The more attendees who arrive for the Black Hat briefings, the busier the NOC team gets trying to keep the wireless network up and running for classes. Today I had a chance to check out the Gigamon HTTP status code exports. Some evildoers like to hide malicious activity behind HTTP error codes.

Investigating HTTP Status Codes

When accessing a web server or application, every HTTP request the server receives is answered with an HTTP status code. Each code is a three-digit number, and its first digit identifies the class of response:

  • 1xx: Informational
  • 2xx: Success
  • 3xx: Redirection
  • 4xx: Client Error
  • 5xx: Server Error

As I was playing with the solution on my lunch break, I ran the Gigamon Return Codes report to gather the HTTP status codes statistics.

Scrutinizer Return Codes Report

Typically, the HTTP status code 404 indicates that the requested resource was not found, but I decided to investigate further. A few days ago, I was reading the Black Hat 2015 whitepaper on steganography, the art of hiding in plain sight. Malware covert communication channels have been evolving rapidly in order to avoid network-based detection. With that in mind, hiding commands in HTTP error pages is to be expected from the Black Hat audience.

I filtered on the 404 element and changed the report type to the Gigamon URL and Return Codes report. Among the results, I noticed s7.addthis.com:

Scrutinizer URL and Return Codes

Next, I launched the Pair Host to Host report to find out who was patient zero and passed that information to the NOC team.

Scrutinizer Pair Host to Host
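The three-step pivot above (Return Codes, URL and Return Codes filtered on 404, then Pair Host to Host to find patient zero), as an added example that is not Plixer's or Scrutinizer's code. It runs over a constructed export whose line format (timestamp, client, server, host, path, status, bytes) is an assumption; only the host name s7.addthis.com comes from the post.

```python
import re
from collections import Counter

# Constructed sample HTTP export, one transaction per line:
# timestamp client server host path status bytes. Not real Black Hat NOC data.
SAMPLE_EXPORT = """\
2017-07-26T12:01:03 10.10.4.21 198.51.100.7 s7.addthis.com /js/300/addthis_widget.js 404 512
2017-07-26T12:01:05 10.10.4.21 198.51.100.7 s7.addthis.com /js/300/addthis_widget.js 404 512
2017-07-26T12:01:12 10.10.4.33 203.0.113.9 www.example.org /index.html 200 8120
2017-07-26T12:01:14 10.10.4.33 203.0.113.9 www.example.org /favicon.ico 404 310
2017-07-26T12:01:20 10.10.4.50 198.51.100.7 s7.addthis.com /js/300/addthis_widget.js 404 512
2017-07-26T12:01:22 10.10.4.50 203.0.113.9 www.example.org /about.html 200 4302
2017-07-26T12:01:30 10.10.4.21 198.51.100.7 s7.addthis.com /js/300/addthis_widget.js 404 512
"""

# Status classes keyed by the first digit, as listed in the post.
STATUS_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_export(text):
    """Parse the export into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, server, host, path, status, size = m.groups()
        records.append({"ts": ts, "client": client, "server": server,
                        "host": host, "path": path, "status": int(status),
                        "bytes": int(size)})
    return records

def return_codes(records):
    """Return Codes report: number of transactions per status class."""
    return Counter(STATUS_CLASSES[str(r["status"])[0]] for r in records)

def url_and_return_codes(records, status):
    """URL and Return Codes report filtered on one status (e.g. 404)."""
    return Counter((r["host"], r["path"]) for r in records if r["status"] == status)

def pair_host_to_host(records, host, status):
    """Pair Host to Host report for one host/status: client->server hit counts
    plus the earliest client seen, i.e. patient zero."""
    hits = sorted((r for r in records if r["host"] == host and r["status"] == status),
                  key=lambda r: r["ts"])
    pairs = Counter((r["client"], r["server"]) for r in hits)
    patient_zero = hits[0]["client"] if hits else None
    return pairs, patient_zero
```

On the sample data the 404 filter surfaces s7.addthis.com with four hits, and the pair report names 10.10.4.21 as the first client to talk to it.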

What is s7.addthis.com?

The annoying s7.addthis.com is a potentially unwanted program. That is putting it mildly, as it can drastically degrade overall system performance and slow the browser down. It can also modify your browser settings and change the default homepage and search engine. If that weren't bad enough, s7.addthis.com can be used to hijack your account and collect your personal information for illegal purposes. The main motive of s7.addthis.com is to increase web traffic for its partner websites. It pushes annoying ads while anti-virus tools detect no threats on the system. It might be a good time to review your browsing habits, since s7.addthis.com gets installed on your computer right after downloading free software from unsafe sources, visiting compromised websites, or opening spam email attachments. To avoid further damage, this browser hijacker needs to be removed as soon as possible.

More Updates Coming Tomorrow

If you would like some help with creating reports, such as the Gigamon HTTP Status Codes report, please reach out to our helpful support team. Also, don’t forget to come back for more Black Hat USA 2017 news tomorrow.

Anna McElhany

Anna is a Quality Assurance Analyst at Plixer. She is dedicated to creating customer-facing documentation and identifying any potential problems that users might encounter. Anna holds a degree in Computer Technology, the AWS Certified SysOps Administrator - Associate, CCNA R&S, CCNA Security, and CompTIA Network+ and Security+ certifications, as well as NSTISSI Security INFOSEC Professional recognition. In her free time, Anna enjoys spending time with friends and family, flying drones, and hiking.