Solved

SonicWall - Gateway Antivirus Alert:  Phish_PayPal (Trojan) blocked

Posted on 2010-11-28
Last Modified: 2012-05-10
I have a SonicWall installed on a small business network.  Today, I received the following alerts multiple times:

11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  24.143.205.187, 80, X1           Destination:  192.168.1.114, 1109, X0  

or

11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  192.168.1.114, 1107, X0                 Destination:  24.143.205.187, 80, X1    

I got multiple attempts from multiple IP addresses.  More than 20+ attempts in a short period.  I even got a TCP XMas Tree dropped Intrusion Prevention alert.

Most of these alerts came from the following IP addresses:


They were quite aggressive but the SonicWall said that they were blocked.  Is there anything I should be worried about?  My log filled up quickly and I got a ton of email notifications.

I did antivirus and spyware scans on the PCs but they came up negative.  All this occurred when I was upgrading the Norton Antivirus on some computers and upgrading some Dell support software.  Also, when I tried to update the Norton Internet Security 2011 with the LiveUpdate, one of the many patches failed to install.  It was a patch for anti-phishing.

Any advice would be appreciated.  Thanks in advance.
Question by:EE_User12
7 Comments
LVL 33

Expert Comment

by:digitap
ID: 34227203
you need to look more closely at 192.168.1.114.  appears the traffic was trying to come into that internal ip and going out from that ip.  if the alerts were of type ingress, then i'd say not to be concerned.  the sonicwall did its job and blocked the attacks.  however, the alerts indicating an internal host would make me concerned.

is 192.168.1.114 the ip of x0 on the sonicwall?
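
To work through the ingress/egress question digitap raises, here is an added example (not code from the thread, SonicWall or Norton) that parses alerts in the layout quoted in the question, tags each one by direction, and groups the WAN side by /24 so the ranges can be checked in reverse DNS. It assumes X0 is the LAN interface and X1 the WAN interface, as the thread states, and the third log entry in the sample is made up.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: the two entries quoted in the question plus one made-up 184.85.253.x entry.
SAMPLE_LOG = """\
11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  24.143.205.187, 80, X1           Destination:  192.168.1.114, 1109, X0
11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  192.168.1.114, 1107, X0                 Destination:  24.143.205.187, 80, X1
11/28/2010 16:25:01.500
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  184.85.253.57, 80, X1           Destination:  192.168.1.120, 1211, X0
"""
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
SIG_RE = re.compile(r"Gateway Anti-Virus Alert: (\S+) \((\w+)\) (\w+)")
EP_RE = re.compile(r"Source:\s+(\S+), (\d+), (X\d)\s+Destination:\s+(\S+), (\d+), (X\d)")

def parse_alerts(text):
    """Turn each four-line SonicWall alert block into a dict."""
    alerts, cur = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            cur = {"time": line.strip()}
            alerts.append(cur)
        elif cur and (m := SIG_RE.search(line)):
            cur["signature"], cur["category"], cur["action"] = m.groups()
        elif cur and (m := EP_RE.search(line)):
            cur.update(zip(("src", "sport", "sif", "dst", "dport", "dif"), m.groups()))
    return alerts

def classify(alert):
    """X0 = LAN, X1 = WAN (assumed). WAN->LAN from a service port to an ephemeral port is a reply to a LAN-initiated connection."""
    if alert["sif"] == "X1" and alert["dif"] == "X0":
        return "inbound-reply" if int(alert["sport"]) < 1024 <= int(alert["dport"]) else "inbound-unsolicited"
    return "outbound"

def summarize(alerts):
    """Count alerts per external /24 (for reverse-DNS checks) and per LAN host."""
    nets, hosts = Counter(), Counter()
    for a in alerts:
        ext, lan = (a["src"], a["dst"]) if a["sif"] == "X1" else (a["dst"], a["src"])
        nets[str(ip_network(ext + "/24", strict=False))] += 1
        hosts[lan] += 1
    return nets, hosts
```

A pair like the two quoted entries (outbound to port 80, then an inbound reply on the ephemeral port) is what a LAN host fetching content over HTTP looks like from the firewall's point of view, which is consistent with the thread's eventual conclusion that an update download tripped the signature.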

Author Comment

by:EE_User12
ID: 34227820
It is the address of one of the computers on the network.  I believe x0 is the LAN interface where I have a switch connected to the SonicWall and X1 is the WAN interface.  I'm actually using a different more unique address than the 192.168.1.x scheme.  I'm just using this as an example.  All the other addresses are valid though.  The attack is also not specific to one computer.  I may have 2 or 3 other computers giving out the same message but they are all functioning fine.  Most of the troubled computers were the ones I upgraded.  I'm not sure if their installation files were corrupted.  

The attack seems to come in pairs.  Like a remote user trying to call or install something and then the internal computer tries to do something.  The SonicWall says block but the attacks this afternoon were very persistent.  I have scanned the internal computers thoroughly with basic antivirus (Norton) and antispyware (Spybot S&D)  tools but have not found anything.  I'm not sure if I have to Combofix this.  Also this attack only occurs when connected to the Internet.  When I disconnect the WAN from the Internet, everything goes quiet.

I'm not sure if something is hiding internally or if someone is trying to break in.  I do once in a while get scans hitting on my SonicWall from the outside but I just ignore them.

I removed all the Dell software and may replace or reinstall the Norton software since the anti-phishing patch will not install.  Everything has been stable and fine for months until today.
LVL 33

Assisted Solution

by:digitap
ID: 34227886
yes...on the sonicwall, X0 is typically the LAN zone and X1 is the WAN zone.  reviewing the public IP addresses, i see several of those public IP addresses appear as AKAMAITECHNOLOGIES.COM in a reverse DNS.  the last 209.18.43.x don't resolve to anything, but most of the 184.85.253.x resolve to the domain i specified above.  to quote,

"Akamai provides many IT services like application hosting, content delivery, and streaming media services, but they are probably best known for their massive distributed computer infrastructure. In lay terms, they have upwards of 15,000+ servers positioned around the globe providing content (software downloads, etc) and media (like QuickTime, RealAudio, or Windows Media files) for their customers (the likes of Apple, GM, MTV, Department of Defense, IBM, Microsoft, Monster.com, Yahoo!, Adobe...)."

Ref: http://bit.ly/elOJAJ

At most, i'd perform a malwarebytes, but it seems you got it.  combofix seems a little aggressive, and i've stopped using spybot quite some time ago.

based on what you're seeing, what you've found in your scans and that the sonicwall is blocking things, i think you don't have anything to worry about.  seems the sonicwall may be interpreting the updates.  you may try to exclude the Phish_Paypal "filter" and try an update on one of the boxes where updates are failing.  if it succeeds, then you've got your answer.

Author Comment

by:EE_User12
ID: 34232611
I am beginning to think this may be a false positive.  I am able to replicate the SonicWall Phish_PayPal alerts every time I run the LiveUpdate in Norton.  It appears all my PCs with Norton have been affected.  For some reason, they cannot install an anti-phishing patch.

Error message:

Norton 2011 Web Protection Definitions Updates Antiphising to verify authentic websites failed to install.

All scans with Malwarebytes and SpyBotSD come up negative.  After removing the Norton, things went quiet.  Even after a fresh install of Norton, the patch still fails to install.  I have one test computer running Avast and it has no problems.  I'm assuming this is an issue between the Norton LiveUpdate and the SonicWall.  I had no problems with Norton until they recently released NIS 2011.  I have another group of computers that I take care of that are not protected by a SonicWall but their updates have been able to install successfully on Norton 2011.
LVL 33

Accepted Solution

by:digitap
ID: 34232668
yes, I agree with you.  i believe it to be a sonicwall issue.  their signatures for Phish_PayPal are generating this and probably need to be updated...perhaps that has already happened.  you might check when the last time your sonicwall definitions were updated or even the firmware you are currently running on.  you could probably disable the filter for this item safely until a fix has been released by sonicwall...possibly even with Norton in the way they distributed updates.

Author Closing Comment

by:EE_User12
ID: 34273684
Digitap, thanks again for your help.

If any readers have a similar problem, look for automated processes.  When digitap mentioned Akamai that rang a bell in my head.  Most of these automated processes go through this service.  In my situation, the SonicWall was creating a false positive when the NIS 2011 was looking for updates.  For some reason the anti-phishing update failed to install.  It might be related to the SpybotS&D or a bad upgrade on the NIS 2011.  I had varying results with my fix.  Some computers eventually were able to install the anti-phishing update after I did an uninstall of NIS 2011, updated the SpybotS&D, followed with a SpybotS&D immunization, and then reinstalled the NIS 2011.  It might or might not be related to the immunize process of the SpybotS&D not allowing the anti-phishing update to be installed.  Disabling any running programs during install made no difference.  If the update continues to fail, either disable the LiveUpdate (and do it manually) or change to another antivirus/firewall program like Avast.  I have some computers on Avast and they're doing great but I think Avast has a weak antispam feature especially for mail.  I also recommend that you update your signatures and firmware for the SonicWall like digitap mentioned.
LVL 33

Expert Comment

by:digitap
ID: 34273860
thanks for the points and the detailed information.