
Malware routing


ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Wed Dec 11, 2013 2:13 pm

Malware routing

I have an unusual problem I was wondering if anyone could shed some light on.

I had an infected host with a zeroaccess trojan. This host machine has been rebuilt and formatted but the firewall logs are still coming back as the host is sending data to and from a remote address.

I then unplugged the cable from it so there is not even any routing in its VLAN anymore. The firewall still reports data to and from it?

How is this possible? IP address spoofing? ARP poisoning? ???

triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Wed Dec 11, 2013 2:26 pm

Re: Malware routing

Can you explain the firewall setup a little more? Are we talking about a dedicated firewall device or just the built-in firewall on Windows or some other software firewall? Also, you said you unplugged the cable (assuming network), but have you made sure there is no wireless or other network connection to the system in question? Where that firewall is located will make a difference in how to answer...

Maybe you could post an example from your firewall log and mask any sensitive information out of it?

ccpik

Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Wed Dec 11, 2013 2:51 pm

Re: Malware routing

Thank you for the reply. It is a dedicated Palo firewall. There is also no wireless on the host. It is 100% disconnected from the network.

Basically it is:

Firewall
|
Switch
|
Host

I will work on the logs but basically I see the rogue host on the network IP address going to an outside IP address (part of the botnet I presume).

I have set Palo to drop zeroaccess, which it is doing, but would like to get to the root of this ideally.

I can't figure out how a host that did exist but now does not can still be showing in the logs that it is sending and receiving data even though it has lost all connectivity to anywhere.

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Dec 11, 2013 3:28 pm

Re: Malware routing

I'm not familiar with Palo Alto firewalls. Do the logs show the IP address or hostname?
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

ccpik

Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Wed Dec 11, 2013 3:30 pm

Re: Malware routing

It shows the IP address

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Dec 11, 2013 4:34 pm

Re: Malware routing

After the machine was rebuilt and formatted does it still have the same IP address?
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Wed Dec 11, 2013 4:38 pm

Re: Malware routing

It did have, but now it is off the network physically and no host exists on that IP, and the traffic is still flowing to and from. Which is why I thought IP spoofing from another host or ARP poisoning, but I do not think the zeroaccess trojan is capable of that.

triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Wed Dec 11, 2013 5:38 pm

Re: Malware routing

Well if you're certain it's unplugged from the network, then there is no way it's coming from that system. Can you run a network sniffer (like Wireshark) on your network? Maybe you can capture a MAC address as well and then go to the switch to see where it may be connected on the network.

Also, make certain your time is synched properly between all devices on the network and make sure there is no way those are old log entries in the firewall from when the system was connected to the network (post cleaning) or something of that nature.

ccpik

Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Wed Dec 11, 2013 5:52 pm

Re: Malware routing

Thanks a lot, I will try those things and update tomorrow

triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Wed Dec 11, 2013 10:51 pm

Re: Malware routing

ccpik1,

You should also do some research on the IP address(es) the "rogue" host on your network is trying to connect with. There are plenty of resources online to determine if it's connecting back to a malicious host/network.

I'm curious how you determined your host was infected with the zeroaccess trojan?

ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Thu Dec 12, 2013 4:09 am

Re: Malware routing

Palo recognizes the zeroaccess.gen signature; it has it in its database. Going to try and get a packet capture later.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Dec 12, 2013 4:55 am

Re: Malware routing

I had something similar a while back.

I'd suggest that what you're seeing is another host with a duplicate IP address causing the problems. How are IP addresses set out in the organisation, DHCP or static?

The way I tracked this down (on Cisco kit) on a routed network was to get the IP address from the firewall and trace it down to its last routing hop. Then in the router logs check the IP/MAC mapping, and which VLAN the MAC is coming in from.

Then it's a matter of backwards logging onto the switches to determine which switchport is mapped to the MAC address in question, and then cable trace that switchport.

I think what you'll find is that someone has set up a static IP in your DHCP'd network for some old piece of kit that you didn't know about - and somehow it's been infected.
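The IP-to-MAC-to-switchport trace that triznut and UKSecurityGuy describe in their replies, written out as an added Python example that is not part of this thread. It parses constructed samples in the shape of Cisco IOS `show ip arp` (last-hop router) and `show mac address-table` (access switch) output; the addresses, MACs and port names are made up. It goes one step beyond the replies by also flagging the case where the MAC sits behind an uplink port, meaning the same lookup has to be repeated on the next switch.

```python
import re

# Constructed sample in the shape of Cisco IOS "show ip arp" on the last-hop router
# (assumed format; these addresses and MACs are made up, not from the thread).
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0000.0c07.ac14  ARPA   Vlan20
Internet  10.1.20.55              3   001a.2b3c.4d5e  ARPA   Vlan20
Internet  10.1.20.60              5   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.20.61              7   00aa.bbcc.dd02  ARPA   Vlan20
Internet  10.1.20.77              0   Incomplete      ARPA
"""

# Constructed sample in the shape of "show mac address-table" on the access switch.
MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12
  20    0000.0c07.ac14    DYNAMIC     Gi1/0/48
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 3
"""

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA(?:[ \t]+(\S+))?", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.M | re.I)

def arp_lookup(ip, arp_output):
    """Return (mac, interface) for ip, or None if the router has no resolved entry."""
    for addr, mac, iface in ARP_RE.findall(arp_output):
        if addr == ip:
            # "Incomplete" means the router is asking but nothing answers: no live host.
            return None if mac.lower() == "incomplete" else (mac.lower(), iface)
    return None

def cam_entries(mac_table_output):
    """Parse (vlan, mac, port) rows out of the MAC address table."""
    return [(int(v), m.lower(), p) for v, m, p in MAC_RE.findall(mac_table_output)]

def trace_ip(ip, arp_output, mac_table_output):
    """Follow the chain IP -> MAC (router ARP) -> switchport (switch CAM table)."""
    arp = arp_lookup(ip, arp_output)
    if arp is None:
        # Nothing answers for this IP: the firewall entries are stale or mistimed, not live traffic.
        return {"ip": ip, "status": "no-arp-entry"}
    mac, iface = arp
    rows = cam_entries(mac_table_output)
    hits = [(vlan, port) for vlan, m, port in rows if m == mac]
    if not hits:
        return {"ip": ip, "mac": mac, "interface": iface, "status": "mac-not-on-this-switch"}
    vlan, port = hits[0]
    # Several MACs behind one port means an uplink or trunk: repeat the lookup on the next switch.
    status = "found" if sum(1 for _, _, p in rows if p == port) == 1 else "uplink-check-next-switch"
    return {"ip": ip, "mac": mac, "interface": iface, "vlan": vlan, "port": port, "status": status}
```

A "found" result names the access port to cable-trace; "no-arp-entry" for the address the firewall keeps reporting points back at the log timestamps and time sync rather than at a live host.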

ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Thu Dec 12, 2013 5:43 am

Re: Malware routing

Some very good ideas there, thank you. I am in the process of checking these things out. I can't ping the host now as it has been removed from the network physically. So the logs on the firewall must either be out of sync or incorrect. I thought originally IP spoofing or ARP poisoning, but this does not look likely now.

triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Thu Dec 12, 2013 5:45 pm

Re: Malware routing

Well keep us posted on what you find out is the true reason. Don't forget to research the IP/Network your infected system was trying to connect with. It might be worth blacklisting the IP and possibly network depending on what you find out.

Good luck!

ccpik

Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Sat Dec 14, 2013 2:46 pm

Re: Malware routing

Quick update...

...Palo shows two packets of data coming from the host every two hours hitting two external IP addresses. The machine is unplugged and this is still happening. It is certainly the correct host, as it is pingable when I turn it on.

I am going to try and run wireshark on the host and capture these two packets that are coming out, although leaving wireshark on for 2 hours+ may fill up the hard drive!