likely infected.

    1. Ensure that the connection is being blocked. Refer to KB 1106069 on how to block/log C&C IP connection in OfficeScan.
    2. End the associated process using Task Manager. If the process spawns again, it most likely has a persistence - scheduled task, registry, WMI, etc. When this happens, suspend the process.

      Suspending the process is like pausing it. It is still present in the memory and can be resumed at a later time. This prevents the process from running, but at the same time, prevents its persistence from spawning the same process.

       
      If the associated process is a non-malicious Windows Executable file like cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, DO NOT suspend it as it may cause the system to crash. Proceed directly to Step 3.
       

      Suspending a process using Resource Monitor:

      1. Press the Windows Key + R.
      2. Type "resmon" and press Enter.
      3. Go to the CPU tab and find the associated process.
      4. Right-click it and select Suspend.

        resource monitor

      Suspending a process using Process Explorer:

      1. Download Process Explorer.
      2. Run procexp.exe / procexp64.exe and find the associated process.
      3. Right-click the process and select Suspend.

        process explorer

    3. Collect suspicious files and system information using ATTK . Submit the result to Trend Micro Technical Support for analysis.
  • Scenario 2: C&C List Source is Relevance Rule

    Relevance Rule is a pattern containing the “network fingerprints” of highly prevalent malware. The host is possibly infected.
    Export the following logs and submit them to Trend Micro Technical Support for analysis:

    C&C Callback Logs
    Suspicious Connection Logs

    Refer to KB 1057359 for generating and exporting logs in OfficeScan.

  • Scenario 3: C&C List Source is Virtual Analyzer C&C List

    A process attempted to communicate with a URL/Domain/IP in Virtual Analyzer C&C List. The Virtual Analyzer C&C List contains callback addresses in Control Manager’s Virtual Analyzer Suspicious Object List. For this scenario, it is critical to identify why the URL/Domain/IP became a Suspicious Object.

    1. Log in to the Control Manager web console.
    2. Go to Administration > Suspicious Object > Virtual Analyzer Objects.
    3. Locate the Callback Address using the Search field.

      Callback Address

    4. Click the drop-down button to view the details regarding the Suspicious Object. Take note of the SHA-1 hash value and file name.

      Suspicious Object

    5. Click View on the Handling Process column.
    6. Click the Analysis section. Take note of the Analyzed timestamp and the Deep Discovery product which is the source of the Suspicious Object.

      analysis

    7. Log on to the web console of the source Deep Discovery product.
    8. Go to Virtual Analyzer > Submissions > Completed tab.
    9. Narrow the Date Range using the Analyzed timestamp noted earlier.

      range

    10. Click Advanced, and filter the entries using the SHA-1 hash value noted earlier.

      advanced

    11. Click on the entry to view the details. Download the PDF analysis report and the Investigation Package.

      analysis report

    12. Submit them to Trend Micro Technical Support for analysis together with the following logs:

      C&C Callback Logs
      Suspicious Connection Logs

      Refer to KB 1057359 for generating and exporting logs in OfficeScan.

  • Scenario 4: C&C List Source is User-defined C&C List

    A process attempted to communicate with a URL/Domain/IP in User-defined C&C List. User-defined C&C List contains callback addresses that the administrator added for the purpose of blocking or logging any associated connections.
    If you suspect that the host which communicated with the User-defined C&C List is infected, run ATTK and submit the result to Trend Micro Technical Support for analysis.