Solved

Zeus P2P

Posted on 2013-02-05
Last Modified: 2013-11-22
We have recently taken over an organization as their outside IT.  We are in the process of cleaning their entire IT world up.

We have a Zeus P2P in the network on a computer.  We are trying to locate this remotely.  We have a sonicwall that is already set to block P2P programs, but it is not catching the Zeus P2P.  The way we know we have it is our ISP is sending us logs where they are catching it on the outside IP.

We have installed Symantec Endpoint Protection on all computers and even it has not found it yet.  Though it did find many many other viruses.

Does anyone know of a way that I can sniff this out remotely?  We are 3 hours from this company and would like to at least pinpoint the computer that is infected, and if we have to we will go on site and pick this machine up.

Thanks for the help.
Question by:considerscs

Assisted Solution

by:Aaron Tomosky
Do you have Viewpoint on the SonicWALL?

Assisted Solution

by:btan
Quick take - with the new Zeus v3 P2P, there are no obvious communications with the C&C server at all. On top of that, the bots' communication to exchange configuration information is in UDP packets rather than TCP. This makes it more difficult to track communications because of the lack of handshaking and transactional state information in the former type of packets. And each bot is a web server unto itself, allowing other bots to make encrypted HTTP requests over TCP for command and control information on a pseudorandom port set by the configuration.

See this from Symantec; it should already have a signature for it, though:
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25879

E.g. more UDP and less TCP; using nginx, an open source, minimal web server, it sends POST requests to a peer using a random TCP port.

http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Watch out for the comms using high TCP and UDP ports. The infected computer or node will do a version query and receive a version of the config file and the TCP port for data tx. Thereafter, it makes a node query, and potentially 10 nodes, represented as (node-ID (SHA1 based), Node-IP and Node-UDP-Port), are returned from the P2P n/w.

See more recognition patterns at this link (http://www.cert.pl/news/4711/langswitch_lang/en).

The following are also possible strings in your web proxy logs, which are being used as a dropzone for this ZeuS version (using HTTP POST):

/gameover.php
/gameover2.php
/gameover3.php

See in this link (http://www.abuse.ch/?p=3499)

Assisted Solution

by:btan
Others are trying to detect this as well.

Excerpt

...I left wireshark on overnight and this morning a particular machine in the local network has started communicating to hundreds of unique IP addresses on UDP 16464!

http://www.experts-exchange.com/Software/Office_Productivity/Groupware/Outlook/Q_27813329.html

Author Comment

by:considerscs
My logs are catching the Zeus P2P working on the SonicWALL, but it is showing as the outside IP.

I need to be able to pinpoint that traffic on those ports to the inside IP.  I'm more of a Cisco guy, so SonicWALLs are new to me.

@aarontomosky - I do have Viewpoint.   I currently have the logs emailing to me when full.

Assisted Solution

by:Aaron Tomosky
Viewpoint has a web console where you can run reports and see what internal IP is generating that external traffic. It's really the only way to view that kind of traffic unless you set up NetFlow (SonicWALL has it, but it's an extra license like Viewpoint). If you have NetFlow you can use PRTG or SolarWinds or Nagios, etc. to view that stuff. But the Viewpoint reports should be adequate for your needs.

Assisted Solution

by:btan
I was also thinking of Scrutinizer:

http://www.sonicguard.com/SonicWALL-Scrutinizer.asp

Assisted Solution

by:Aaron Tomosky
Viewpoint became Analyzer when Dell bought them. I think Scrutinizer is a more powerful version of that, if I remember right. There are also some built-in dashboards with real-time data, if you are licensed, that can do the same traffic breakdowns.

Author Comment

by:considerscs
I am licensed for Viewpoint.  I'm looking at trying to get a free syslog app to send the logs to.  The logs emailed are of no help, as they do not show the inside IP that is sending the UDP port traffic to the outside IP.

Accepted Solution

by:Aaron Tomosky
If you are licensed for viewpoint, you have to download it. I use the virtual appliance as it's ready to go.

There are settings in the sonicwall that let you choose what events get sent to different logs, including the syslog. Not all the boxes are checked by default...
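As an added example (not code from the thread, from SonicWALL or from Dell), one way to do the correlation the thread is after once the firewall's connection events reach a syslog receiver: map each inside IP to the distinct external peers it reaches on UDP high ports, flag the fan-out btan and the Wireshark excerpt describe, and check proxy logs for the /gameover*.php dropzone POSTs. The log line layout, field names and sample addresses are constructed assumptions for this example, not a documented SonicWALL format.

```python
import ipaddress
import re
from collections import defaultdict

# Internal (RFC 1918) ranges: the "inside IP" the thread wants to recover.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# key=value connection fields; the field names are an assumption modelled on
# firewall syslog exports, not a documented SonicWALL schema: adjust for your receiver.
CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+:\S+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+):\S+\s+proto=(?P<proto>tcp|udp)/")
# Dropzone paths quoted in the thread, seen as HTTP POST in web proxy logs.
DROPZONE_RE = re.compile(r"\bPOST\b.*?/gameover\d*\.php\b")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def udp_peer_fanout(lines, min_port=1024):
    """Map each internal source IP to the distinct external peers it reached
    over UDP on a high destination port (>= min_port)."""
    peers = defaultdict(set)
    for line in lines:
        m = CONN_RE.search(line)
        if not m or m["proto"] != "udp" or int(m["dport"]) < min_port:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if is_internal(src) and not is_internal(dst):
            peers[str(src)].add(str(dst))
    return peers

def suspect_hosts(lines, threshold=50):
    """Internal IPs reaching at least `threshold` distinct external peers on
    UDP high ports: the fan-out a P2P bot produces and a DNS client does not."""
    return sorted(h for h, p in udp_peer_fanout(lines).items() if len(p) >= threshold)

def dropzone_posts(proxy_lines):
    """Proxy log lines carrying a POST to one of the /gameover*.php dropzones."""
    return [l for l in proxy_lines if DROPZONE_RE.search(l)]

# Constructed sample data: host .10 talks to 120 peers on UDP 16464 and other
# high ports (the pattern from the Wireshark excerpt); host .25 does DNS and HTTPS.
LINE = 'id=fw m=98 msg="Connection Opened" src={s}:{sp}:X0 dst={d}:{dp}:X1 proto={p}/{dp}'
SAMPLE_FW = [LINE.format(s="192.168.1.10", sp=50000 + i, d=f"203.0.113.{i}",
                         dp=16464 if i % 2 else 20000 + i, p="udp") for i in range(1, 121)]
SAMPLE_FW += [LINE.format(s="192.168.1.25", sp=53001, d="198.51.100.53", dp=53, p="udp"),
              LINE.format(s="192.168.1.25", sp=49152, d="203.0.113.200", dp=443, p="tcp")]
SAMPLE_PROXY = ["192.168.1.10 POST http://dropzone.example/gameover2.php 200",
                "192.168.1.25 GET http://www.example.com/index.html 200"]

if __name__ == "__main__":
    print("suspects:", suspect_hosts(SAMPLE_FW))                 # ['192.168.1.10']
    print("dropzone posts:", len(dropzone_posts(SAMPLE_PROXY)))  # 1
```

Feed it the raw lines from whatever syslog receiver the firewall forwards to; the threshold is a tuning knob, since legitimate UDP services such as DNS sit below port 1024 and are excluded anyway.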