We've had our external IP address added to the CBL blocklist and I am really struggling to find the source of the problem. The activity is fairly infrequent and seems to come from a different port each time. It appears the infection is a Gameover Zeus bot.
The latest list from 1700 GMT yesterday shows the source port as 57770 to a destination port of 80. It gives no destination IP.
I have searched the Smoothwall logs for activity on that port at that time plus or minus a couple of hours and there is nothing. There is also no activity to any of the sinkhole IP addresses that are listed.
Does anyone have any suggestions on how to resolve this, particularly in relation to searching the Smoothwall logs or port blocking? Actually, any suggestions really!
Originally Posted by plexer
Yes I did, and I may use that, although it doesn't help that I don't know the destination IP address.
It hasn't appeared since yesterday so I suspect the rogue PC is turned off. I am going to try and turn a few on and see what happens over the weekend, starting with the Bursar's office, who have previous for this sort of thing. With 800 PCs it might take a while, simply because the blocklist isn't updated that frequently.
Without wishing to join hands with the Daily Mail or BBC scaremongering brigade, for that particular infection I hope you've removed network access from every station until it's resolved?
Have you checked the CBL lookup page again? It has a list of IPs to look for now.
Yep, after all nobody really needs access to the network!
Originally Posted by synaesthesia
I think I may have found the offending device now - a staff laptop, surprise surprise. It has been a real pain to find though and some of the info supplied by the CBL page doesn't really help.
Neither the IP address nor the port provided by them has been used by any devices on the network according to the Smoothwall logs; however, one piece of useful advice was to turn on DNS logging and look for requests to strange domains like "zlmfxgwgqdieahvsgtfylrcgufy.com".
I did this and, bingo, I found this address "ZDEYMFMVJRTQCTNZGUUSPLWSNZ.BIZ", and doing a whois on it brought back an IP address identified as a C&C server for GameOver Zeus.
The other things worth noting are that it doesn't do anything until someone logs onto the computer, and it has been estimated that even up-to-date AV is only 23% effective against it.
Another learning curve completed.
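The DNS-logging approach described in the post above (turn on query logging, then hunt for random-looking domain names) is the kind of thing that is worth scripting rather than eyeballing across 800 PCs. The script below is an added example and is not code from the original thread or from Smoothwall: it reads resolver log lines in the "query[TYPE] name from client-ip" layout that dnsmasq writes when query logging is enabled (an assumed format; check what your own firewall actually produces), scores the longest label of each queried name for length, character entropy and vowel ratio, and groups the hits by the internal IP that made the query. The two domain names from the post are included in the constructed sample log so the heuristics can be seen catching them, alongside a few ordinary names that they should leave alone.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real data). The layout mirrors dnsmasq's
# "query[TYPE] name from client-ip" lines; this is an assumption about the format,
# so verify it against your own firewall's logs before adapting QUERY_RE.
SAMPLE_LOG = """\
Jan 10 14:22:01 fw dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.10.21
Jan 10 14:22:03 fw dnsmasq[1234]: query[A] zdeymfmvjrtqctnzguusplwsnz.biz from 192.168.10.57
Jan 10 14:22:05 fw dnsmasq[1234]: query[A] update.microsoft.com from 192.168.10.21
Jan 10 14:22:09 fw dnsmasq[1234]: query[A] zlmfxgwgqdieahvsgtfylrcgufy.com from 192.168.10.57
Jan 10 14:22:11 fw dnsmasq[1234]: query[AAAA] mail.google.com from 192.168.10.33
"""

QUERY_RE = re.compile(
    r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character. Random-looking labels score well above 3.5."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text: str) -> float:
    """Fraction of a-e-i-o-u characters; algorithmically generated names tend to be low."""
    if not text:
        return 0.0
    return sum(ch in "aeiou" for ch in text) / len(text)


def dga_label(name: str) -> str:
    """Pick the label to score: the longest label left of the TLD.
    A public-suffix list would be more precise (co.uk, com.au ...), but
    longest-label is good enough for a triage pass over a day's logs."""
    labels = name.rstrip(".").lower().split(".")
    candidates = labels[:-1] or labels
    return max(candidates, key=len)


def label_reasons(label: str, min_len: int = 14, min_entropy: float = 3.5,
                  max_vowel_ratio: float = 0.3) -> list:
    """Return the heuristics a label trips; an empty list means 'looks normal'.
    Thresholds are tuning knobs chosen for this example, not published values."""
    if len(label) < min_len:
        return []
    reasons = []
    ent = shannon_entropy(label)
    vr = vowel_ratio(label)
    if ent >= min_entropy:
        reasons.append(f"entropy {ent:.2f}")
    if vr <= max_vowel_ratio:
        reasons.append(f"vowel ratio {vr:.2f}")
    return reasons


def suspicious_queries(log_text: str, **thresholds) -> dict:
    """Map each internal client IP to the suspicious names it queried."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower()
        reasons = label_reasons(dga_label(name), **thresholds)
        if reasons:
            hits[m.group("src")].append((name, reasons))
    return dict(hits)


if __name__ == "__main__":
    # Point this at your real log instead of SAMPLE_LOG once the regex matches it.
    for src, queries in suspicious_queries(SAMPLE_LOG).items():
        print(f"{src}:")
        for name, reasons in queries:
            print(f"  {name}  ({', '.join(reasons)})")
```

Run on the sample it reports only 192.168.10.57, with both random-looking names attached to it; that client IP is the thing to chase back to a switch port or DHCP lease. Expect some false positives from CDN and cloud hostnames (long but usually with digits and hyphens, and with the same TLD every time), so treat the output as a short list to check, not a verdict, and confirm a hit the way the post did, with a whois or a reputation lookup on the name.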
Indeed. However important you think network access is, though, data security is 100% more important. I would not hesitate in shutting down everything on site to ensure a nasty of that type is isolated before anything's powered back up again.
Yes I did but it seems that the infected PCs don't always use them directly as was proved when I found the infected machine!
I agree; however, I knew the servers were unaffected and clean, otherwise I would certainly have considered that option. The nature of Zeus (from what I've read) is that it doesn't gather data from across a network, but rather personal data that would be used for banking and so on, from a single computer.
Still a nasty piece of code, though.