Zeus P2P

considerscs
We have recently taken over an organization as their outside IT.  We are in the process of cleaning their entire IT world up.

We have a Zeus P2P in the network on a computer.  We are trying to locate this remotely.  We have a SonicWall that is already set to block P2P programs, but it is not catching the Zeus P2P.  The way we know we have it is our ISP is sending us logs where they are catching it on the outside IP.

We have installed Symantec Endpoint Protection on all computers and even it has not found it yet.  Though it did find many many other viruses.

Does anyone know of a way that I can sniff this out remotely?  We are 3 hours from this company and would like to at least pinpoint the computer that is infected, and if we have to we will go on site and pick this machine up.

Thanks for the help.
Aaron Tomosky, Director of Solutions Consulting
Commented:
Do you have Viewpoint on the SonicWall?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Quick take - with the new Zeus v3 P2P, there's no obvious communication with the C&C server at all. On top of that, the bots' communication to exchange configuration information is in UDP packets rather than TCP. This makes it more difficult to track communications because of the lack of handshaking and transactional state information in the former type of packets. And each bot is a web server unto itself, allowing other bots to make encrypted HTTP requests over TCP for command and control information on a pseudorandom port set by the configuration.

See this from Symantec; it should already have a signature for it, though:
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25879

E.g. more UDP and less TCP; using nginx, an open source, minimal web server, it sends POST requests to a peer using a random TCP port.

http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Watch out for the comms using high TCP and UDP ports. The infected computer or node will do a version query and receive a version of the config file and a TCP port for data tx. Thereafter, it makes a node query, and potentially 10 nodes, each represented as (node-ID (SHA1 based), Node-IP, Node-UDP-Port), are returned from the P2P network.

See more recognition patterns in this link (http://www.cert.pl/news/4711/langswitch_lang/en)

The following are also possible strings in your web proxy logs, which are being used as the dropzone for this ZeuS version (using HTTP POST):

/gameover.php
/gameover2.php
/gameover3.php

See in this link (http://www.abuse.ch/?p=3499)

btan, Exec Consultant
Distinguished Expert 2018
Commented:
Others are trying to detect this as well.

Excerpt

...I left wireshark on overnight and this morning a particular machine in the local network has started communicating to hundreds of unique IP addresses on UDP 16464!

http://www.experts-exchange.com/Software/Office_Productivity/Groupware/Outlook/Q_27813329.html
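The two indicators btan gives above (one inside host fanning out to hundreds of unique peers on UDP 16464, and HTTP POSTs to the /gameover*.php dropzone paths) are easy to check mechanically once you have logs that record the inside IP. The script below is an added example, not code from this thread, Symantec, abuse.ch or CERT.pl; both log formats it parses are constructed for the example (a real SonicWall, Viewpoint or NetFlow export needs its own parser, but the detection logic is the same once each record yields source, destination, protocol and port), and the sample records use RFC 5737 documentation addresses for the outside IPs.

```python
"""Added example: triage flow records and proxy logs for the Zeus P2P
patterns described in this thread (UDP 16464 fan-out to many peers, HTTP
POSTs to /gameover*.php dropzone paths).

Both input formats below are constructed for this example; they are not a
SonicWall, Viewpoint or NetFlow export format.
"""
from collections import defaultdict
from urllib.parse import urlparse
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Constructed flow format: "<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
FLOW_RE = re.compile(rf"^(\S+)\s+(TCP|UDP)\s+{IP}:(\d+)\s+->\s+{IP}:(\d+)$")
# Constructed proxy format: "<ts> <client_ip> <METHOD> <url>"
PROXY_RE = re.compile(rf"^(\S+)\s+{IP}\s+([A-Z]+)\s+(\S+)$")

# Dropzone paths quoted in the thread (from the abuse.ch post).
DROPZONE_PATHS = {"/gameover.php", "/gameover2.php", "/gameover3.php"}
ZEUS_P2P_UDP_PORT = 16464  # port seen in the excerpt quoted above


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def udp_fanout(flow_lines, port=ZEUS_P2P_UDP_PORT, min_peers=100):
    """Map each source IP to the number of distinct destinations it reached on
    UDP <port>, keeping only sources at or above min_peers. The infected host
    in the thread hit hundreds of unique peers, hence the high default."""
    peers = defaultdict(set)
    for line in flow_lines:
        rec = parse_flow(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == port:
            peers[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


def dropzone_posts(proxy_lines):
    """Map client IP to the list of URLs it POSTed to a known dropzone path."""
    hits = defaultdict(list)
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, url = m.groups()
        if method == "POST" and urlparse(url).path in DROPZONE_PATHS:
            hits[client].append(url)
    return dict(hits)


def suspects(flow_lines, proxy_lines, min_peers=100):
    """Sorted list of inside IPs flagged by either indicator."""
    flagged = set(udp_fanout(flow_lines, min_peers=min_peers)) | set(dropzone_posts(proxy_lines))
    return sorted(flagged)


# Constructed sample data (RFC 5737 documentation ranges for the outside IPs).
SAMPLE_FLOWS = [
    f"2012-07-24T02:00:0{i} UDP 192.168.1.23:2{i}000 -> 203.0.113.{i}:16464"
    for i in range(1, 7)
] + [
    "2012-07-24T02:01:00 UDP 192.168.1.50:33333 -> 203.0.113.1:16464",   # one peer only
    "2012-07-24T02:01:05 TCP 192.168.1.77:44444 -> 198.51.100.7:16464",  # TCP, not counted
    "2012-07-24T02:01:10 UDP 192.168.1.23:53001 -> 192.168.1.1:53",      # ordinary DNS
    "malformed line that the parser must skip",
]
SAMPLE_PROXY = [
    "2012-07-24T02:02:00 192.168.1.23 POST http://203.0.113.9/gameover2.php",
    "2012-07-24T02:02:05 192.168.1.50 GET http://203.0.113.9/gameover.php",  # GET, not a POST
    "2012-07-24T02:02:10 192.168.1.23 POST http://203.0.113.9/index.php",    # unrelated POST
]

if __name__ == "__main__":
    for host, n in udp_fanout(SAMPLE_FLOWS, min_peers=5).items():
        print(f"{host}: {n} distinct peers on UDP/{ZEUS_P2P_UDP_PORT}")
    for host, urls in dropzone_posts(SAMPLE_PROXY).items():
        print(f"{host}: POST to dropzone {urls}")
    print("suspects:", suspects(SAMPLE_FLOWS, SAMPLE_PROXY, min_peers=5))
```

The fan-out threshold is the part to tune: a single UDP 16464 flow means little, while one inside address reaching dozens or hundreds of distinct outside peers on that port in a short window is the pattern from the quoted excerpt. The emailed SonicWall logs in this thread only carry the NATed outside address, so the script is only useful on a source (syslog, Viewpoint/Analyzer report or NetFlow export) that preserves the inside IP.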

Author
Commented:
My logs are catching the Zeus P2P working on the SonicWall, but it is showing as the outside IP.

I need to be able to pinpoint that traffic on those ports to the inside IP.  I'm more of a Cisco guy, so SonicWalls are new to me.

@aarontomosky - I do have Viewpoint.   I currently have the logs emailing to me when full.
Aaron Tomosky, Director of Solutions Consulting
Commented:
Viewpoint has a web console where you can run reports and see what internal IP is doing that external traffic. It's really the only way to view that kind of traffic unless you set up NetFlow (SonicWall has it, but it's an extra license like Viewpoint). If you have NetFlow you can use PRTG, SolarWinds, Nagios, etc. to view that stuff. But the Viewpoint reports should be adequate for your needs.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
I was also thinking of Scrutinizer.

http://www.sonicguard.com/SonicWALL-Scrutinizer.asp
Aaron Tomosky, Director of Solutions Consulting
Commented:
Viewpoint became Analyzer when Dell bought them. I think Scrutinizer is a more powerful version of that, if I remember right. There are also some built-in dashboards with real-time data, if you are licensed, that can do the same traffic breakdowns.

Author
Commented:
I am licensed for Viewpoint.  I'm looking at trying to get a free syslog app to send the logs to.  The logs emailed are of no help, as they do not show the inside IP that is sending the UDP port traffic to the outside IP.
Aaron Tomosky, Director of Solutions Consulting
Commented:
If you are licensed for Viewpoint, you have to download it. I use the virtual appliance, as it's ready to go.

There are settings in the SonicWall that let you choose what events get sent to different logs, including the syslog. Not all the boxes are checked by default...
