Virus Problem / Sonicwall setup to block IP

I have been informed by Spamhaus that the IP address we use for corporate email has communicated with a known spam site and is either infected by, or NATing for, a computer that is infected by the S_Gozi trojan / downloader.

It states that the infection is extremely difficult to detect and is not seen by most commercial AV or EndPoint protection suites.

I have been told to program the Sonic-wall TZ215 to stop all traffic to sites outside the US.  We have never done this before.  Not sure how to setup the sonic-wall for that purpose.  I know this virus does not use the standard port 25 for smtp traffic it uses port 80 which i cannot block.  It is extremely difficult to find so i am trying to stop its connections at the firewall level to stop it communicating.  Any help would be greatly appreciated.
Ray McGowanConsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DamianIT incCommented:
SonicWall will still need to send mail for you, so you really need to manage that infection and clean that out, just limiting your mail outreach is really turning a blind eye on the issue.

Port 80 is Browser traffic, so perhaps its infected something you are sending out in an email?! but that's part of a larger conversation.  You may want to check on whether or not you have DKIM in place and check on whether or not you are sending mail securely.

But, I'd probably start with changing all your mail passwords.. could just be that your mail server is compromised.
J SpoorTMECommented:
make sure you have all the security services licesnsed. enable botnet and optional geo-ip

also makesure that outbound port 25 is blocked except for the mail server
J SpoorTMECommented:
addendum use sonicwall's content filter to block at least the malware category
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Blue Street TechLast KnightCommented:
Hi mcgowray,

You have to know your adversary (in this case Gozi) before you can take effective action.


Based on the actual infections detected in 2016, the current Gozi build is being broadcast in the Europe, UK, US and South Africa so Spamhause just wants the action to stop - this approach is not a remediation nor is it holistic by any stretch of the imagination. As you will begin to go down this road you will see that "stop[ing] all traffic to sites outside the US" is typically not very feasible – online, we are in a global community so your company and your customers, most likely, have services running out of servers all over the world in places you never actual “do business in/with”. In general, I’m a big fan of Geo-IP and Botnet filtering but to set your expectations correctly – simply restricting all your traffic to the US will not stop, correct or eliminate this infection from doing what it is intended to do nor will it protect you from future exploits in similar nature or otherwise. In the best-case scenario, you will most likely impede your business productivity. Filtering, of any kind, requires time and is totally achievable but it is involved. You must compile a list of all your legitimate outbound traffic and make provisions for them (whitelisting) on a port/service level as well as a geographic one (Geo-IP based). In general, it is the essence of truly knowing your network…what connections are required internally (between your clients and servers) and externally from your network to the world and vice versa.

Gozi Trojan is one of the longest-standing banking Trojans itW (in the Wild) today. It is considered sophisticated and active. Its original purpose was to target English-speaking banks w/online banking wire fraud but now has vastly metastasized from its geneses. In 2010, the developers added more capabilities (code & web injections to steal data) than its previous version. And in 2013, they added an MBR (Master Boot Record) rootkit to it in order to increase the persistency of a targeted machine’s MBR. In 2015, they enhanced it again by adding major updates to the malware’s webinjection schemes & capabilities. It is typically delivered as drive-by-infections, either via malicious PDF documents or via exploit kits (such as Justexploit). Now, Gozi can inject the trojan’s code into the OS’s & browser’s processes (all web browsers), which then can allow the attacker to control the browser to monitor activity, form grab and webinjections. These are some of the most powerful tools attackers have against victims – so it is not to be taken lightly. When a machine is infected by Gozi, every process created by explorer.exe or one of its child processes is patched (by Gozi) in order to maintain Gozi’s infection, keylogging ability and other malicious control. Furthermore, some child processes get specific attention from Gozi, which include extra code for other malicious features.

Detection & Sanitization

Gozi has a 66% detection rate (33 out of 55 AV clients/secTools were able to detect it). This is a list of AV clients that can detect Gozi (AV companies are notorious for giving them different names, arrgh):
Search for your AV endpoint software to determine if it is in its library or not. If it’s not in that list go to here on the suspected, infected machine and download & run the following:

Run each of them independently (not at the same time) and save the results. When you download all of them use the Save Target/Link As and rename them to random names – many infections will look for typical download files and infect them upon download.

Some variants will install the initial file here: "C:\Documents and Settings\<username>" directory pointed to by the %USERPROFILE% environment variable and named "xx_ymvb.exe".

NOTE: You can sanitize/eliminate the infection/s but once a machine is infected, the only way to truly purify it or make it whole again is to wipe it with a single pass of 0x00, reformat it, and reload the OS. Otherwise, it is much like a terminate or wood beetle, once they are dead the tracks they left (or the holes) are still there for the next hosts to take advantage of/access. They are not causing any new damage but the damage they have done and the vulnerabilities left are there for the taking.

Security Architecture

First off you need to deal with the infection. What is your security model based on: single layer or multi-layer? Your BASIC security architecture should consist of a mixed-vendor, multi-layered, AV protection at your:
1. Gateway via SonicWALL CGSS (Comprehensive Gateway Security Suite);
2. Mail server (specific to the mail server - not just server AV software);
3. Other servers (server-based AV);
4. Endpoints (user machines);

I typically like Norton for mobile devices, ESET for the endpoint protection on machines & servers and CGSS (cloud threat intelligence (multiple dBs)) for gateway protection. Your network should be segmented to protect from outbreaks at least for the BYOD/mobile device areas. Your servers IMO should be in their own Zone so that you can control what traffic flows to them. This prevents client infections from being able to access all ports/services from within the network. These ideas are scalable from 5 users to enterprise level.

Firewall Security

1. Review your ingress open ports (WAN>LAN, WAN>WLAN, DMZ>WAN, etc.) and close everything that shouldn’t be open. Furthermore, the ones that need to be open make sure they are using secure protocols.
2. Do you have an active SonicWALL license of CGSS? If so, you should enable all security services on all Zones (Network > Zones) and configure them (enabling them is not enough).
3. Filter all outbound traffic. It will take some time, as mentioned before, but it will prevent the virus from using random ports, which is typical of how many communicate outbound.
4. On the egress side of the firewall (LAN>WAN, WLAN>WAN, DMZ>WAN, etc.) you can enabled Geo-IP & Botnet filtering and configure them to only access countries you find from your search mentioned above. This will effectively allow you to block specific traffic on common ports like 25, 80, etc.
5. Restrict DNS to only authorized Public DNS providers listed in your DNS forwarding addresses.
6. Restrict insecure mail protocols outbound.

Exchange Server (assuming you are running it)

1. Close any Open Relays (for all mail servers).
2. Insure only secure protocols are being used.

Consider getting MSFT EOP for on-premise (or for O365) servers: - this will protect your users from installed such infections with strong anti-malware security & antispam filtering at the perimeter of your mail server before the email flows into the mailboxes.

Consider migrating to Office 365 - it is most cases cheaper and provides better security & protection.


1. Since it is a keylogger, refresh ALL passwords AFTER sanitization has occurred and especially critical to infrastructure: Domain Admins, Admins, network hardware access, root, dB admins, etc.
2. Take some time and train your employees on security – how to observe & detect spam/malicious emails, etc. There is more than enough defense technology today to protect your environment from threats. After you have installed and configured that your users will always be your weakest link.

Let me know if you have any other questions!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ashok DewanFreelancerCommented:
Can you capture the traffic from gateway with wireshark for packet analysis? This way you can get the signatures to prevent malicious traffic, if traffic is not encrypted.

Check below page link and go to Countermeasures, you will get know.This malware sends POST request which is HTTP method.
How many IP addresses do you have? If multiple, then use one for the mail server and another for everything else. While this requires multiple NAT rules, it does allow you to eliminate the mail server from the suspect list. Also follow the advice in previous posts here. And make sure your inbound and outbound emails are going through some filtering service.

Also check for any unauthorized devices that may somehow be on your network.

I have been told to program the Sonic-wall TZ215 to stop all traffic to sites outside the US.
This *might* help, but if they're able to definitely tell you of the suspicious traffic, they have a lot of data they're not telling you. Depending on what type of business you're in, it might not be feasible to block all international sites for too long. Here is some research that may help you, granted it is pretty old:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.