So, in that spirit, if you want to play along with your own ELSA instance and read the shadowserver.org post, you'd just keep gedit or notepad open and paste terms in every so often. The post makes it especially easy by bolding its IoCs. What you end up with is something like this list of indicators:
Edit: I had to add spaces because Websense keeps flagging this site as malicious.
Now the fun part: copy and paste that whole list into the ELSA search field and hit submit. It's as easy as that. Since this was a targeted attack, there probably wasn't a hit for your org. Don't feel too left out yet, though: there's more hunting to be done. One of the design goals for ELSA was to make it as easy as possible to take a starting point and fuzz the search to find related things. In this case, you can widen from the full hostnames to their parent domains, so you can tack on these terms:
ddns .us
audioelectronic .com
dns05 .com
163.com .fr
support-office-microsoft .com
If you're using the httpry_logger.pl script that ships with ELSA, or you've got Bro DNS logs being sent to ELSA, you could get some hits there. Still no hits? Let's dig even further. If you're a member of ISC's DNSDB, you can do some passive DNS checks to see what other names have resolved to those malicious IPs (or use the ELSA plugin for DNSDB). For instance, windows.ddns .us resolved to 59.120.140 .77 on May 9th for some DNSDB member. You can add that to the search list. Then, by asking what other domains have resolved to 59.120.140 .77 in the past, you get:
So you can tack all of these on as well. If you still haven't gotten any hits, this wasn't all for nothing. Click the "Results..." button and set an alert to fire on future occurrences of this search, so you'll be notified if your org is ever attacked using any of this infrastructure. Since these indicators are likely to become irrelevant soon, you can stick with the default end date of a week, or extend it if you like.
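To mechanise the list-building and domain-widening steps above, here is an added Python example (not ELSA's own code, and not part of the original post). It refangs indicators written in the post's space-before-the-dot style, deduplicates them, and derives the parent-domain pivot terms; the sample list, the FILE_EXTS set and the "last two labels" rule are assumptions for illustration.

```python
import re

# Indicators copied from the post in its defanged style (space before the final dot); one is repeated on purpose.
SAMPLE_IOCS = [
    "159.54.62 .92", "glogin.ddns .us", "www.audioelectronic .com",
    "javaup.updates.dns05 .com", "nxianguo1985@163.com .fr", "BrightBalls .swf",
    "glogin.ddns .us",
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
FILE_EXTS = {"swf", "exe", "dll", "jar", "pdf", "doc"}  # assumption: illustrative set

def refang(term):
    """Undo the defanging: 'ddns .us' -> 'ddns.us' (also the common '[.]' form)."""
    return term.strip().replace(" .", ".").replace("[.]", ".")

def classify(term):
    """Return (kind, refanged term) with kind in ip, email, file, host or other."""
    t = refang(term)
    if IPV4.match(t):
        return "ip", t
    if "@" in t:
        return "email", t
    if t.rsplit(".", 1)[-1].lower() in FILE_EXTS:
        return "file", t
    return ("host" if HOSTNAME.match(t) else "other"), t

def parent_domain(host):
    """Widen a hostname to its registrable domain (glogin.ddns.us -> ddns.us); None if
    already bare. Assumes the last two labels; suffixes like co.uk need a PSL."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else None

def expand_iocs(lines):
    """Deduplicate the pasted list and derive the wider pivot terms the post adds:
    registrable domains for hostnames, the domain part for e-mail addresses."""
    terms, pivots = [], []
    for line in lines:
        kind, t = classify(line)
        if t not in terms:
            terms.append(t)
        pivot = None
        if kind == "host":
            pivot = parent_domain(t)
        elif kind == "email":
            pivot = t.split("@", 1)[1].lower()
        if pivot and pivot not in terms and pivot not in pivots:
            pivots.append(pivot)
    return terms, pivots

FIRST_TERMS, PIVOT_TERMS = expand_iocs(SAMPLE_IOCS)  # paste FIRST_TERMS, then widen with PIVOT_TERMS
```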
By constantly dumping search terms into ELSA as you read, you can start finding some really interesting events that might have otherwise been missed. That's why I encourage those of you who have an ELSA instance (if you don't, take a half hour and install it!) to keep it handy as you progress through your daily feeds.