Backoff malware components run HTTP POST commands for command and control data. This bundle detects the HTTP POST commands used by the Backoff malware client. It will report on the clients making the query and can alert when the events occur.
- Download and install the bundle.
- Assign the trigger Backoff Malware Command and Control Activity (part of the bundle) to a device or group of devices. For example, to assign the trigger to all devices in the 10.10.6.0/24 subnet, use the following criteria for a dynamic group: ip address = /^10.10.6./.
- Click Capture and assign the Backoff Victims capture page to the networks that have been assigned the trigger. This will create a new entry in the tree control called Backoff Victims.
- The custom capture page will show the number of occurrences of Backoff malware command and control activity in the currently set time interval. To see the clients making the query, click on the count.
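The dynamic-group criterion in the trigger step above is a regular expression, so its unescaped dots match any character and nothing anchors the end of the address. This added example (not part of the bundle) checks which devices such a criterion pulls in from a constructed inventory, beside a tightened pattern that I assume reflects the intended 10.10.6.0/24 scope.

```python
import re
from ipaddress import ip_address, ip_network

# Criterion exactly as the page gives it. In a regex an unescaped "." matches
# any character and there is no end anchor, so this also matches addresses
# such as 10.10.60.x and 10.10.61.x.
PAGE_CRITERION = re.compile(r"^10.10.6.")

# Tightened criterion (my assumption about the intended scope): escaped dots
# and a final octet anchored to the end of the string.
STRICT_CRITERION = re.compile(r"^10\.10\.6\.\d{1,3}$")

# The subnet the page's example names.
TARGET_SUBNET = ip_network("10.10.6.0/24")


def group_members(ips, criterion):
    """Devices a dynamic group with the given regex criterion would include."""
    return [ip for ip in ips if criterion.search(ip)]


def out_of_scope(ips, criterion):
    """Devices the criterion includes that are not in 10.10.6.0/24,
    i.e. hosts that would get the trigger assigned unintentionally."""
    return [ip for ip in group_members(ips, criterion)
            if ip_address(ip) not in TARGET_SUBNET]


def missed(ips, criterion):
    """Devices in 10.10.6.0/24 that the criterion fails to include."""
    return [ip for ip in ips
            if ip_address(ip) in TARGET_SUBNET and not criterion.search(ip)]


# Constructed device inventory (not from the page).
SAMPLE_DEVICES = [
    "10.10.6.15", "10.10.6.200", "10.10.60.3", "10.10.61.9",
    "10.10.7.1", "10.1.6.5",
]

if __name__ == "__main__":
    for name, crit in (("page", PAGE_CRITERION), ("strict", STRICT_CRITERION)):
        print(name, "members:", group_members(SAMPLE_DEVICES, crit))
        print(name, "out of scope:", out_of_scope(SAMPLE_DEVICES, crit))
        print(name, "missed:", missed(SAMPLE_DEVICES, crit))
```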
To assign the alert:
- On the Capture page, add the Backoff Malware Alert to the capture.
- Navigate to the Alert History page in the left-hand navigation.
- Click Configure Alerts in the upper right.
- Select the alert Backoff Malware Alert to modify it.
- Under the Notifications tab, modify the values to meet your notification needs.