C2/Zbot-A Infection

According to my UTM I have a few workstations infected with C2/Zbot-A. Sophos Endpoint is detecting nothing on these machines. I've tried to install Malwarebytes and Microsoft Security Center as well. I've even manually searched through my registry. I'm finding no trace of this infection.

I'm at my wits' end trying to track this thing down. I've dealt with Zeusbot before. I've checked for all the EXEs it normally runs under and checked the keys that it normally modifies. I have no idea how I should proceed on this matter. Zbot-A is a fairly serious infection so I don't want to let it run unchecked, but I have no idea how to proceed.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx

Hello twarren,

Version 10.6.0 will have an MTD component but you'll probably not want to wait that long.

You should contact Support if your UTM detects connection attempts to a C&C server but the endpoint fails to find a threat. Do you have HIPS enabled and were there detections (especially HIPS and generic ones) on the endpoints?

It might be possible to find the rogue process (if one exists) with the Sysinternals Tcpvcon tool, wrapping it in a loop:

Tcpvcon.exe -a -n -c | find "173.247.245.154"

Christian
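Christian's loop idea written out in PowerShell, as an added example that is not from the thread: it polls Tcpvcon for connections to the address the UTM reported and logs the owning process name, PID and image path each time one shows up. It assumes Tcpvcon.exe is on the PATH and that its CSV columns are protocol, process, PID, state, local address, remote address (check this against your Tcpvcon version).

```powershell
# Added example, not the thread's own code. Polls Tcpvcon.exe for connections to
# the C&C address reported by the UTM and records which process owns them.
# Assumes Tcpvcon.exe is on PATH and its CSV column order is
# proto,process,pid,state,local,remote.
param(
    [string]$C2Address   = '173.247.245.154',      # address reported by the UTM
    [int]$IntervalSec    = 2,                      # polling interval
    [string]$LogFile     = "$env:TEMP\c2-hits.log" # where hits are appended
)

while ($true) {
    # -a all endpoints, -n no DNS resolution, -c CSV output
    $hits = Tcpvcon.exe -a -n -c 2>$null |
        Where-Object { $_ -match [regex]::Escape($C2Address) }

    foreach ($line in $hits) {
        $fields   = $line -split ','
        $procName = $fields[1]
        $procId   = $fields[2] -as [int]

        # Resolve the PID to an image path while the process still exists
        $path = 'unknown'
        if ($procId) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($proc -and $proc.Path) { $path = $proc.Path }
        }

        $entry = '{0} {1} pid={2} path={3} conn={4}' -f `
            (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $procName, $procId, $path, $line
        Write-Host $entry
        Add-Content -Path $LogFile -Value $entry
    }

    Start-Sleep -Seconds $IntervalSec
}
```

The owning process may well be a legitimate one hosting injected code, so treat a hit as the starting point for the Support case rather than as the final answer.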