
C2/Zbot-A Infection

According to my UTM I have a few workstations infected with C2/Zbot-A. Sophos Endpoint is detecting nothing on these machines. I've tried to install Malwarebytes and Microsoft Security Center as well. I've even manually searched through my registry. I'm finding no trace of this infection.

I'm at my wits' end trying to track this thing down. I've dealt with Zeusbot before. I've checked for all the exes it normally runs under and checked the keys that it normally modifies. I have no idea how I should proceed on this matter. Zbot-A is a fairly serious infection so I don't want to let it run unchecked, but I have no idea how to proceed.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx



  • Hello twarren,

    so it's the UTM which claims to detect C2/Zbot-A but the endpoints seem to be clean? Does the UTM (I'm not familiar with these) have any details on why it thinks the endpoints are infected? Wonder if it could be a false positive.

    Christian

  • The machines are definitely trying to communicate with 173.247.245.154, a known Zbot-A host.

  • Hello twarren,

    version 10.6.0 will have an MTD component but you'll probably not want to wait that long.

    You should contact Support if your UTM detects connection attempts to a C&C server but the endpoint fails to find a threat. Do you have HIPS enabled, and were there detections (especially HIPS and generic ones) on the endpoints?

    It might be possible to find the rogue process (if one exists) with the Sysinternals tcpvcon tool, wrapping it in a loop:

    Tcpvcon.exe -a -n -c |find "173.247.245.154"

    Christian

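A looped version of the check Christian suggests, written as an added example that is not part of the original thread: instead of parsing tcpvcon output it polls the TCP table with PowerShell's Get-NetTCPConnection (Windows 8 / Server 2012 and later), filters on the C&C address twarren quoted, and records the owning process, its image path, command line and parent PID each time a connection appears. The one-second poll interval, the CSV log location and the use of Get-CimInstance for process details are assumptions of this example, not anything stated in the thread.

```powershell
# Added example, not from the original thread. Assumes Windows 8 / Server 2012 or later
# (for Get-NetTCPConnection) and an elevated prompt so OwningProcess resolves for every user.
$C2Address   = '173.247.245.154'                # C&C address quoted in the thread
$PollSeconds = 1                                # assumption: poll once per second
$LogFile     = "$env:TEMP\c2-connections.csv"   # assumption: where hits are logged

Write-Host "Watching for TCP connections to $C2Address (Ctrl+C to stop)..."
while ($true) {
    # Get-NetTCPConnection throws when nothing matches, so silence that and treat it as "no hits".
    $hits = Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue
    foreach ($conn in $hits) {
        # Resolve the owning PID to its image path, command line and parent via WMI/CIM.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
        $record = [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            State       = $conn.State
            LocalPort   = $conn.LocalPort
            RemotePort  = $conn.RemotePort
            PID         = $conn.OwningProcess
            Name        = $proc.Name
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            ParentPID   = $proc.ParentProcessId
        }
        # Show the hit on screen and keep a copy on disk for later correlation with the UTM log.
        $record | Format-List | Out-String | Write-Host
        $record | Export-Csv -Path $LogFile -Append -NoTypeInformation
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it from an elevated PowerShell prompt on one of the workstations the UTM flagged and leave it running until the UTM next reports the connection. A beacon that connects and disconnects inside one poll interval can be missed, so shorten the interval if the UTM shows hits that the loop never catches, and compare the timestamps in the CSV against the UTM's own log entries for the same address.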