Security Response
Comment Crew:
Indicators of Compromise
Introduction
This document contains additional Comment Crew indicators of compromise that were seen in the past year.
See our accompanying blog for more information.
This document details the following types of indicators:
Network
File
System
Email
The contents of this document are indicators only and may match legitimate services or applications.
Additional verification is required to confirm an actual compromise.
Network indicators
Network-based indications of possible compromise by the Comment Crew attackers.
aspnet_client/report.asp
Resource/device_Tr.asp
images/device_index.asp
news/media/info.html
backsangho.jpg
addCats.asp
SmartNav.jpg
nblogo2.jpg
Domains
GT446.ezua.COM
aunewsonline.com
avvmail.com
cas.ibooks.tk
cas.m-e.org.ru
colville.com
cvba.com
deebeedesigns.ca
dev.teamattire.com
doversolutions.co.in
download.epac.to
drgeorges.com
dril-quip.deltae.com.br
dsds.co.kr
[REMOVED].ruok.org
engineer.lflinkup.org
exactearth.info.tm
fbrshop.com
firebirdonline.com
forceoptions.net
freelanceindy.com
ftp.xmahone.ocry.com
garyhart.com
gobroadreach.com
hint.happyforever.com
hojutsu.com
imly.org
interradiology.com
jimnaugle.com
kayauto.net
keenathomas.com
ks.utworld.ch
mast.zyns.com
media.conci.com.au
media.finanstalk.ru
media.metdf.com.au
meeting.toh.info
mountainvalley.americanunfinished.com
mrswehrman.com
mwa.net
news.hqrls.com
odysseus.qs-va.orbcomm.net
ohb-technology.brgh.de
omegalogos.org
pastorsrest.com
portal.itsaol.com
progammerli.com
rbaparts.com
report.crabdance.com
[REMOVED].photo-frame.com
route.cisco.ns01.info
shunleewest.com
slowblog.com
smilecare.com
software.myftp.info
soko.com
tcw.homier.com
[REMOVED]comminc.us.to
[REMOVED].arnotex.com
thecrownsgolf.org
[REMOVED].alfalcons.com
twocirclesmusic.com
un.linuxd.org
update.sektori.org
us.gnpes.org
vwrm.com
woodagency.com
worldnews.kickingdruging.toythieves.com
IP addresses
140.116.70.8
143.89.35.7
150.176.164.6
202.105.39.39
202.39.61.136
202.6.235.83
203.200.205.245
204.111.73.150
209.124.51.194
209.124.51.219
209.161.249.125
209.208.114.83
209.233.16.84
209.253.17.229
211.232.57.235
212.130.19.154
218.232.66.12
218.233.206.2
218.234.17.30
24.73.192.154
46.149.18.151
60.248.52.95
61.219.67.1
63.192.38.11
64.80.153.108
65.105.157.228
65.110.1.32
65.114.195.226
65.89.173.68
66.151.16.30
66.155.114.145
66.170.3.43
66.228.132.53
66.228.132.8
68.17.104.162
68.96.31.136
69.20.5.219
69.25.50.10
69.28.168.10
69.74.43.87
69.90.123.6
69.90.18.22
69.90.18.23
70.108.241.36
70.62.232.98
74.86.197.56
74.93.92.50
78.95.63.1
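The URL paths, domains and IP addresses above are only useful once they are run against traffic logs, and how they are compared matters: a host should match the listed domain or a subdomain of it but never the parent (several of the domains are hosts on dynamic-DNS providers), IPs need an exact match, and a path match alone is weak evidence because names such as aspnet_client/ are stock IIS directories. The following Python is an added example, not part of the Symantec document: it takes a subset of the indicators above, drops the [REMOVED] entries (which cannot be matched exactly), and scans a constructed proxy log whose format is an assumption.

```python
"""Match proxy-log fields against the Comment Crew network indicators above.
Added example, not part of the Symantec document: indicator values are a subset
of the lists above; the log format and log lines are constructed. Entries
redacted as [REMOVED] in the document cannot be matched and are omitted."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

URI_PATHS = ["aspnet_client/report.asp", "Resource/device_Tr.asp",
             "images/device_index.asp", "news/media/info.html",
             "backsangho.jpg", "addCats.asp", "SmartNav.jpg", "nblogo2.jpg"]
DOMAINS = ["GT446.ezua.COM", "aunewsonline.com", "cas.ibooks.tk",
           "hint.happyforever.com", "route.cisco.ns01.info", "software.myftp.info"]
IPS = ["140.116.70.8", "143.89.35.7", "209.124.51.194", "69.90.18.22"]

Hit = Tuple[str, str, str]  # (kind, indicator as listed, log line)


def _norm_host(host: str) -> str:
    # DNS names are case-insensitive; DNS logs often append a trailing dot.
    return host.lower().rstrip(".")


def host_matches(host: str, indicators=DOMAINS) -> Optional[str]:
    """Indicator that host equals or is a subdomain of, else None.
    Comparison is on whole labels (notaunewsonline.com != aunewsonline.com).
    Parent domains are not matched on purpose: several indicators are hosts on
    dynamic-DNS providers (ezua.com, ns01.info, myftp.info) and flagging the
    whole provider would drown the analyst in noise."""
    h = _norm_host(host)
    for ind in indicators:
        i = _norm_host(ind)
        if h == i or h.endswith("." + i):
            return ind
    return None


def ip_matches(addr: str, indicators=IPS) -> Optional[str]:
    """Exact address match; accepts the 'a.b.c.d:port' form proxies log."""
    candidate = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return next((i for i in indicators if ipaddress.ip_address(i) == ip), None)


def path_matches(path: str, indicators=URI_PATHS) -> Optional[str]:
    """Match when the URL path ends with the indicator at a '/' boundary.
    IIS resolves paths case-insensitively, so compare lower-cased. A path hit
    alone is weak evidence (the document's caveat): aspnet_client/ is a stock
    IIS directory, so the same path on an internal server is not a compromise."""
    p = path.lower()
    return next((i for i in indicators if p.endswith("/" + i.lower())), None)


# Constructed proxy log format: timestamp client method url status server_ip
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                      r"(?P<url>\S+) (?P<status>\d{3}) (?P<server>\S+)$")

SAMPLE_LOG = """\
2013-02-20T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200 93.184.216.34
2013-02-20T10:01:09Z 10.0.0.15 POST http://GT446.ezua.COM/aspnet_client/report.asp 200 209.124.51.194
2013-02-20T10:02:41Z 10.0.0.22 GET http://intranet.example.com/aspnet_client/report.asp 404 10.0.0.5
2013-02-20T10:03:05Z 10.0.0.31 GET http://cdn.notaunewsonline.com/nblogo2.jpg 200 198.51.100.7
2013-02-20T10:04:17Z 10.0.0.31 GET http://update.cas.ibooks.tk/images/device_index.asp 200 143.89.35.7
"""


def scan_proxy_line(line: str) -> List[Hit]:
    """All indicator hits on one line; one line can hit domain, IP and path."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m["url"])
    checks = (("domain", host_matches(url.hostname or "")),
              ("ip", ip_matches(m["server"])),
              ("path", path_matches(url.path)))
    return [(kind, ind, line.strip()) for kind, ind in checks if ind]


def scan_log(text: str) -> List[Hit]:
    return [h for line in text.splitlines() if line.strip()
            for h in scan_proxy_line(line)]


if __name__ == "__main__":
    for kind, ind, line in scan_log(SAMPLE_LOG):
        print(f"{kind:6} {ind:26} {line}")
```

In the constructed log, the second and fifth lines hit on domain, server IP and path at once, which is the kind of corroboration the document asks for before calling a compromise; the third line hits only on the path, against an internal server, and is the false positive the caveat above warns about.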
File indicators
File-based indications of possible compromise by the Comment Crew attackers.
%TEMP%\AdobeARM.exe
%TEMP%\iTunesHelper.exe
%PROGRAMS%\Startup\AdobeRe.exe
rouj.exe
%USERPROFILE%\Local Settings\iexplore.exe
%USERAPPDATA%\Microsoft\wuauclt.exe
%PROGRAMS%\Startup\adobeup.exe
%TEMP%\AdobeUpdater.exe
NTLMSVC.DLL
%PROGRAMS%\Startup\adobe_sl.lnk
%TEMP%\runinfo.exe
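Most of the file indicators above are written with %VAR% placeholders, and several reuse the names of legitimate binaries (AdobeARM.exe, iTunesHelper.exe, wuauclt.exe); what makes them indicators is the location, not the name. To check file telemetry against them the placeholders have to be expanded to every layout a host may have used. The following Python is an added example, not from the Symantec document: the expansions chosen for each placeholder (XP and Vista-and-later profile layouts) and the sample paths are assumptions, and %USERAPPDATA%, which is not a standard Windows variable name, is treated as %APPDATA%.

```python
"""Turn the file indicators above into path patterns and test file paths
against them. Added example, not from the Symantec document. The expansions
chosen for each %VAR% (XP and Vista-and-later profile layouts) and the sample
paths are assumptions; %USERAPPDATA% is not a standard Windows variable name
and is treated here as %APPDATA% (the roaming profile directory)."""
import re
from typing import Dict, List

FILE_INDICATORS = [
    r"%TEMP%\AdobeARM.exe", r"%TEMP%\iTunesHelper.exe",
    r"%PROGRAMS%\Startup\AdobeRe.exe", r"rouj.exe",
    r"%USERPROFILE%\Local Settings\iexplore.exe",
    r"%USERAPPDATA%\Microsoft\wuauclt.exe", r"%PROGRAMS%\Startup\adobeup.exe",
    r"%TEMP%\AdobeUpdater.exe", r"NTLMSVC.DLL",
    r"%PROGRAMS%\Startup\adobe_sl.lnk", r"%TEMP%\runinfo.exe",
]

# Regex fragments: a drive letter, one path component, and the two profile
# layouts the indicators may have been observed under (assumed).
_DRIVE = r"[A-Za-z]:"
_ONE = r"[^\\]+"
_VISTA = rf"{_DRIVE}\\Users\\{_ONE}"
_XP = rf"{_DRIVE}\\Documents and Settings\\{_ONE}"
PLACEHOLDERS = {
    "%USERPROFILE%": rf"(?:{_VISTA}|{_XP})",
    "%TEMP%": rf"(?:{_VISTA}\\AppData\\Local\\Temp|{_XP}\\Local Settings\\Temp"
              rf"|{_DRIVE}\\Windows\\Temp)",
    "%USERAPPDATA%": rf"(?:{_VISTA}\\AppData\\Roaming|{_XP}\\Application Data)",
    "%PROGRAMS%": rf"(?:{_VISTA}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
                  rf"|{_XP}\\Start Menu\\Programs)",
}
_PLACEHOLDER_RE = re.compile(r"%[A-Z]+%")


def compile_indicator(indicator: str) -> "re.Pattern":
    """One indicator -> anchored, case-insensitive regex (NTFS ignores case).
    %VAR% becomes the alternation from PLACEHOLDERS, everything else is a
    literal. A bare file name (no backslash) matches as the last component
    of any path, since the document gives no location for it."""
    parts, pos = [], 0
    for m in _PLACEHOLDER_RE.finditer(indicator):
        if m.group() not in PLACEHOLDERS:
            raise ValueError(f"no expansion defined for {m.group()}")
        parts.append(re.escape(indicator[pos:m.start()]))
        parts.append(PLACEHOLDERS[m.group()])
        pos = m.end()
    parts.append(re.escape(indicator[pos:]))
    body = "".join(parts)
    if "\\" not in indicator:
        body = r"(?:.*\\)?" + body
    return re.compile(rf"^{body}$", re.IGNORECASE)


COMPILED = [(ind, compile_indicator(ind)) for ind in FILE_INDICATORS]


def match_path(path: str) -> List[str]:
    """Indicators (as written in the document) that the given path satisfies."""
    return [ind for ind, rx in COMPILED if rx.match(path)]


def scan_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Map each path with at least one hit to the indicators it matched."""
    hits = {}
    for p in paths:
        matched = match_path(p)
        if matched:
            hits[p] = matched
    return hits


# Constructed paths, e.g. TargetFilename values from Sysmon FileCreate events.
# The usual homes of AdobeARM.exe and wuauclt.exe are included to show that
# the indicator is the unusual location, not the file name.
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Local\Temp\AdobeARM.exe",
    r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
    r"C:\Documents and Settings\jdoe\Local Settings\iexplore.exe",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe_sl.lnk",
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\wuauclt.exe",
    r"D:\share\tools\ntlmsvc.dll",
    r"C:\Users\jdoe\Downloads\rouj.exe.txt",
]

if __name__ == "__main__":
    for path, inds in scan_paths(SAMPLE_PATHS).items():
        print(f"{path}\n    matches {', '.join(inds)}")
```

Patterns are anchored at both ends, so rouj.exe.txt does not match rouj.exe, and the two legitimate locations in the sample produce no hit; only the five paths under a temp, profile or Startup directory do.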
System indicators
System-based indications of possible compromise by the Comment Crew attackers.
Registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"
Service names:
aec
elpmasym
Net CLR
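The registry indicators above are Run-key value names under a specific hive, and the service indicators are plain service names. Telemetry does not present them in that form: Sysmon records a per-user write as HKU\<SID>\... rather than HKEY_CURRENT_USER, 32-bit software on 64-bit Windows writes under Wow6432Node, and RunOnce must not be confused with Run. The following Python is an added example, not from the Symantec document; the record shapes (Sysmon Event ID 13 TargetObject for registry value writes, System log Event ID 7045 ServiceName for newly installed services) and the events themselves are constructed for illustration.

```python
"""Check Run-key values and service names from host telemetry against the
system indicators above. Added example, not from the Symantec document. The
record shapes (Sysmon Event ID 13 'TargetObject' for registry value writes,
System log Event ID 7045 'ServiceName' for new services) and the events
themselves are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

RUN_VALUES = {
    "HKEY_CURRENT_USER": ["Acroread", "Adobe Update", "AdobeCheck", "AdobeCom",
                          "IMSCMig", "McUpdate", "Register", "SysTray",
                          "systemupdate", "wininstaller"],
    "HKEY_LOCAL_MACHINE": ["APVSVC", "AdobeUpdate"],
}
SERVICE_NAMES = ["aec", "elpmasym", "Net CLR"]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Sysmon writes per-user hives as HKU\<SID>\...; HKEY_CURRENT_USER in the
# indicators is the same key seen from inside that user's session.
_HIVE_RE = re.compile(
    r"^(?P<hive>HKU\\S-[\d-]+|HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\(?P<rest>.+)$",
    re.IGNORECASE)


def normalize_registry_path(target_object: str) -> Optional[Tuple[str, str, str]]:
    """Split 'HKU\\S-1-5-21-...\\Software\\...\\Run\\Name' into
    (HKEY_CURRENT_USER | HKEY_LOCAL_MACHINE, key, value_name).
    The Wow6432Node redirection that 32-bit software sees on 64-bit Windows
    is folded away so both views of the Run key compare equal."""
    m = _HIVE_RE.match(target_object.strip())
    if not m:
        return None
    hive_raw = m["hive"].upper()
    hive = "HKEY_LOCAL_MACHINE" if hive_raw in ("HKLM", "HKEY_LOCAL_MACHINE") else "HKEY_CURRENT_USER"
    rest = re.sub(r"\\Wow6432Node(?=\\)", "", m["rest"], flags=re.IGNORECASE)
    key, _, value = rest.rpartition("\\")
    return hive, key, value


def match_run_value(target_object: str) -> Optional[Tuple[str, str]]:
    """(hive, value name) from the indicator list if this write hits the Run
    key with a listed name, else None. RunOnce and other keys do not count,
    and the hive must agree with the list (APVSVC is listed under HKLM only).
    Registry key and value names are case-insensitive."""
    parsed = normalize_registry_path(target_object)
    if not parsed:
        return None
    hive, key, value = parsed
    if key.lower() != RUN_KEY.lower():
        return None
    for name in RUN_VALUES[hive]:
        if name.lower() == value.lower():
            return hive, name
    return None


def match_service(service_name: str) -> Optional[str]:
    """Windows service names are case-insensitive; exact match only, so the
    legitimate .NET 'clr_optimization_*' services do not collide with 'Net CLR'."""
    s = service_name.strip().lower()
    return next((n for n in SERVICE_NAMES if n.lower() == s), None)


SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Acroread"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\APVSVC"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AdobeUpdate"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 7045, "ServiceName": "elpmasym"},
    {"EventID": 7045, "ServiceName": "clr_optimization_v4.0.30319_32"},
    {"EventID": 7045, "ServiceName": "NET CLR"},
]


def scan_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, indicator text) for every event that hits an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 13:
            m = match_run_value(ev["TargetObject"])
            if m:
                hits.append((i, f'{m[0]}\\{RUN_KEY}\\"{m[1]}"'))
        elif ev.get("EventID") == 7045:
            m = match_service(ev["ServiceName"])
            if m:
                hits.append((i, f"service {m}"))
    return hits


if __name__ == "__main__":
    for idx, text in scan_events(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {text}")
```

Of the seven constructed events, four hit: the HKU write of Acroread, the Wow6432Node write of APVSVC, the elpmasym service and "NET CLR" (service names compare case-insensitively). Names such as Register and SysTray are common enough in legitimate software that a hit on them alone needs the additional verification the document calls for.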
Email indicators
Email-based indications of possible compromise by the Comment Crew attackers.
Subject lines
update.exe
CTF 2011 (MF).xls
BBC Monitoring reports..xls
References
Mandiant Indicators of Compromise
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip
About Symantec
Symantec protects the world's information and is the global leader in
security, backup, and availability solutions. Our innovative products
and services protect people and information in any environment, from
the smallest mobile device to the enterprise data center to cloud-based
systems. Our industry-leading expertise in protecting data, identities,
and interactions gives our customers confidence in a connected world.
More information is available at www.symantec.com or by connecting
with Symantec at go.symantec.com/socialmedia
Headquartered in Mountain View, Calif., Symantec has operations in 40
countries. More information is available at www.symantec.com
For specific country offices and contact numbers, please visit our
website.
Symantec World Headquarters