Solved

Zeus P2P

Posted on 2013-02-05
10
3,226 Views
Last Modified: 2013-11-22
We have recently taken over an organization as their outside IT.  We are in the process of cleaning their entire IT world up.

We have a Zeus P2P in the network on a computer.  We are trying to locate this remotely.  We have a sonicwall that is already set to block P2P programs, but it is not catching the Zeus P2P.  The way we know we have it is our ISP is sending us logs where they are catching it on the outside IP.

We have installed Symantec Endpoint Protection on all computers and even it has not found it yet.  Though it did find many many other viruses.

Does anyone know of a way that I can sniff this out remotely?  We are 3 hours from this company and would like to at least pinpoint the computer that is infected, and if we have to we will go on site and pick this machine up.

Thanks for the help.
0
Question by:considerscs
10 Comments
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38858084
Do you have viewpoint on the sonicwall?
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38858092
0
 
LVL 64

Assisted Solution

by:btan
btan earned 187 total points
ID: 38858256
Quick take - with the new Zeus v3 P2P, there's no obvious communication with the C&C server at all. On top of that, the bots' communication to exchange configuration information is in UDP packets rather than TCP. This makes it more difficult to track communications because of the lack of handshaking and transactional state information in the former type of packets. And each bot is a web server unto itself, allowing other bots to make encrypted HTTP requests over TCP for command and control information on a pseudorandom port set by the configuration.

See this from Symantec; it should already have a signature for it, though:
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25879

E.g. more UDP and less TCP; using nGinx, an open source, minimal web server, it sends POST requests to a peer using a random TCP port:

http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Watch out for the comms using high TCP and UDP ports. The infected computer or node will do a version query and receive a version of the config file and a TCP port for data tx. Thereafter, it makes a node query, and potentially 10 nodes represented as (node-ID (SHA1 based), Node-IP and Node-UDP-Port) are returned from the P2P n/w.

See more recognition patterns in this link (http://www.cert.pl/news/4711/langswitch_lang/en)

The following are also possible strings in your web proxy logs, which are being used as a dropzone for this ZeuS version (using HTTP POST):

/gameover.php
/gameover2.php
/gameover3.php

See in this link (http://www.abuse.ch/?p=3499)
0
 
LVL 64

Assisted Solution

by:btan
btan earned 187 total points
ID: 38858262
Others are trying to detect this as well.

Excerpt

...I left wireshark on overnight and this morning a particular machine in the local network has started communicating to hundreds of unique IP addresses on UDP 16464!

http://www.experts-exchange.com/Software/Office_Productivity/Groupware/Outlook/Q_27813329.html
0
 
LVL 1

Author Comment

by:considerscs
ID: 38859820
My logs are catching the Zeus P2P working on the SonicWALL, but it is showing as the outside IP.

I need to be able to pinpoint that traffic on those ports to the inside IP.  I'm more of a Cisco guy, so SonicWALLs are new to me.

@aarontomosky - I do have Viewpoint.   I currently have the logs emailing to me when full.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38859899
Viewpoint has a web console where you can run reports and see what internal IP is doing that external traffic. It's really the only way to view that kind of traffic unless you set up NetFlow (SonicWALL has it, but it's an extra license like Viewpoint). If you have NetFlow you can use PRTG or SolarWinds or Nagios, etc. to view that stuff. But the Viewpoint reports should be adequate for your needs.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 187 total points
ID: 38859997
I was also thinking of Scrutinizer:

http://www.sonicguard.com/SonicWALL-Scrutinizer.asp
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 313 total points
ID: 38860022
Viewpoint became Analyzer when Dell bought them. I think Scrutinizer is a more powerful version of that, if I remember right. There are also some built-in dashboards with real-time data, if you are licensed, that can do the same traffic breakdowns.
0
 
LVL 1

Author Comment

by:considerscs
ID: 38860051
I am licensed for Viewpoint.  I'm looking at trying to get a free syslog app to send the logs to.  The logs emailed are of no help, as they do not show the inside IP that is sending the UDP port traffic to the outside IP.
0
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 313 total points
ID: 38860645
If you are licensed for Viewpoint, you have to download it. I use the virtual appliance, as it's ready to go.

There are settings in the SonicWALL that let you choose which events get sent to different logs, including the syslog. Not all the boxes are checked by default...
0
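Once the firewall's syslog export and the proxy logs include the inside address, the hints from earlier in the thread (an inside host fanning out UDP to hundreds of peers on high ports such as 16464, and HTTP POSTs to the /gameover*.php dropzone paths) can be applied to the exported lines to name the infected machine. The script below is an added example written for this thread, not code from any of the posters or from SonicWALL: the key=value firewall line layout, the "client method url" proxy layout, the 192.168.1.0/24 inside subnet and all sample lines are constructed assumptions, so the two regular expressions must be adapted to the fields the real exports contain.

```python
"""Pinpoint the inside host behind ZeuS P2P-style traffic from exported firewall and proxy logs."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed LAN range for the example; set this to the site's actual inside subnet(s).
INSIDE_NET = ip_network('192.168.1.0/24')

# Hypothetical key=value syslog layout: adapt the pattern to the fields your firewall exports.
FW_RE = re.compile(r'proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)'
                   r'\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)')
# Hypothetical proxy log layout: "<client ip> <method> <url>".
PROXY_RE = re.compile(r'^(?P<client>[\d.]+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)')
# Dropzone paths quoted in the thread (abuse.ch): /gameover.php, /gameover2.php, ...
DROPZONE_RE = re.compile(r'^/gameover\d*\.php$')


def parse_firewall_line(line):
    """Return a dict with proto/src/sport/dst/dport, or None if the line does not match."""
    m = FW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['sport'] = int(rec['sport'])
    rec['dport'] = int(rec['dport'])
    return rec


def find_udp_fanout(lines, min_peers=10, min_port=1024, inside_net=INSIDE_NET):
    """Inside hosts sending UDP to at least min_peers distinct outside IPs on ports >= min_port.

    Returns {inside_ip: {'peers': count, 'ports': [destination ports seen]}}.
    A P2P bot talks to many peers on high ports; an ordinary workstation rarely does.
    """
    peers = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_firewall_line(line)
        if rec is None or rec['proto'].lower() != 'udp' or rec['dport'] < min_port:
            continue
        if ip_address(rec['src']) not in inside_net or ip_address(rec['dst']) in inside_net:
            continue
        peers[rec['src']].add(rec['dst'])
        ports[rec['src']].add(rec['dport'])
    return {ip: {'peers': len(p), 'ports': sorted(ports[ip])}
            for ip, p in peers.items() if len(p) >= min_peers}


def find_dropzone_posts(lines):
    """Clients that POSTed to a /gameover*.php path. Returns {client_ip: [urls]}."""
    hits = defaultdict(list)
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m.group('method') == 'POST' and DROPZONE_RE.match(urlsplit(m.group('url')).path):
            hits[m.group('client')].append(m.group('url'))
    return dict(hits)


# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_FW_LOG = [
    '2013-02-05T09:00:01 fw1 proto=tcp src=192.168.1.20:51000 dst=198.51.100.7:443',
    '2013-02-05T09:00:02 fw1 proto=udp src=192.168.1.20:53211 dst=198.51.100.8:53',
] + [
    f'2013-02-05T09:01:{i:02d} fw1 proto=udp src=192.168.1.57:{20000 + i} dst=203.0.113.{i}:16464'
    for i in range(1, 13)
] + ['2013-02-05T09:02:00 fw1 proto=udp src=192.168.1.57:20099 dst=203.0.113.99:2000']

SAMPLE_PROXY_LOG = [
    '192.168.1.20 GET http://www.example.com/index.html',
    '192.168.1.57 POST http://203.0.113.50/gameover2.php',
    '192.168.1.57 POST http://203.0.113.50/gameover.php?id=1',
]

if __name__ == '__main__':
    for ip, info in find_udp_fanout(SAMPLE_FW_LOG).items():
        print(f"{ip}: {info['peers']} distinct UDP peers on ports {info['ports']}")
    for ip, urls in find_dropzone_posts(SAMPLE_PROXY_LOG).items():
        print(f"{ip}: dropzone POSTs {urls}")
```

The fan-out threshold is deliberately low (10 peers) so the constructed sample trips it; on a real export, raise min_peers toward the "hundreds of unique IP addresses" seen overnight in the excerpt above, and feed in a full day of lines, since the peer exchange is bursty and a short window can miss it.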