[Emerging-Sigs] JA3 flags official Firefox distribution sites as malware

Michał Purzyński michalpurzynski1 at gmail.com
Mon Oct 28 12:19:34 HDT 2019


Anyone having any luck with those new signatures? I believe they are flawed
by design. JA3, having tons of collisions, has never been intended for
detection, especially when used in a signature of the form "if A then ALARM".

On top of that, you're flagging official Firefox distribution sites as
malware. I think I know what's going on, as it used to be the case in the
past:

1. someone, somewhere, takes the official installer and backdoors it. This
invalidates the binary's signature, but users don't care ;)
2. the backdoored version downloads Firefox from us and malware from
somewhere else
3. the sandbox that's responsible for generating signatures just flags
every kind of traffic egressing from the system as "malware related"
4. boom, we're on the list
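To illustrate the collision point above, here is an added example (not part of the original post or of any Emerging Threats signature) that builds JA3 strings and hashes from constructed ClientHello parameters: a browser and a downloader embedding the same TLS stack yield an identical JA3, so a rule keyed on the hash alone alerts on both, while a rule that also looks at the destination host can at least route the known-good case to review instead of an alarm. All parameter lists, hostnames and the blocklist are constructed for the example.

```python
import hashlib

# JA3 drops GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) before hashing.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five fields joined by ',', values in a field joined by '-'."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])

def ja3_hash(ja3_str):
    """JA3 fingerprint is the MD5 of the JA3 string, as lowercase hex."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()

# Constructed ClientHello parameters (not captured from real Firefox traffic).
BROWSER = (771,
           [4865, 4866, 4867, 49195, 49199, 52393, 52392, 49196, 49200, 156, 157, 47, 53],
           [0, 23, 65281, 10, 11, 35, 16, 5, 51, 43, 13, 45, 28, 21],
           [29, 23, 24, 25, 256, 257],
           [0])

# A downloader built on the same TLS stack: identical parameters, plus a GREASE
# cipher and extension (2570 == 0x0a0a) that JA3 strips anyway.
DOWNLOADER = (771,
              [2570] + BROWSER[1],
              [2570] + BROWSER[2],
              BROWSER[3],
              BROWSER[4])

def ja3_only_verdict(fp, blocklist):
    """The 'if A then ALARM' rule criticised above: the hash alone decides."""
    return "alert" if fp in blocklist else "ok"

def contextual_verdict(fp, sni, blocklist, known_good_hosts):
    """Same hash match, but traffic to a known distribution host is sent to
    review rather than alarmed on the fingerprint alone."""
    if fp not in blocklist:
        return "ok"
    return "review" if sni in known_good_hosts else "alert"

if __name__ == "__main__":
    fp_browser = ja3_hash(ja3_string(*BROWSER))
    fp_downloader = ja3_hash(ja3_string(*DOWNLOADER))
    print("collision:", fp_browser == fp_downloader)
    blocklist = {fp_downloader}  # constructed: what a sandbox-derived sig would carry
    print(ja3_only_verdict(fp_browser, blocklist))
    print(contextual_verdict(fp_browser, "firefox-distribution.example",
                             blocklist, {"firefox-distribution.example"}))
```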