Malware routing

    • #8632
      ccpik1
      Participant

      I have an unusual problem I was wondering if anyone could shed some light on.

      I had an infected host with a zeroaccess trojan. This host machine has been rebuilt and formatted, but the firewall logs are still coming back showing the host sending data to and from a remote address.

      I then unplugged the cable from it, so there is not even any routing in its VLAN anymore. The firewall still reports data to and from it?

      How is this possible? IP address spoofing? ARP poisoning? ???

    • #53712
      triznut
      Participant

      Can you explain the firewall setup a little more? Are we talking about a dedicated firewall device or just the built-in firewall on Windows or some other software firewall? Also, you said you unplugged the cable (assuming network), but have you made sure there is no wireless or other network connection to the system in question? Depending on where that firewall is located will make a difference on how to answer…

      Maybe you could post an example from your firewall log and mask any sensitive information out of it?

    • #53713
      ccpik
      Participant

      Thank you for the reply. It is a dedicated Palo firewall. There is also no wireless on the host. It is 100% disconnected from the network.

      Basically it is:

      Firewall
      |
      Switch
      |
      Host

      I will work on the logs but basically I see the rogue host on the network IP address going to an outside IP address (part of the botnet I presume).

      I have set Palo to drop zeroaccess, which it is doing, but would like to get to the root of this ideally.

      I can't figure out how a host that did exist but now does not can still be showing in the logs as sending and receiving data, even though it has lost all connectivity to anywhere.

    • #53714
      m0wgli
      Participant

      I’m not familiar with Palo Alto firewalls. Do the logs show the IP address or hostname?

    • #53715
      ccpik
      Participant

      It shows the IP address.

    • #53716
      m0wgli
      Participant

      After the machine was rebuilt and formatted does it still have the same IP address?

    • #53717
      ccpik1
      Participant

      It did, but it is now physically off the network and no host exists on that IP, yet the traffic is still flowing to and from it. Which is why I thought IP spoofing from another host or ARP poisoning, but I do not think the zeroaccess trojan is capable of that.

    • #53718
      triznut
      Participant

      Well if you’re certain it’s unplugged from the network, then there is no way it’s coming from that system. Can you run a network sniffer (like Wireshark) on your network? Maybe you can capture a MAC address as well and then go to the switch to see where it may be connected on the network.

      Also, make certain your time is synced properly between all devices on the network, and make sure there is no way those are old log entries in the firewall from when the system was connected to the network (post-cleaning) or something of that nature.

    • #53719
      ccpik
      Participant

      Thanks a lot, I will try those things and update tomorrow.

    • #53720
      triznut
      Participant

      ccpik1,

      You should also do some research on the IP address(es) the “rogue” host on your network is trying to connect with. There are plenty of resources online to determine if it’s connecting back to a malicious host/network.

      I’m curious how you determined your host was infected with the zeroaccess trojan?

    • #53721
      ccpik1
      Participant

      Palo recognizes the zeroaccess.gen signature; it has it in its database. Going to try and get a packet capture later.

    • #53722
      UKSecurityGuy
      Participant

      I had something similar a while back.

      I’d suggest that what you’re seeing is another host with a duplicate IP address causing the problems. How are IP addresses set out in the organisation, DHCP or static?

      The way I tracked this down (on Cisco kit) on a routed network was to get the IP address from the firewall and trace it down to its last routing hop. Then in the router logs check the IP/MAC mapping, and which VLAN the MAC is coming in from.

      Then it’s a matter of backwards logging onto the switches to determine which switchport is mapped to the MAC address in question, and then cable trace that switchport.

      I think what you’ll find is that someone has set up a static IP in your DHCP’d network for some old piece of kit that you didn’t know about – and somehow it’s been infected.
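
The trace UKSecurityGuy describes above (firewall IP -> ARP table at the last routing hop -> MAC -> switch MAC table -> port, then on to the next switch if the port is an uplink), written out as an added example; it is not a script anyone in the thread posted. The two text blobs are constructed, simplified imitations of Cisco IOS 'show ip arp' and 'show mac address-table' output, the addresses and MACs are made up, and the set of uplink ports is an assumption about the sample topology.

```python
"""Trace an IP address to a MAC and then to an access-switch port.

Added example for this thread, not the poster's own commands or script. The two
input blobs below are constructed imitations of Cisco IOS 'show ip arp' and
'show mac address-table' output; the column layout is simplified and no real
device produced them.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample ARP table from the L3 hop the firewall points at.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.20.1               -   0000.0c9f.f001  ARPA   Vlan20
Internet  10.0.20.55             12   0050.56aa.0d3e  ARPA   Vlan20
Internet  10.0.20.77              3   00e0.4c12.9ab0  ARPA   Vlan20
"""

# Constructed sample MAC table from the access switch serving VLAN 20.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0050.56aa.0d3e    DYNAMIC     Gi1/0/7
  20    00e0.4c12.9ab0    DYNAMIC     Gi1/0/23
  20    0000.0c9f.f001    DYNAMIC     Gi1/0/48
"""

# Ports that lead to another switch rather than an end host (an assumption
# about the sample topology): a MAC learned here means "keep walking".
UPLINK_PORTS: Set[str] = {"Gi1/0/48"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.I)


def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC, L3 interface) from 'show ip arp' style output."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, iface = m.groups()
            table[ip] = (mac.lower(), iface)
    return table


def parse_mac_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map MAC -> (VLAN, port) from 'show mac address-table' style output."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[mac.lower()] = (vlan, port)
    return table


def locate(ip: str, arp_text: str = ARP_TABLE, mac_text: str = MAC_TABLE,
           uplinks: Set[str] = UPLINK_PORTS) -> Optional[dict]:
    """Return where an IP is plugged in, or None if the L3 hop has no ARP entry.

    A MAC present in ARP but absent from this switch's table is reported with
    port=None: the address is alive on the VLAN but sits behind another switch.
    """
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None
    mac, l3_iface = arp[ip]
    vlan, port = parse_mac_table(mac_text).get(mac, (None, None))
    return {
        "ip": ip,
        "mac": mac,
        "l3_interface": l3_iface,
        "vlan": vlan,
        "port": port,
        # True means the next step is the switch on the far end of 'port'.
        "next_hop_needed": port is None or port in uplinks,
    }


if __name__ == "__main__":
    for addr in ("10.0.20.77", "10.0.20.1", "10.0.20.99"):
        print(addr, "->", locate(addr))
```

If the address the firewall logs has no ARP entry at the routing hop at all, nothing on that segment is currently answering for it, which is the point at which stale log entries or a spoofed source from elsewhere become the more likely explanations.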

    • #53723
      ccpik1
      Participant

      Some very good ideas there, thank you. I am in the process of checking these things out. I can’t ping the host now as it has been removed from the network physically. So the logs on the firewall must either be out of sync or incorrect. I thought originally IP spoofing or ARP poisoning, but this does not look likely now.

    • #53724
      triznut
      Participant

      Well keep us posted on what you find out is the true reason. Don’t forget to research the IP/Network your infected system was trying to connect with. It might be worth blacklisting the IP and possibly network depending on what you find out.

      Good luck!

    • #53725
      ccpik
      Participant

      Quick update…

      Palo shows two packets of data coming from the host every two hours, hitting two external IP addresses. The machine is unplugged and this is still happening. It is certainly the correct host, as it is pingable when I turn it on.

      I am going to try and run wireshark on the host and capture these two packets that are coming out, although leaving wireshark on for 2 hours+ may fill up the hard drive!

    • #53726
      triznut
      Participant

      I think you need to pin-point where on your network this traffic is coming from. Specifically, you need a MAC and what port on your switch the traffic is coming through. If you truly have that computer physically disconnected from the network, then it would not be coming from that computer. You said you’re seeing traffic from the computer about every two hours; well, are you leaving the computer completely disconnected long enough to know 100% it wasn’t being logged when you reconnect it?

      Without being able to see the firewall logs and some wireshark captures, then it’s pretty hard to say. Based off the little we know, it does sound a little like a spoof of sorts, but I would not say that for certain as there could be a lot more going on than what you’re explaining.

      Your first post made it kind of sound like a physical setup, but I better ask. Is this a virtual machine and VM-firewall setup or physical systems?

    • #53727
      ccpik
      Participant

      We resolved it and you were bang on the money. It was IP spoofing which had obviously originated from when the host was infected. The true host was an external IP address spoofing the original internal address. Due to this, the firewall was saying it was coming from the host (trust) to the internet (untrust). The firewall was dropping the packets but it was a bit of a head scratcher! Thank you all for your excellent help

    • #53728
      UKSecurityGuy
      Participant

      Well done for finding the answer – but that’s confused me slightly.

      You’re saying that the attacker was sending traffic from outside your firewall to it, using an internal address, and thus the firewall was alerting on it?

      Do you have internet routable addresses used internally? I can’t see how an internal address would route across the internet reliably (I’ve seen it done occasionally on badly configured routers).

      The only other option I can think of is that you have a 2nd compromised machine that is spoofing the original machine’s IP address, and that 2nd machine is being controlled from the internet.

    • #53729
      ccpik1
      Participant

      What happened is that the firewall was blocking the traffic on the rule ‘incoming traffic xyz’, which is defined in our network as coming from the outside-untrust to the inside-trust. The rest of the log, however, reported the data coming from trust to untrust. In conclusion we thought it must be the external attacker spoofing an internal address, hence it is matching the rule ‘incoming traffic xyz’.
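
A check for the symptom ccpik1 describes in that last post: a log entry whose matched rule is configured untrust -> trust while the logged zone pair reads trust -> untrust, plus the more direct form of the same problem, an internal source address arriving on the untrust zone. This is an added example, not output or configuration from the poster's Palo Alto firewall: the CSV layout, the rule table and every address are constructed (documentation ranges on the external side), and the vendor's real traffic-log schema differs.

```python
"""Flag firewall log entries whose zone pair contradicts the matched rule, or
whose 'internal' source address arrived from the outside.

Added example for this thread, not the poster's firewall output. The log format
is a constructed, simplified CSV rather than the real Palo Alto traffic-log
schema, the rule table is assumed, and all addresses are constructed samples.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed rule table: rule name -> (from-zone, to-zone) as configured.
RULES: Dict[str, Tuple[str, str]] = {
    "incoming traffic xyz": ("untrust", "trust"),
    "outbound web": ("trust", "untrust"),
}

# Address space that should only ever appear as a source on the trust side.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log lines: time,from_zone,to_zone,src,dst,rule,action
SAMPLE_LOG = [
    "2013-05-01T02:00:01,trust,untrust,10.0.20.77,198.51.100.23,incoming traffic xyz,drop",
    "2013-05-01T02:00:01,trust,untrust,10.0.20.77,203.0.113.9,incoming traffic xyz,drop",
    "2013-05-01T02:00:05,trust,untrust,10.0.20.55,198.51.100.80,outbound web,allow",
    "2013-05-01T04:00:02,untrust,trust,10.0.20.77,10.0.20.5,incoming traffic xyz,drop",
]

FIELDS = ("time", "from_zone", "to_zone", "src", "dst", "rule", "action")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed CSV record into named fields."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    return dict(zip(FIELDS, parts))


def is_internal(addr: str) -> bool:
    """True if addr falls inside the address space reserved for the trust side."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(lines: Iterable[str], rules: Dict[str, Tuple[str, str]] = RULES) -> List[dict]:
    """Return records that contradict themselves, each tagged with why.

    rule_direction_mismatch: the logged zone pair is not the pair the matched
        rule is configured for (the exact oddity reported in the thread).
    internal_src_from_untrust: an internal-looking source address was seen
        entering on the untrust zone, i.e. a spoofed or leaked internal address.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        expected = rules.get(rec["rule"])
        if expected and expected != (rec["from_zone"], rec["to_zone"]):
            reasons.append("rule_direction_mismatch")
        if rec["from_zone"] == "untrust" and is_internal(rec["src"]):
            reasons.append("internal_src_from_untrust")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def suspect_sources(findings: List[dict]) -> Counter:
    """Count flagged records per source address, to see which IP keeps showing up."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["src"], "->", h["dst"], h["rule"], h["reasons"])
    print("flagged per source:", dict(suspect_sources(hits)))
```

Against the constructed sample the two 02:00 entries are flagged for the rule/zone contradiction and the 04:00 entry for an internal source on the untrust zone, while the ordinary outbound web hit passes. Run on real exports, the same two checks separate "a host on the inside is talking" from "something outside is borrowing an inside address", which is the distinction the thread spent several posts on.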
