Malware routing

This topic contains 18 replies, has 5 voices, and was last updated by  ccpik1 5 years, 8 months ago.

  • #8632
     ccpik1 
    Participant

    I have an unusual problem I was wondering if anyone could shed some light on.

    I had a host infected with the ZeroAccess trojan. This host machine has been rebuilt and formatted, but the firewall logs are still coming back showing the host sending data to and from a remote address.

    I then unplugged the cable from it, so there is not even any routing in its VLAN anymore. The firewall still reports data to and from it?

    How is this possible? IP address spoofing? ARP poisoning? ???

  • #53712
     triznut 
    Participant

    Can you explain the firewall setup a little more? Are we talking about a dedicated firewall device or just the built-in firewall on Windows or some other software firewall? Also, you said you unplugged the cable (assuming network), but have you made sure there is no wireless or other network connection to the system in question? Where that firewall is located will make a difference in how to answer…

    Maybe you could post an example from your firewall log and mask any sensitive information out of it?

  • #53713
     ccpik 
    Participant

    Thank you for the reply. It is a dedicated Palo firewall. There is also no wireless on the host. It is 100% disconnected from the network.

    Basically it is:

    Firewall
    |
    Switch
    |
    Host

    I will work on the logs but basically I see the rogue host on the network IP address going to an outside IP address (part of the botnet I presume).

    I have set Palo to drop zeroaccess, which it is doing, but would like to get to the root of this ideally.

    I can't figure out how a host that did exist but now does not can still be showing in the logs as sending and receiving data, even though it has lost all connectivity to anywhere.

  • #53714
     m0wgli 
    Participant

    I’m not familiar with Palo Alto firewalls. Do the logs show the IP address or hostname?

  • #53715
     ccpik 
    Participant

    It shows the IP address

  • #53716
     m0wgli 
    Participant

    After the machine was rebuilt and formatted does it still have the same IP address?

  • #53717
     ccpik1 
    Participant

    It did, but now it is off the network physically, no host exists on that IP, and the traffic is still flowing to and from it. Which is why I thought IP spoofing from another host or ARP poisoning, but I do not think the ZeroAccess trojan is capable of that.

  • #53718
     triznut 
    Participant

    Well if you’re certain it’s unplugged from the network, then there is no way it’s coming from that system. Can you run a network sniffer (like Wireshark) on your network? Maybe you can capture a MAC address as well and then go to the switch to see where it may be connected on the network.

    Also, make certain your time is synced properly between all devices on the network, and make sure there is no way those are old log entries in the firewall from when the system was connected to the network (post cleaning) or something of that nature.

  • #53719
     ccpik 
    Participant

    Thanks a lot, I will try those things and update tomorrow

  • #53720
     triznut 
    Participant

    ccpik1,

    You should also do some research on the IP address(es) the “rogue” host on your network is trying to connect with. There are plenty of resources online to determine if it’s connecting back to a malicious host/network.

    I’m curious how you determined your host was infected with the zeroaccess trojan?

  • #53721
     ccpik1 
    Participant

    Palo recognizes the zeroaccess.gen signature; it has it in its database. Going to try and get a packet capture later.

  • #53722
     UKSecurityGuy 
    Participant

    I had something similar a while back.

    I’d suggest that what you’re seeing is another host with a duplicate IP address causing the problems. How are IP addresses set out in the organisation, DHCP or static?

    The way I tracked this down (on Cisco kit) on a routed network was to get the IP address from the firewall and trace it down to its last routing hop. Then in the router logs check the IP/MAC mapping, and which VLAN the MAC is coming in from.

    Then it’s a matter of backwards logging onto the switches to determine which switchport is mapped to the MAC address in question, and then cable trace that switchport.

    I think what you’ll find is that someone has set up a static IP in your DHCP’d network for some old piece of kit that you didn’t know about – and somehow it’s been infected.
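
The IP → MAC → switch port procedure described in the post above, as an added example that is not code from the original thread or from any vendor tool. The script parses Cisco IOS-style `show ip arp` and `show mac address-table` output and follows the MAC down trunk ports until it reaches an edge port. The sample outputs, the switch names `core-1` and `access-2`, the uplink map and the IP addresses are all constructed for the example.

```python
import re

# Constructed sample output in Cisco IOS-like layout (assumption: not taken
# from the thread). A real run would paste "show ip arp" from the last-hop
# router and "show mac address-table" from each switch on the path.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0000.0c9f.f014  ARPA   Vlan20
Internet  10.10.20.45             3   001a.2b3c.4d5e  ARPA   Vlan20
Internet  10.10.30.7             12   5c26.0a11.22ff  ARPA   Vlan30
"""

MAC_TABLES = {
    "core-1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001a.2b3c.4d5e    DYNAMIC     Gi1/0/48
  30    5c26.0a11.22ff    DYNAMIC     Gi1/0/47
""",
    "access-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001a.2b3c.4d5e    DYNAMIC     Gi1/0/17
""",
}

# Assumed topology: (switch, port) pairs that are trunks towards another switch.
UPLINKS = {("core-1", "Gi1/0/48"): "access-2"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def arp_lookup(ip, arp_text):
    """Return (mac, router_interface) for ip from show-ip-arp output, or None."""
    for addr, mac, iface in ARP_RE.findall(arp_text):
        if addr == ip:
            return mac, iface
    return None


def mac_port(mac, table_text):
    """Return (vlan, port) where mac was learned in one switch's table, or None."""
    for vlan, learned, port in MAC_RE.findall(table_text):
        if learned == mac:
            return int(vlan), port
    return None


def trace_to_port(ip, arp_text=ARP_TABLE, mac_tables=MAC_TABLES,
                  uplinks=UPLINKS, start="core-1"):
    """Follow ip -> MAC -> switch port, hopping down trunks to an edge port."""
    hit = arp_lookup(ip, arp_text)
    if hit is None:
        # Nothing on the segment answers for this IP: if the firewall still
        # logs it as a source, the packets are not originating here.
        return {"ip": ip, "error": "no ARP entry on the router"}
    mac, svi = hit
    switch, path, visited = start, [], set()
    while switch not in visited:
        visited.add(switch)
        entry = mac_port(mac, mac_tables.get(switch, ""))
        if entry is None:
            return {"ip": ip, "mac": mac, "path": path,
                    "error": f"MAC not in {switch} table (aged out or wrong switch)"}
        vlan, port = entry
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:  # edge port: this is where the cable trace starts
            return {"ip": ip, "mac": mac, "router_interface": svi, "vlan": vlan,
                    "switch": switch, "port": port, "path": path}
        switch = nxt
    return {"ip": ip, "mac": mac, "path": path, "error": "loop in uplink map"}


if __name__ == "__main__":
    for ip in ("10.10.20.45", "10.10.30.7", "10.10.20.99"):
        print(trace_to_port(ip))
```

Two practical caveats. Dynamic MAC entries age out (300 seconds by default on Cisco IOS), so for a host that only talks every couple of hours the lookup has to run right after the firewall logs a hit, or the MAC must be pinned with a capture on the suspect VLAN. And a duplicate-IP host shows up as a *different* MAC for the same IP in the ARP table, so compare the MAC returned here against the MAC of the machine you rebuilt.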

  • #53723
     ccpik1 
    Participant

    Some very good ideas there, thank you. I am in the process of checking these things out. I can’t ping the host now, as it has been removed from the network physically. So the logs on the firewall must either be out of sync or incorrect. I thought originally IP spoofing or ARP poisoning, but this does not look likely now.

  • #53724
     triznut 
    Participant

    Well keep us posted on what you find out is the true reason. Don’t forget to research the IP/Network your infected system was trying to connect with. It might be worth blacklisting the IP and possibly network depending on what you find out.

    Good luck!

  • #53725
     ccpik 
    Participant

    Quick update…

    Palo shows two packets of data coming from the host every two hours hitting two external IP addresses. The machine is unplugged and this is still happening. It is certainly the correct host, as it is pingable when I turn it on.

    I am going to try and run wireshark on the host and capture these two packets that are coming out, although leaving wireshark on for 2 hours+ may fill up the hard drive!

  • #53726
     triznut 
    Participant

    I think you need to pin-point where on your network this traffic is coming from. Specifically, you need a MAC and what port on your switch the traffic is coming through. If you truly have that computer physically disconnected from the network, then it would not be coming from that computer. You said you’re seeing traffic from the computer about every two hours; well, are you leaving the computer completely disconnected long enough to know 100% it wasn’t being logged when you reconnect it?

    Without being able to see the firewall logs and some wireshark captures, then it’s pretty hard to say. Based off the little we know, it does sound a little like a spoof of sorts, but I would not say that for certain as there could be a lot more going on than what you’re explaining.

    Your first post made it kind of sound like a physical setup, but I better ask. Is this a virtual machine and VM-firewall setup or physical systems?

  • #53727
     ccpik 
    Participant

    We resolved it and you were bang on the money. It was IP spoofing which had obviously originated from when the host was infected. The true host was an external IP address spoofing the original internal address. Due to this, the firewall was saying it was coming from the host (trust) to the internet (untrust). The firewall was dropping the packets but it was a bit of a head scratcher! Thank you all for your excellent help

  • #53728
     UKSecurityGuy 
    Participant

    Well done for finding the answer – but that’s confused me slightly.

    You’re saying that the attacker was sending traffic from outside your firewall to it, using an internal address, and thus the firewall was alerting on it?

    Do you have internet routable addresses used internally? I can’t see how an internal address would route across the internet reliably (I’ve seen it done occasionally on badly configured routers).

    The only other option I can think of is that you have a 2nd compromised machine that is spoofing the original machine’s IP address, and that 2nd machine is being controlled from the internet.

  • #53729
     ccpik1 
    Participant

    What happened is that the firewall was blocking the traffic on the rule ‘incoming traffic xyz’, which is defined in our network as coming from the outside-untrust to the inside-trust. The rest of the log, however, reported the data coming from trust to untrust. In conclusion, we thought it must be the external attacker spoofing an internal address, hence it is matching the rule ‘incoming traffic xyz’.
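
The two signals that gave this away, as an added example that is not code from the original thread and does not use any vendor log format: the zone pair in the log entry contradicting the zone pair the matched rule is defined for, and an internal source address arriving on the outside interface. The script also measures the gap between hits per source, which is what made the "two packets every two hours" beacon from the earlier update visible. The log lines, field layout, interface name `ethernet1/1` and the rule table are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed layout of the constructed log (not a vendor format):
# time,from_zone,to_zone,ingress_if,src,dst,rule,action
FIELDS = ["time", "from_zone", "to_zone", "ingress_if", "src", "dst", "rule", "action"]

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTSIDE_IF = "ethernet1/1"  # assumption: the interface facing the internet

# Assumed rule base: rule name -> (from zone, to zone) as configured.
RULES = {
    "incoming traffic xyz": ("untrust", "trust"),
    "outbound-web": ("trust", "untrust"),
}

# Constructed sample log: four hits from the "rebuilt" host's address and one
# ordinary outbound session from another internal host.
SAMPLE_LOG = """\
2019-03-01T00:02:11,trust,untrust,ethernet1/1,10.10.20.45,203.0.113.77,incoming traffic xyz,drop
2019-03-01T02:02:13,trust,untrust,ethernet1/1,10.10.20.45,203.0.113.77,incoming traffic xyz,drop
2019-03-01T02:02:13,trust,untrust,ethernet1/1,10.10.20.45,198.51.100.9,incoming traffic xyz,drop
2019-03-01T04:02:10,trust,untrust,ethernet1/1,10.10.20.45,203.0.113.77,incoming traffic xyz,drop
2019-03-01T01:15:00,trust,untrust,ethernet1/2,10.10.30.7,93.184.216.34,outbound-web,allow
"""


def parse_log(text):
    """Split the CSV-style log into dicts, keeping the line number for reporting."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["line"] = n
        rec["ts"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spoof_findings(records, rules=RULES, outside_if=OUTSIDE_IF):
    """Return (line, src, reasons) for entries that look like a spoofed internal source."""
    findings = []
    for rec in records:
        reasons = []
        defined = rules.get(rec["rule"])
        logged = (rec["from_zone"], rec["to_zone"])
        if defined and defined != logged:
            reasons.append(f"rule {rec['rule']!r} is {defined[0]}->{defined[1]} "
                           f"but entry is {logged[0]}->{logged[1]}")
        if is_internal(rec["src"]) and rec["ingress_if"] == outside_if:
            reasons.append(f"internal source {rec['src']} arrived on {outside_if}")
        if reasons:
            findings.append((rec["line"], rec["src"], reasons))
    return findings


def beacon_intervals(records):
    """Seconds between successive distinct timestamps per source address."""
    times = defaultdict(set)
    for rec in records:
        times[rec["src"]].add(rec["ts"])
    gaps = {}
    for src, stamps in times.items():
        ordered = sorted(stamps)
        gaps[src] = [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]
    return gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line, src, reasons in spoof_findings(recs):
        print(f"line {line} src {src}: " + "; ".join(reasons))
    for src, gaps in beacon_intervals(recs).items():
        print(f"{src}: intervals {gaps}")
```

The second check is the one worth keeping permanently: a packet with an RFC 1918 source on the internet-facing interface should never happen on a correctly configured edge, so it is a cheap standing rule for any log pipeline, independent of which policy rule the firewall happened to match.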
