December 11, 2013 at 7:13 pm #8632
I have an unusual problem I was wondering if anyone could shed some light on.
I had an infected host with a ZeroAccess trojan. This host machine has been rebuilt and formatted, but the firewall logs are still coming back showing the host sending data to and from a remote address.
I then unplugged the cable from it, so there is not even any routing in its VLAN anymore. The firewall still reports data to and from it?
How is this possible? IP address spoofing? ARP poisoning? ???
December 11, 2013 at 7:26 pm #53712
Can you explain the firewall setup a little more? Are we talking about a dedicated firewall device or just the built-in firewall on Windows or some other software firewall? Also, you said you unplugged the cable (assuming network), but have you made sure there is no wireless or other network connection to the system in question? Where that firewall is located will make a difference in how to answer…
Maybe you could post an example from your firewall log and mask any sensitive information out of it?
December 11, 2013 at 7:51 pm #53713
Thank you for the reply. It is a dedicated Palo firewall. There is also no wireless on the host. It is 100% disconnected from the network.
Basically it is:
I will work on the logs but basically I see the rogue host on the network IP address going to an outside IP address (part of the botnet I presume).
I have set Palo to drop ZeroAccess, which it is doing, but I would like to get to the root of this ideally.
I can't figure out how a host that did exist but now does not can still be showing in the logs as sending and receiving data even though it has lost all connectivity to anywhere.
December 11, 2013 at 8:28 pm #53714 m0wgli (Participant)
I’m not familiar with Palo Alto firewalls. Do the logs show the IP address or hostname?
December 11, 2013 at 8:30 pm #53715
It shows the IP address.
December 11, 2013 at 9:34 pm #53716 m0wgli (Participant)
After the machine was rebuilt and formatted does it still have the same IP address?
December 11, 2013 at 9:38 pm #53717
It did have, but now it is off the network physically and no host exists on that IP, and the traffic is still flowing to and from. Which is why I thought IP spoofing from another host or ARP poisoning, but I do not think the ZeroAccess trojan is capable of that.
December 11, 2013 at 10:38 pm #53718
Well if you’re certain it’s unplugged from the network, then there is no way it’s coming from that system. Can you run a network sniffer (like Wireshark) on your network? Maybe you can capture a MAC address as well and then go to the switch to see where it may be connected on the network.
Also, make certain your time is synced properly between all devices on the network, and make sure there is no way those are old log entries in the firewall from when the system was connected to the network (post cleaning) or something of that nature.
December 11, 2013 at 10:52 pm #53719
Thanks a lot, I will try those things and update tomorrow.
December 12, 2013 at 3:51 am #53720
You should also do some research on the IP address(es) the “rogue” host on your network is trying to connect with. There are plenty of resources online to determine if it’s connecting back to a malicious host/network.
I’m curious how you determined your host was infected with the ZeroAccess trojan?
December 12, 2013 at 9:09 am #53721
Palo recognizes the zeroaccess.gen signature; it has it in its database. Going to try and get a packet capture later.
December 12, 2013 at 9:55 am #53722 UKSecurityGuy (Participant)
I had something similar a while back.
I’d suggest that what you’re seeing is another host with a duplicate IP address causing the problems. How are IP addresses set out in the organisation, DHCP or static?
The way I tracked this down (on Cisco kit) on a routed network was to get the IP address from the firewall and trace it down to its last routing hop. Then, in the router logs, check the IP/MAC mapping and which VLAN the MAC is coming in from.
Then it’s a matter of backwards logging onto the switches to determine which switchport is mapped to the MAC address in question, and then cable trace that switchport.
I think what you’ll find is that someone has set up a static IP in your DHCP’d network for some old piece of kit that you didn’t know about – and somehow it’s been infected.
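The IP-to-MAC-to-switchport trace described in the post above, worked through as an added example (not code from the thread or from Cisco). It parses constructed `show ip arp` and `show mac address-table` output in Cisco IOS layout; the switch names, port numbers, MAC addresses and the trunk map are all assumptions. It also generalises the walk slightly: when the MAC is learned on a known trunk port it keeps going to the far-end switch until it reaches an access port, which is the one to cable trace.

```python
import re

# Constructed sample output (not from this thread) in the layout of Cisco IOS
# "show ip arp" on the L3 device that is the last routed hop before the host.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0000.0c07.ac14  ARPA   Vlan20
Internet  10.1.20.55              3   0011.2233.4455  ARPA   Vlan20
Internet  10.1.30.12             12   0011.2233.9999  ARPA   Vlan30
"""

# Constructed "show mac address-table" output for each switch. Switch names,
# port numbers and MAC addresses are all assumptions for the example.
MAC_TABLES = {
    "SW-CORE": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/48
  30    0011.2233.9999    DYNAMIC     Gi1/0/3
""",
    "SW-EDGE-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/12
""",
}

# Known trunk links (assumed): (switch, port) -> switch at the far end. A MAC
# learned on one of these ports means "keep walking", not "cable trace this".
UPLINKS = {("SW-CORE", "Gi1/0/48"): "SW-EDGE-2"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def arp_lookup(ip, arp_text):
    """Return (mac, interface) for ip from 'show ip arp' output, or None."""
    for addr, mac, iface in ARP_RE.findall(arp_text):
        if addr == ip:
            return mac, iface
    return None


def mac_port(mac, table_text):
    """Return (vlan, port) where mac was learned, or None if not in the table."""
    for vlan, learned, port in MAC_RE.findall(table_text):
        if learned == mac:
            return int(vlan), port
    return None


def trace_ip(ip, arp_text, mac_tables, uplinks, start_switch):
    """Walk IP -> MAC -> switch port, following trunks until an access port."""
    arp = arp_lookup(ip, arp_text)
    if arp is None:
        return None  # nothing answers ARP for this IP: no live host on the LAN
    mac, svi = arp
    result = {"mac": mac, "svi": svi, "vlan": None, "switch": None, "port": None, "path": []}
    switch, visited = start_switch, set()
    while switch and switch not in visited:  # visited guards against trunk loops
        visited.add(switch)
        entry = mac_port(mac, mac_tables.get(switch, ""))
        if entry is None:
            break  # MAC aged out or never seen here; trace ends without a port
        vlan, port = entry
        result["path"].append((switch, port))
        if (switch, port) not in uplinks:
            result.update(vlan=vlan, switch=switch, port=port)  # access port found
            break
        switch = uplinks[(switch, port)]
    return result


if __name__ == "__main__":
    print(trace_ip("10.1.20.55", ROUTER_ARP, MAC_TABLES, UPLINKS, "SW-CORE"))
    print(trace_ip("10.1.20.99", ROUTER_ARP, MAC_TABLES, UPLINKS, "SW-CORE"))
```

A `None` result is itself informative: if the last-hop router holds no ARP entry for the address while the firewall keeps logging it as a source, nothing on that LAN segment is actually answering for it, which points away from a local duplicate and towards a spoofed source.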
December 12, 2013 at 10:43 am #53723
Some very good ideas there, thank you. I am in the process of checking these things out. I can’t ping the host now as it has been removed from the network physically. So the logs on the firewall must either be out of sync or incorrect. I thought originally IP spoofing or ARP poisoning, but this does not look likely now.
December 12, 2013 at 10:45 pm #53724
Well keep us posted on what you find out is the true reason. Don’t forget to research the IP/Network your infected system was trying to connect with. It might be worth blacklisting the IP and possibly network depending on what you find out.
December 14, 2013 at 7:46 pm #53725
Palo shows two packets of data coming from the host every two hours, hitting two external IP addresses. The machine is unplugged and this is still happening. It is certainly the correct host, as it is pingable when I turn it on.
I am going to try and run wireshark on the host and capture these two packets that are coming out, although leaving wireshark on for 2 hours+ may fill up the hard drive!
December 16, 2013 at 10:28 pm #53726
I think you need to pinpoint where on your network this traffic is coming from. Specifically, you need a MAC and what port on your switch the traffic is coming through. If you truly have that computer physically disconnected from the network, then it would not be coming from that computer. You said you’re seeing traffic from the computer about every two hours; well, are you leaving the computer completely disconnected long enough to know 100% it wasn’t being logged when you reconnect it?
Without being able to see the firewall logs and some wireshark captures, then it’s pretty hard to say. Based off the little we know, it does sound a little like a spoof of sorts, but I would not say that for certain as there could be a lot more going on than what you’re explaining.
Your first post made it kind of sound like a physical setup, but I better ask. Is this a virtual machine and VM-firewall setup or physical systems?
December 17, 2013 at 8:13 pm #53727
We resolved it and you were bang on the money. It was IP spoofing, which had obviously originated from when the host was infected. The true host was an external IP address spoofing the original internal address. Due to this, the firewall was saying it was coming from the host (trust) to the internet (untrust). The firewall was dropping the packets, but it was a bit of a head scratcher! Thank you all for your excellent help.
December 18, 2013 at 11:29 am #53728 UKSecurityGuy (Participant)
Well done for finding the answer – but that’s confused me slightly.
You’re saying that the attacker was sending traffic from outside your firewall to it, using an internal address, and thus the firewall was alerting on it?
Do you have internet routable addresses used internally? I can’t see how an internal address would route across the internet reliably (I’ve seen it done occasionally on badly configured routers).
The only other option I can think of is that you have a 2nd compromised machine that is spoofing the original machine’s IP address, and that 2nd machine is being controlled from the internet.
December 18, 2013 at 1:04 pm #53729
What happened is that the firewall was blocking the traffic on the rule ‘incoming traffic xyz’, which is defined in our network as coming from the outside-untrust to the inside-trust. The rest of the log, however, reported the data coming from trust to untrust. In conclusion, we thought it must be the external attacker spoofing an internal address, hence it is matching the rule ‘incoming traffic xyz’.
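The three checks this thread converges on, as an added example that is not part of the thread and not Palo Alto code: flag log entries whose source is an internal address but which entered on the untrust zone (the spoofing explained in the post above), measure the interval between events from one source (the two-hourly pattern reported earlier), and count events that fall inside a window when the host was known to be unplugged (the "are those old log entries" question). The CSV layout, column names, addresses and timestamps are all constructed for the example and do not mirror the real PAN-OS log format.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed, simplified traffic-log extract. NOT real PAN-OS log format;
# the column names and every address and timestamp are assumptions.
LOG = """\
receive_time,from_zone,to_zone,src,dst,rule,action
2013-12-14 01:02:11,untrust,trust,10.1.20.55,198.51.100.23,incoming traffic xyz,deny
2013-12-14 03:02:09,untrust,trust,10.1.20.55,198.51.100.23,incoming traffic xyz,deny
2013-12-14 05:02:12,untrust,trust,10.1.20.55,203.0.113.9,incoming traffic xyz,deny
2013-12-14 05:04:40,trust,untrust,10.1.30.12,203.0.113.9,outbound web,allow
"""

# Address space that is only ever legitimately sourced from the trust side.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Read the CSV extract, adding parsed datetime and ip_address fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["receive_time"], TIME_FMT)
        row["src_ip"] = ipaddress.ip_address(row["src"])
        rows.append(row)
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def spoofed_internal_source(rec):
    """An internal source address arriving from a zone other than trust is
    spoofed: no legitimate path brings that address in from the outside."""
    return rec["from_zone"] != "trust" and is_internal(rec["src_ip"])


def intervals_for(records, src):
    """Seconds between successive events from src, to spot a fixed period."""
    times = sorted(r["time"] for r in records if r["src"] == src)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def is_periodic(intervals, period_s, tolerance_s):
    """True when every gap sits within tolerance of the expected period."""
    return bool(intervals) and all(abs(i - period_s) <= tolerance_s for i in intervals)


def events_in_window(records, src, start, end):
    """Events from src inside [start, end). Anything here while the host was
    physically unplugged cannot have been sent by that host."""
    return [r for r in records if r["src"] == src and start <= r["time"] < end]


def triage(text, src, unplugged_from, unplugged_until):
    """Run all three checks for one source address; window bounds are strings
    in TIME_FMT."""
    recs = parse_log(text)
    start, end = (datetime.strptime(t, TIME_FMT) for t in (unplugged_from, unplugged_until))
    gaps = intervals_for(recs, src)
    return {
        "spoofed": [r["receive_time"] for r in recs if spoofed_internal_source(r)],
        "intervals": gaps,
        "two_hourly": is_periodic(gaps, 7200, 60),
        "while_unplugged": len(events_in_window(recs, src, start, end)),
    }


if __name__ == "__main__":
    print(triage(LOG, "10.1.20.55", "2013-12-14 02:00:00", "2013-12-14 06:00:00"))
```

The zone check is the same idea as an ingress anti-spoofing filter: an address from your own internal ranges has no business arriving on the outside interface, and a firewall that drops and logs such packets separately from genuine trust-to-untrust traffic avoids exactly the confusion this thread ran into.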