This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

conficker access not detected or blocked

Hello,
i'm having a bit of an "infestation" on a customer network that has lead the public IPs to be blocked on spamhaus CBL as they connected to conficker honeypots.
now this happened before UTM was installed...

Yesterday morning we insalled 9.203, activated ALL protection options(IPS with full ruleset for OS -no time shortening-, advanced botnet, webfilter with dual AV, below suspicious block, antispyware).

yet to my surprise i check CBL today and it has blocked the public ip AGAIN with access last night(post UTM), and UTM never detected anything!.

HTTP direct output is blocked, all browsing must go out via the http proxy

i checked the honeypot IP against the log and guess what?, passed...


/var/log/http/2014/06/http-2014-06-25.log.gz:2014:06:25-14:16:19 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f9eee0" url="216.66.15.109/search

/var/log/http/2014/06/http-2014-06-25.log.gz:2014:06:25-14:16:21 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x2593f540" url="216.66.15.109/search

so, WHY is UTM not even detecting the infestation?, let alone blocking it as it should(with the new fabled "advanced threat protection" which at this point still says "all green OK").
it's not an obscure virus or botnet, it's a well-known scourge yet.. nothing!

This thread was automatically locked due to age.

0 grammatonclerick over 11 years ago

From my experience of testing the blocking the so called "advanced threat protection" labels your system as having a BOT if it visits the IP of the known C&C. IF the C&C addy is not in their database then it won't list it as BAD so it will be smooth green sailing.
Went to that IP, WOT detected it as baddie but my Sophos UTM stayed green.
As of a min ago only websense detects it as a baddy:

So unless they are using websense as their IP black lister then the Sophos UTM won't detect the PC comms as a bot.

P.S.
A single visit to a known bad IP of a C&C is enough to label that PC as having a BOT.

For those who are click link weary here is a copy paste of the results:


Websense ThreatSeeker	Malicious site
ADMINUSLabs	Clean site
AegisLab WebGuard	Clean site
AlienVault	Clean site
Antiy-AVL	Clean site
AutoShun	Unrated site
Avira	Clean site
BitDefender	Clean site
C-SIRT	Clean site
CLEAN MX	Suspicious site
CRDF	Clean site
Comodo Site Inspector	Clean site
CyberCrime	Clean site
Dr.Web	Clean site
ESET	Clean site
Emsisoft	Clean site
Fortinet	Unrated site
FraudSense	Clean site
G-Data	Clean site
Google Safebrowsing	Clean site
K7AntiVirus	Clean site
Kaspersky	Unrated site
Malc0de Database	Clean site
Malekal	Clean site
Malware Domain Blocklist	Clean site
MalwareDomainList	Clean site
MalwarePatrol	Clean site
Malwarebytes hpHosts	Clean site
Malwared	Clean site
Netcraft	Unrated site
Opera	Clean site
PalevoTracker	Clean site
ParetoLogic	Clean site
Phishtank	Clean site
Quttera	Clean site
SCUMWARE.org	Clean site
SecureBrain	Clean site
Sophos	Unrated site
SpyEyeTracker	Clean site
StopBadware	Unrated site
Sucuri SiteCheck	Clean site
Tencent	Clean site
ThreatHive	Clean site
URLQuery	Unrated site
VX Vault	Clean site
Webutation	Clean site
Wepawet	Unrated site
Yandex Safebrowsing	Clean site
ZCloudsec	Clean site
ZDB Zeus	Clean site
ZeusTracker	Clean site
malwares.com URL checker	Clean site
zvelo	Clean site

0 Mast_01 over 11 years ago
as far as i've sen the query type is obvious conficker: search?q=1**
the IP i pasted before is a conficker honeypot from spamhaus, they use that to blacklist you
these are the remote IPs having the same query type that didn't got blocked by UTM:
all are passed as "uncategorized" except when noted, look at the sheer amount, this is not acceptable by any standard for an already old and known virus, UTM is not even suspecting the behavior of those url queries!(they're all the same)

38.229.136.219
38.229.153.111
38.229.148.8
38.229.168.217
38.229.173.75
38.229.167.185
38.229.168.17
38.229.147.124
38.229.141.156
38.229.175.65
38.229.174.71
38.229.178.47
38.229.136.69
38.229.138.92
38.229.134.67
38.229.131.192
38.229.177.169
38.229.147.136
38.229.152.161
38.229.130.37
38.229.151.237
38.229.164.64
50.117.120.254
38.229.161.11
38.229.163.20
38.229.141.96
37.59.20.187 (passed as blogs/wiki lol [:D] )
216.66.15.109 (honeypot, uncategorized)
69.195.129.67 (passed but marked as spam url)

what's interesting is that other consecutive IPs on that 38. block ARE detected as malicious sites or blocked/uncategorized with no other reason. other IP blocks are blocked as Malicious Sites,Malicious Downloads
Cancel
Vote Up 0 Vote Down

Cancel

0 grammatonclerick over 11 years ago in reply to Mast_01

I don't know what to say but I scanned 3 of the IP's you provided above and they came out clean via VT. Basically if those IP's were not flagged by any other IP aggregate as malware then unfortunately SOPHOS won't detect it as such.
Just go to VirusTotal and scan them yourself you will see for yourself.
Here is a snipped from one of the IPs:

ADMINUSLabs	Clean site
AegisLab WebGuard	Clean site
AlienVault	Clean site
Antiy-AVL	Clean site
AutoShun	Unrated site
Avira	Clean site
BitDefender	Clean site
C-SIRT	Clean site
CLEAN MX	Clean site
CRDF	Clean site
Comodo Site Inspector	Clean site
CyberCrime	Clean site
Dr.Web	Clean site
ESET	Clean site
Emsisoft	Clean site
Fortinet	Unrated site
FraudSense	Clean site
G-Data	Clean site
Google Safebrowsing	Clean site
K7AntiVirus	Clean site
Kaspersky	Unrated site
Malc0de Database	Clean site
Malekal	Clean site
Malware Domain Blocklist	Clean site
MalwareDomainList	Clean site
MalwarePatrol	Clean site
Malwarebytes hpHosts	Clean site
Malwared	Clean site
Netcraft	Unrated site
Opera	Clean site
PalevoTracker	Clean site
ParetoLogic	Clean site
Phishtank	Clean site
Quttera	Clean site
SCUMWARE.org	Clean site
SecureBrain	Clean site
Sophos	Unrated site
SpyEyeTracker	Clean site
StopBadware	Unrated site
Sucuri SiteCheck	Clean site
Tencent	Clean site
ThreatHive	Clean site
URLQuery	Unrated site
VX Vault	Clean site
Websense ThreatSeeker	Unrated site
Webutation	Clean site
Wepawet	Unrated site
Yandex Safebrowsing	Clean site
ZCloudsec	Clean site
ZDB Zeus	Clean site
ZeusTracker	Clean site
malwares.com URL checker	Clean site
zvelo	Clean site

0 RFCat_vk_01 over 11 years ago in reply to grammatonclerick

Hi Mast,
I can see a couple of things you haven't explained.

1/. have you removed all the infections from the customers internal network?
2/. how are these sites accessed eg http or some non browser based port? If non browser port then the UTM will not pick the sites as being a dud.

3/. what do the various UTM logs show for access to these sites?

4/. Do you have any outgoing firewall rules blocking these sites?

5/. do you have any exceptions site blocking rules in place in the web proxy?

6/. what other proxies do you have enabled?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Jens JakobSorensen over 11 years ago in reply to RFCat_vk_01

I got on that list for the second time in two weeks due to Conficker. I have taken the following actions, and hope they works:
Firewall rule: Any from Any to 216.66.15.109 - reject
Web filtering action: Double virus scan engines.

I'm not sure what else to do.

The infected PC access the net through an open public HotSpot, so we can't clean it.
I have looked for a way to deny access for the specific mac-address, but can't find it.

Jens Jakob, Dansk Centralbibliotek for Sydslesvig
UTM 9.112-12
Cancel
Vote Up 0 Vote Down

Cancel
0 Mast_01 over 11 years ago in reply to RFCat_vk_01

1) not my job, their IT dept needs to handle that
2) HTTP
3) the only logs that shows something is the http proxy log, from which i've gathered that IP list
4) i shouldn't have a to doa manual list, it's cumbersome, it's also not recommended as the CnC server change ip all the time
5) no exceptions
6) only smtp proxy
Hi Mast,
I can see a couple of things you haven't explained.

1/. have you removed all the infections from the customers internal network?
2/. how are these sites accessed eg http or some non browser based port? If non browser port then the UTM will not pick the sites as being a dud.

3/. what do the various UTM logs show for access to these sites?

4/. Do you have any outgoing firewall rules blocking these sites?

5/. do you have any exceptions site blocking rules in place in the web proxy?

6/. what other proxies do you have enabled?

Ian

@Grammaton even if the CNC IP is a new one/not listed, IPS acts via signatures, ¿where's the "advanced" protection when it isn't picking conficker traffic at packet level?

dcbib, see, that's the issue as well, someone comes, plugs an infected machine to your public wifi and all the sudden spamhaus blocks your outgoing mail thanks to that and UTM has no idea and blocking nothing, short of having a dedicated "trash" ISP to route outgoing traffic away from your "incoming/outgoing mail isp" you're FUBAR
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 11 years ago

Can you please try the following:

Go to Network Protection, Intrusion Prevention.
Turn it on for your local network.
Go to Attack Patterns.
Set Malware (at the bottom) to no time limit and add extra warnings.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mast_01 over 11 years ago

IPS was already setup like that from the go, except for the malware time limit and the extra warnings, added those, letsee how it fares now
Cancel
Vote Up 0 Vote Down

Cancel
0 Mast_01 over 11 years ago in reply to Michael Dunn
Can you please try the following:
Go to Network Protection, Intrusion Prevention.
Turn it on for your local network.
Go to Attack Patterns.
Set Malware (at the bottom) to no time limit and add extra warnings.

no change, conficker traffic is still passing through ,this is from yesterday and today to a conficker honeypot:

2014:07:02-22:20:10 --- 192.168.3.173 pass Uncategorized http://38.229.177.220/search?q=88
2014:07:03-08:27:54 --- 192.168.3.97 pass Uncategorized http://38.229.177.220/search?q=192
2014:07:03-10:09:22 --- 192.168.0.170 pass Uncategorized http://38.229.177.220/search?q=132

why isn't any of the protection features detecting the URL query signature this thing is using.

if i expand the log search for that particular query type i see some blocks due to Malicious sites but i also see a lot of "blocks" with no reason and if i inspect further i see they are "error="Connection to server timed out"" which means it was a pass but the CnC was down
Cancel
Vote Up 0 Vote Down

Cancel
0 Billybob over 11 years ago in reply to Mast_01

Hi Mast, I feel your pain. One of my XP VMs got infected with conficker and from there it went to some windows 7 machines also. I didn't even realize that I was infected because sophos was showing all good and green. What got my attention was that I use opendns and it had thousands of drops for botnet activity.

In my opinion, sophos botnet protection is not fully baked yet. It may catch an infection every now and then but the detection rate is really low. Your best bet is to quarantine the infected machines and clean them using Gmer or something similar.

You can also use opendns with botnet protection to get some relief but sooner or later those machines will have to be cleaned.
Cancel
Vote Up 0 Vote Down

Cancel