C&C False Call Back Detections to 255.255.255.255


1. Overview

 

On October 30, 2014, at approximately 6:00 AM GMT, Trend Micro began receiving customer reports of false Command and Control (C&C) callback detections raised by the Trend Micro Command and Control Contact Alert (CCCA) service.

 

Trend Micro’s CCCA service provides enhanced detection and alerting to mitigate the damage caused by advanced persistent threats and targeted attacks. CCCA integrates with Trend Micro’s Web Reputation Services (WRS), which determine the action taken on a detected callback address based on the configured web reputation security level.

 

The C&C IP list further enhances C&C callback detections using the Network Content Inspection Engine (NCIE) to identify C&C contacts through any network channel.

 

The reports indicated that contacts to certain IP addresses, most notably 255.255.255.255, were triggering the false detection and filling the associated logs with bogus C&C alert entries. 255.255.255.255 is the IPv4 limited broadcast address, which ordinary hosts contact routinely (for example, during DHCP discovery), so a C&C entry for it matched legitimate traffic on essentially every endpoint. The cause was traced to changes made in CCCA pattern version 1.10077.

 

2. Resolution

 

The false detection was resolved by removing the incorrect IP addresses in CCCA pattern version 1.10079, released on October 30, 2014, at approximately 6:51 AM GMT.

 

Additional preventive measures were added in CCCA pattern version 1.10081, released the same day at approximately 9:42 AM GMT.
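The advisory does not say what the preventive measures in 1.10081 are. The following is an added example, not Trend Micro code, of the kind of sanity check a practitioner would want in front of any IP indicator feed that drives network detections: reject entries that every host on a LAN legitimately contacts (limited broadcast, multicast, link-local, the unspecified address) or that can never be a remote C&C server (loopback, RFC 1918 and shared address space), and reject entries that are implausibly broad. The blocked ranges and the /24 width limit are this example's own assumptions; the sample list is constructed, with documentation-range addresses (203.0.113.x, 198.51.100.x) standing in for real indicators, which is why the filter deliberately does not reject those ranges. The `naive_pattern` function reproduces the failure mode described in the Overview: a list containing 255.255.255.255 flags a plain DHCP Discover as a C&C callback.

```python
"""Sanity-check an IPv4 indicator list before it ships as a C&C callback pattern.

Added example (not Trend Micro code). Blocked ranges, the width limit and the
sample entries are this example's own assumptions and constructed data.
"""
import ipaddress

# Address space that should never appear in a C&C indicator list. Every host
# talks to some of it (DHCP to 255.255.255.255, mDNS to 224.0.0.251, ...), so a
# single such entry turns the whole fleet into "infected".
NEVER_REMOTE_CC = {
    "unspecified": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "reserved/broadcast": ipaddress.ip_network("240.0.0.0/4"),  # contains 255.255.255.255
    "rfc1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "cgnat shared": ipaddress.ip_network("100.64.0.0/10"),
}
# Assumption: an indicator wider than a /24 is more likely a typo than a real C&C netblock.
MAX_PREFIX_WIDTH = 24


def classify_entry(entry):
    """Return (network, None) for an acceptable entry, or (None, reason) for a reject."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None, "unparseable"
    if net.version != 4:
        return None, "not IPv4"  # the advisory concerns IPv4; keep the example there
    if net.prefixlen < MAX_PREFIX_WIDTH:
        return None, f"too broad (/{net.prefixlen})"
    for label, blocked in NEVER_REMOTE_CC.items():
        if net.overlaps(blocked):
            return None, f"overlaps {label} {blocked}"
    return net, None


def build_pattern(entries):
    """Filtered pattern: list of accepted networks plus {entry: reason} for rejects."""
    accepted, rejected = [], {}
    for entry in entries:
        net, reason = classify_entry(entry)
        if net is None:
            rejected[entry] = reason
        else:
            accepted.append(net)
    return accepted, rejected


def naive_pattern(entries):
    """The 'before' behaviour: every parseable entry is taken as-is, no sanity filter."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            pass  # a malformed entry is silently dropped; nothing else is questioned
    return nets


def matches(dst_ip, pattern):
    """Would a flow to dst_ip raise a callback alert against this pattern?"""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in pattern)


# Constructed sample feed: plausible indicators mixed with local/broadcast space.
SAMPLE_LIST = [
    "203.0.113.45", "198.51.100.9/32", "203.0.113.0/24",   # stand-ins for real indicators
    "255.255.255.255", "0.0.0.0", "10.0.0.5",               # never remote C&C servers
    "224.0.0.251", "169.254.169.254",                       # mDNS, link-local metadata
    "198.51.100.0/16", "not-an-ip",                         # too broad, malformed
]

if __name__ == "__main__":
    accepted, rejected = build_pattern(SAMPLE_LIST)
    for entry, reason in rejected.items():
        print(f"REJECT {entry:<20} {reason}")
    # A DHCP Discover from any workstation goes to the limited broadcast address.
    dhcp_dst = "255.255.255.255"
    print("unfiltered pattern flags DHCP Discover:", matches(dhcp_dst, naive_pattern(SAMPLE_LIST)))
    print("filtered pattern flags DHCP Discover:  ", matches(dhcp_dst, accepted))
```

Run the feed through `build_pattern` at publication time and fail the build if `rejected` is non-empty; the reject reasons are what the root cause analysis would want to see for each bad entry.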

 

Trend Micro is currently conducting a full root cause analysis (RCA) to determine how and why the incorrect IP addresses were originally added, and how to prevent similar issues in the future.
