C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating process seems to be AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas, anyone?

  • In reply to DominicSchmidl:

    Hi,

    At least I can reproduce the alert with dig @wan dns pqyoebe38318.app.anmorencai.com

    Kind regards,
    Roland

  • In reply to rschmid:

    Hey Folks,

    We did some further investigation on that issue and it turned out that it was not related to an ATP pattern update. The cause of the issue is a botnet that started sending UDP DNS packets for malicious domains. Those DNS requests were detected by the ATP rather than being blocked by the packet filter. After the botnet stopped sending DNS requests, ATP stopped reporting the alerts.

    We are working to improve the packet handling so that this kind of traffic is detected before it reaches the ATP engine.

    Best regards,

    Dominic Schmidl

  • In reply to DominicSchmidl:

    This makes more sense :)  

    Thanks Dominic!

  • In reply to DominicSchmidl:

    Hello Dominic

    We are receiving this alert related to C2/Generic-A from the random domain "app.anmorencai.com" also in Tunisia.

    We are facing some issues, as explained by friends here previously.

    Attached is a screenshot showing events since: April 30, 2016 15:54.

    You said that the topic is related to an update and you are working to resolve it; please note that our Firmware and UTM versions are as shown below:

    Firmware version: 9.355-1
    Pattern version: 100306

    The question is: what is the best thing to do so we no longer receive these alerts?

    1- Wait for your update, which we believe is not ready if we are still receiving the alerts; otherwise, would you explain how to implement it? You said a botnet error needs an update. Where is this update, please, and how do we make it work? Since we have the latest update, why is it not working yet? Is it still under preparation by the Sophos team, or did we miss something?

    2- We can inform our National CERT team in Tunisia to block this domain, and we can give them an official request to do so with the attached explanatory links, the screenshot and the DNS whois of the IP addresses:

    https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

    https://who.is/whois-ip/ip-address/180.97.161.226/

    https://who.is/whois-ip/ip-address/218.60.112.226/

    But do you recommend 2?

    3- Solution 3 is to configure the UTM manually so we no longer receive this alert (someone said by blocking the host or the IP range). For us a global working solution is better; we can investigate this way too, but we don't prefer it.

    Since there has been no answer on the topic for a while, we are asking where the progress is and how we should react to it, so your input as soon as possible is very highly needed and appreciated.

    Friendly regards to All the Folks.

  • In reply to DominicSchmidl:

    Dominic, 

    It looks to me like it's a DDoS technique that I remember starting back maybe around 2014. A request is made to an open recursive DNS server with a random subdomain, causing the DNS server to do a lookup because the FQDN would not be in cache. One would do this for different reasons. I'm guessing here that the source was spoofed to the external IP of the UTM.

    I'm not only seeing this in the UTM's ATP logs but also in the logs of the external DNS servers at an ISP. It is annoying that this is still generating logs in ATP. I just wish there was a better description provided to the end users.

    Tony
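The mechanism Tony describes above (random leftmost labels under one parent zone, every name a cache miss, all queries from one source) and the "DNS requests from a botnet" Dominic mentions can be picked out of a resolver's query log without any signature. The script below is an added example, not code from the thread or from Sophos: it parses a constructed, simplified log format (`<unix_ts> <client_ip> <qname> <qtype>`), groups queries by parent zone, and flags zones whose leftmost labels are almost all distinct and have high character entropy. The sample lines, the log format and the thresholds (`min_queries`, `min_distinct_ratio`, `min_entropy`) are assumptions for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample log lines (not real data): "<unix_ts> <client_ip> <qname> <qtype>".
# Every query comes from one client, matching the spoofed-source theory in the post;
# the random labels mimic the pqyoebe38318.app.anmorencai.com name seen in the thread.
SAMPLE_LOG = """\
1462029240 203.0.113.10 pqyoebe38318.app.anmorencai.com A
1462029240 203.0.113.10 kzt7a0wq11920.app.anmorencai.com A
1462029241 203.0.113.10 m3xw9qb20475.app.anmorencai.com A
1462029241 203.0.113.10 www.example.org A
1462029242 203.0.113.10 vqp1z88ys53107.app.anmorencai.com A
1462029242 203.0.113.10 mail.example.org MX
1462029243 203.0.113.10 n0dqr2ty41866.app.anmorencai.com A
1462029243 203.0.113.10 www.example.org A
"""


def parse_log(text):
    """Parse the simplified log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def split_leftmost(qname):
    """Return (leftmost_label, parent_zone), e.g. ('www', 'example.org')."""
    label, _, parent = qname.partition(".")
    return label, parent


def shannon_entropy(s):
    """Bits of entropy per character: random labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_subdomain_floods(records, min_queries=4, min_distinct_ratio=0.9, min_entropy=2.5):
    """Group queries by parent zone and flag zones whose leftmost labels are
    (almost) all different and look random. Thresholds are assumptions chosen
    for this small sample; on a real resolver log they would be far higher."""
    by_parent = defaultdict(list)
    for _, _, qname, _ in records:
        label, parent = split_leftmost(qname)
        if parent:  # ignore bare TLD queries
            by_parent[parent].append(label)

    flagged = {}
    for parent, labels in by_parent.items():
        total = len(labels)
        if total < min_queries:
            continue
        distinct = set(labels)
        ratio = len(distinct) / total                      # 1.0 means every query was a cache miss
        mean_entropy = sum(shannon_entropy(l) for l in distinct) / len(distinct)
        if ratio >= min_distinct_ratio and mean_entropy >= min_entropy:
            flagged[parent] = {
                "queries": total,
                "distinct_labels": len(distinct),
                "mean_entropy": round(mean_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in find_random_subdomain_floods(parse_log(SAMPLE_LOG)).items():
        print(f"random-subdomain flood against {zone}: {stats}")
```

On the sample the only zone flagged is `app.anmorencai.com` (five queries, five distinct labels, mean entropy above 3 bits/char), while `example.org` is left alone because its labels repeat and are dictionary words. The output is the parent zone, which is the useful unit for any block (at the resolver or in a request to a CERT): the leftmost label changes on every query, so blocking individual FQDNs or the two resolved IPs from the Tunisian post would never keep up.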

  • I came across AFCd myself in a threat found by the Sophos FW, which led me here while I was searching for the same answer.

    After a bit of searching I've found nothing more except that AFCD is an approximated-fair and controlled-delay process.

    If anyone can verify this, please do.

  • In reply to VasilisTsialtas:

    Hi, Vasilis, and welcome to the UTM Community!

    The link in your post doesn't work.  Instead of just adding the URL in the 'Link URL' field, you have to start by erasing the invalid content put there by this editor.

    In the context of Sophos, AFCd is the "Automatic Flow Control daemon."

    Cheers - Bob

  • We got some of these today when a Mac user visited a Free Fonts Download site. He went back a 2nd time to show me what he'd done, hence the 2nd round of logged events 18 minutes after the first. That 2nd visit also delivered a JS CoinMiner file as a bonus. The events were also reported against our DNS server. These do not look much like false positives.

  • In reply to MichaelMuenz:

    We've encountered the same from ATP. What I've noticed is that on the computers that were subsequently flagged, almost all users were browsing with IE.

  • In reply to eoliphedus:

    Halloj,

    Those don't look like false positives.  What do you find when you do an exhaustive malware scan on one of the computers?

    Cheers - Bob