Solved

Zeus P2P

Posted on 2013-02-05
3,212 Views
Last Modified: 2013-11-22
We have recently taken over an organization as their outside IT.  We are in the process of cleaning their entire IT world up.

We have a Zeus P2P in the network on a computer.  We are trying to locate this remotely.  We have a sonicwall that is already set to block P2P programs, but it is not catching the Zeus P2P.  The way we know we have it is our ISP is sending us logs where they are catching it on the outside IP.

We have installed Symantec Endpoint Protection on all computers and even it has not found it yet.  Though it did find many many other viruses.

Does anyone know of a way that I can sniff this out remotely?  We are 3 hours from this company and would like to at least pinpoint the computer that is infected, and if we have to we will go on site and pick this machine up.

Thanks for the help.
Question by:considerscs
10 Comments
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38858084
Do you have viewpoint on the sonicwall?
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38858092
0
 
LVL 63

Assisted Solution

by:btan
btan earned 187 total points
ID: 38858256
Quick take - with the new zeus v3 p2p, there's no obvious communications with the C&C server at all. On top of that, the bots' communication to exchange configuration information is in UDP packets rather than TCP. This makes it more difficult to track communications because of the lack of handshaking and transactional state information in the former type of packets. And each bot is a web server unto itself, allowing other bots to make encrypted HTTP requests over TCP for command and control information on a pseudorandom port set by the configuration.

See this from Symantec; it should already have a signature for it though:
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25879

E.g. more UDP and less TCP; using nginx, an open source, minimal web server, it sends POST requests to a peer on a random TCP port.

http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Watch out for the comms using high TCP and UDP ports. The infected computer or node will do a version query and receive a version of the config file and the TCP port for data tx. Thereafter it makes a node query, and potentially 10 nodes, each represented as (node-ID (SHA1 based), Node-IP and Node-UDP-Port), are returned from the P2P n/w.

See more recognition patterns in this link (http://www.cert.pl/news/4711/langswitch_lang/en).

The following are also possible strings in your web proxy logs, which are being used as dropzones for this ZeuS version (using HTTP POST):

/gameover.php
/gameover2.php
/gameover3.php

See this link (http://www.abuse.ch/?p=3499).
0
 
LVL 63

Assisted Solution

by:btan
btan earned 187 total points
ID: 38858262
Others are trying to detect this as well.

Excerpt

...I left wireshark on overnight and this morning a particular machine in the local network has started communicating to hundreds of unique IP addresses on UDP 16464!

http://www.experts-exchange.com/Software/Office_Productivity/Groupware/Outlook/Q_27813329.html
0
 
LVL 1

Author Comment

by:considerscs
ID: 38859820
My logs are catching the Zeus P2P working on the SonicWALL, but it is showing as the outside IP.

I need to be able to pinpoint that traffic on those ports to the inside IP.  I'm more of a Cisco guy, so SonicWALLs are new to me.

@aarontomosky - I do have Viewpoint.   I currently have the logs emailing to me when full.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38859899
Viewpoint has a web console where you can run reports and see what internal IP is doing that external traffic. It's really the only way to view that kind of traffic unless you set up NetFlow (SonicWALL has it, but it's an extra license like Viewpoint). If you have NetFlow you can use PRTG or SolarWinds or Nagios, etc., to view that stuff. But the Viewpoint reports should be adequate for your needs.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 187 total points
ID: 38859997
I was also thinking of Scrutinizer:

http://www.sonicguard.com/SonicWALL-Scrutinizer.asp
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38860022
Viewpoint became Analyzer when Dell bought them. I think Scrutinizer is a more powerful version of that, if I remember right. There are also some built-in dashboards with real-time data, if you are licensed, that can do the same traffic breakdowns.
0
 
LVL 1

Author Comment

by:considerscs
ID: 38860051
I am licensed for Viewpoint.  I'm looking at trying to get a free syslog app to send the logs to.  The logs emailed are of no help, as they do not show the inside IP that is sending the UDP port traffic to the outside IP.
0
 
LVL 39

Accepted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38860645
If you are licensed for Viewpoint, you have to download it. I use the virtual appliance, as it's ready to go.

There are settings in the sonicwall that let you choose what events get sent to different logs, including the syslog. Not all the boxes are checked by default...
0
