The more attendees who arrive for the Black Hat briefings, the busier the NOC team gets trying to keep the wireless network up and running for classes. Today I had a chance to check out the Gigamon HTTP status codes exports. Some evildoers like to hide malicious activities by using error codes.
When a client accesses a web server or application, every HTTP request the server receives is answered with an HTTP status code. These are three-digit codes, and the first digit identifies the class:
- 1xx: Informational
- 2xx: Success
- 3xx: Redirection
- 4xx: Client Error
- 5xx: Server Error
As I was playing with the solution on my lunch break, I ran the Gigamon Return Codes report to gather the HTTP status codes statistics.
Typically, the HTTP status code 404 indicates that the requested resource was not found, but I decided to investigate further. A few days ago, I was reading the Black Hat 2015 whitepaper on steganography, which is the art of hiding in plain sight. Malware covert communication channels have been rapidly evolving to avoid network-based detection. With that in mind, hiding commands in HTTP error pages is to be expected from the Black Hat audience.
I filtered on the 404 element and changed the report type to the Gigamon URL and Return codes. Among the results, I noticed s7.addthis.com:
Next, I launched the Pair Host to Host report to find out who was patient zero and passed that information to the NOC team.
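The workflow above (return-code statistics, a pivot on 404 responses by host, then a host-to-host lookup for the first internal client) as an added example in Python; this is not Gigamon or NetWitness code. The log format and sample lines are constructed assumptions, and flagging repeated 404s whose bodies are far larger than a stock error page is a heuristic added here for the hidden-content case the whitepaper describes.

```python
# Added example (not Gigamon/NetWitness code): classify HTTP status codes from
# constructed proxy-log lines, pivot on 404s by destination host, and find the
# first internal client that reached a host. Log format is an assumption.
import re
from collections import Counter, defaultdict

# Constructed sample lines: "<time> <client-ip> <method> <host> <path> <status> <bytes>"
SAMPLE_LOG = """\
2017-07-26T12:01:03 10.10.5.21 GET www.example.org /index.html 200 5120
2017-07-26T12:01:09 10.10.5.33 GET s7.addthis.com /js/300/addthis_widget.js 404 18432
2017-07-26T12:01:10 10.10.5.21 GET www.example.org /favicon.ico 404 312
2017-07-26T12:01:15 10.10.5.47 GET s7.addthis.com /js/300/addthis_widget.js 404 18501
2017-07-26T12:01:20 10.10.5.33 GET s7.addthis.com /js/300/addthis_widget.js 404 18477
2017-07-26T12:01:25 10.10.5.12 GET cdn.example.net /lib/app.js 304 0
2017-07-26T12:01:31 10.10.5.47 GET api.example.org /v1/items 500 128
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
           "4": "Client Error", "5": "Server Error"}

def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path, status, size = m.groups()
            yield {"ts": ts, "client": client, "method": method, "host": host,
                   "path": path, "status": int(status), "bytes": int(size)}

def status_class(code):
    return CLASSES.get(str(code)[0], "Unknown")

def return_code_report(records):
    return Counter(status_class(r["status"]) for r in records)

def suspicious_404_hosts(records, min_hits=2, min_bytes=4096):
    """Hosts with repeated 404s whose bodies are all far larger than a stock 404 page."""
    per_host = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            per_host[r["host"]].append(r)
    return {h: rs for h, rs in per_host.items()
            if len(rs) >= min_hits and min(x["bytes"] for x in rs) >= min_bytes}

def patient_zero(records, host):
    """Earliest internal client that talked to the host (the host-to-host pivot)."""
    hits = sorted((r for r in records if r["host"] == host), key=lambda r: r["ts"])
    return hits[0]["client"] if hits else None
```

The byte-size threshold is a starting point; a real investigation would compare against the size the same server returns for a known-missing path.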
What is s7.addthis.com?
The annoying s7.addthis.com is a potentially unwanted program. That is putting it mildly, as it can drastically degrade overall system performance and slow down the browser. It can also modify your browser settings and change the default homepage and search engine. If that weren’t bad enough, s7.addthis.com can be used to hack your account and collect your personal information for illegal purposes. The main motive of s7.addthis.com is to increase web traffic for its partner websites. It pushes annoying ads while the anti-virus tool detects no threats on your system. It might be a good time to review your browsing habits, since s7.addthis.com gets installed on your computer right after downloading free software from unsafe sources, visiting compromised websites, or opening spam email attachments. To avoid further damage, this browser hijacker needs to be removed as soon as possible.
More Updates Coming Tomorrow
If you would like some help with creating reports, such as the Gigamon HTTP Status Codes report, please reach out to our helpful support team. Also, don’t forget to come back for more Black Hat USA 2017 news tomorrow.