| IP Address | Port | Hostname | |
|---|---|---|---|
| Source | (local) | 62200 | |
| Destination | 216.139.221.14 (United States) | html (80) | wspanalytics.com |
| url | http://wspanalytics.com/boost-for-excel/wp-content/release/boost/boost-installer.exe |
| Host | wspanalytics.com |
| Accept | text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 |
| Connection | keep-alive |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 |
| Accept-Encoding | gzip, deflate, sdch |
| Accept-Language | en-US,en;q=0.8 |
| req_or_response | GET /boost-for-excel/wp-content/release/boost/boost-installer.exe HTTP/1.1 |
| Upgrade-Insecure-Requests | 1 |
Description:
- A request to download a .exe file has occurred to a wordpress site.
- Wordpress sites are frequently targeted by malware creators for distribution purposes. Why?:
- These websites often have the virtue of being tied to known good (not blacklisted) infrastructure.
- They are easy to set up insecurely and often subject to abandonment (user sets up their server and doesn't patch).
- Throw away non-attributable infrastructure for hosting malware binaries.
False Positive:
- YES
- wspanalytics is a known good WordPress site.
- They are legitimately distributing cleartext .exes via their site.
- wprecon.com finds no security violations.
Action:
- None
Comments