Rule: 

--
Sid: 
16836

-- 
Summary: 
This event is generated when a system connects to a known-malicious domain.

-- 
Impact: 
The system connecting to the domain is likely infected with malware, or may have been exposed to malicious code.

--
Detailed Information:
The Sourcefire VRT maintains a set of domain names automatically visited by malware-infected machines with no human interaction; all traffic from the machines is known to be generated by malware. After applying an extensive whitelist, the VRT pulls out the most commonly visited domains and adds them to its blacklist.rules category. The supplied reference lists the md5sum of the piece of malware used to infect the machine that generated the traffic in question.
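
The pipeline described above, as an added model that is not VRT code: automated sandbox observations are filtered through a whitelist, ranked by how many distinct samples contacted each domain, and the resulting blacklist is then matched against DNS query logs. The md5 values, domains, whitelist entries and log layout are all constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholders, not real indicators: the md5 of the sample that
# infected a sandbox, and a domain that sandbox contacted unattended.
MD5_A, MD5_B, MD5_C = ("0" * 31 + "1", "0" * 31 + "2", "0" * 31 + "3")
OBSERVATIONS = [
    (MD5_A, "cnc.example-bad.test"),
    (MD5_A, "www.msftncsi.com"),            # Windows connectivity check
    (MD5_B, "cnc.example-bad.test"),
    (MD5_B, "ads.example-adserver.test"),   # legitimate ad server
    (MD5_C, "drop.example-loader.test"),
    (MD5_C, "ads.example-adserver.test"),
]
WHITELIST = {"msftncsi.com", "example-adserver.test"}
# Assumed log layout: "<timestamp> <client ip> <queried name>" (constructed).
DNS_LOG = [
    "2024-01-01T00:00:01 10.0.0.5 beacon.cnc.example-bad.test.",
    "2024-01-01T00:00:02 10.0.0.7 www.example.com",
    "2024-01-01T00:00:03 10.0.0.9 drop.example-loader.test",
]

def in_domain(name, parent):
    """True if name equals parent or is a subdomain of it on a label boundary,
    so 'notmsftncsi.com' does not match the whitelist entry 'msftncsi.com'."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)

def is_whitelisted(domain, whitelist=WHITELIST):
    return any(in_domain(domain, w) for w in whitelist)

def build_blacklist(observations, whitelist=WHITELIST, top_n=2):
    """Drop whitelisted domains, rank the rest by how many distinct samples
    contacted them, and keep those md5s as the rule's reference."""
    samples = defaultdict(set)
    for md5, domain in observations:
        if not is_whitelisted(domain, whitelist):
            samples[domain].add(md5)
    ranked = sorted(samples.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {domain: sorted(md5s) for domain, md5s in ranked[:top_n]}

def match_dns_log(lines, blacklist):
    """Return (client, qname, md5 references) for each query at or under a
    blacklisted domain; this is the event the rule would raise."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        for domain, md5s in blacklist.items():
            if in_domain(qname, domain):
                hits.append((client, qname, md5s))
    return hits
```

Running `build_blacklist` with a whitelist that lacks the ad server reproduces the false positive the page describes: the ad domain is contacted by two samples and ranks alongside the real C2 domain.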

--
Affected Systems:
All Windows versions

--
Attack Scenarios: 
This alert is likely generated by malware communicating with the Internet in the background on an infected machine.

-- 
Ease of Attack: 
Easy; the machine is likely already infected.

-- 
False Positives:
Occasionally the VRT's whitelisting process misses legitimate servers, particularly ad servers. If you feel that the domain here is legitimate, please notify us at fp@sourcefire.com so we can investigate.

--
False Negatives:
None Known

-- 
Corrective Action: 
Scan the machine in question for malicious software. The VRT recommends ClamAV for Windows 3.0.

--
Contributors:
Sourcefire Vulnerability Research Team

-- 
Additional References:

http://labs.snort.org/docs/16836.html

--
