Finding Zeus Bot (Zbot) with Sophos UTM

Some weeks ago, the first WAN IP of one of my customers (used for outbound mail) was listed on a spam blacklist. Outbound SMTP traffic to the internet was only allowed from the mail servers, and there was no dropped packet for TCP 25 in the network logs, so I first thought a bot was using an Outlook client for spamming. I was wrong: the Spamhaus XBL said that the entry came from cbl.abuseat.org:

[Screenshot: spamlist-entry]

One hour after the blacklisting, cbl.abuseat.org said that this IP was infected with ZBot:

[Screenshot: cbl-entry]


There were outgoing connections to the IP 87.255.51.229, a sinkhole for ZBot. A reverse DNS lookup on that IP returns the name "this-domain-is-sinkholed-by.abuse.ch". So this IP was once a real ZBot command and control (C&C) server. The provider or Spamhaus (judging by the reverse DNS name, abuse.ch operates the sinkhole) changed it into a sinkhole to find infected devices that still connect to it. The server receives packets meaning "Hello, I'm an infected ZBot client, please tell me what to do", but replies with "connection refused". After that, the sinkhole reports the source IP of the packet to the spam blacklists as infected with Zeus Bot, and your IP gets listed. Note that the sinkhole only sees the public IP the traffic was NATed to, which is why the whole WAN IP is listed and not the infected machine; mapping the listing back to the internal host has to be done with your own firewall logs. To make this more visual, I made a Visio drawing:

[Diagram: zbot-visio]


I searched with a shell command for the IP 87.255.51.229 in packetfilter.log, located in /var/log/:

grep -F 87.255.51.229 /var/log/packetfilter.log

With this command we found the infected notebook: the packet filter log records the internal source IP of every logged connection, which the blacklist cannot tell you because it only sees the NAT address. This only works if the firewall rule that allowed the outgoing connection has logging enabled; accepted packets only show up in packetfilter.log when the rule logs them. You can remove ZBot / Zeus Bot with Norton Power Eraser, but the better solution is to reinstall the complete operating system. You can find more information about ZBot on the Symantec website.
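Here is the same search as a small shell script, an added example that is not from the original post. It assumes the ulogd-style key="value" line format Sophos UTM writes to packetfilter.log (srcip="…", dstip="…", action="…"); the log lines in sample_log are constructed for this example and the internal addresses are made up. It matches on the whole dstip field rather than doing a bare grep of the address, so a longer address that merely contains the same digits does not produce a false hit, and it counts connections per internal host so the machine beaconing most often ends up at the top of the list.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Sophos UTM's
# ulogd-style packetfilter.log format: one line per logged packet with
# key="value" pairs such as srcip="..." dstip="...". The log lines in
# sample_log are constructed for this example.

SINKHOLE_IP='87.255.51.229'

# Constructed sample log: one notebook (192.168.10.57) beaconing to the
# sinkhole three times, another host once, plus two decoys: a connection
# to 187.255.51.229 (contains the sinkhole IP as a substring) and the
# mail server talking SMTP to an unrelated host.
sample_log() {
    cat <<'EOF'
2013:05:14-08:12:03 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.10.57" dstip="87.255.51.229" proto="6" srcport="49211" dstport="80" tcpflags="SYN"
2013:05:14-08:12:09 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.10.22" dstip="187.255.51.229" proto="6" srcport="51002" dstport="80" tcpflags="SYN"
2013:05:14-08:32:41 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.10.57" dstip="87.255.51.229" proto="6" srcport="49380" dstport="80" tcpflags="SYN"
2013:05:14-08:40:17 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" srcip="192.168.10.5" dstip="198.51.100.25" proto="6" srcport="40012" dstport="25" tcpflags="SYN"
2013:05:14-09:01:55 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.10.12" dstip="87.255.51.229" proto="6" srcport="60210" dstport="80" tcpflags="SYN"
2013:05:14-09:02:30 utm ulogd[3521]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.10.57" dstip="87.255.51.229" proto="6" srcport="49501" dstport="80" tcpflags="SYN"
EOF
}

# Read a packet filter log on stdin and print "count srcip", busiest host
# first, for every internal host whose packets went to the IP given as $1.
# The comparison is against the whole dstip="..." value, so a substring
# hit such as 187.255.51.229 is not counted.
hosts_talking_to() {
    awk -v want="$1" '
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                # strip the 7-char srcip="/dstip=" prefix and the closing quote
                if (index($i, "srcip=\"") == 1) { src = substr($i, 8, length($i) - 8) }
                if (index($i, "dstip=\"") == 1) { dst = substr($i, 8, length($i) - 8) }
            }
            if (src != "" && dst == want) count[src]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# Stand-alone demo on the constructed log. On the UTM you would run
#   hosts_talking_to 87.255.51.229 < /var/log/packetfilter.log
sample_log | hosts_talking_to "$SINKHOLE_IP"
```

If the connections predate the current log file, feed the archived, gzip-compressed copies (on UTM 9 these typically live under /var/log/packetfilter/) into the same function with zcat instead of a redirect.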


5 thoughts on "Finding Zeus Bot (Zbot) with Sophos UTM"

  1. Hi, we are currently looking for a UTM and Sophos is on the shortlist. But why doesn't the UTM detect this and block the outgoing packets? This would be the perfect use case for a UTM vs. a classic firewall, or not?

  2. Yes, I wonder why only now… Fortinet seems to have done this for a while already (4 years) 🙂
    Not sure yet what to choose…

    • Virus-infected traffic is already detected by Sophos UTM, but we are speaking about malware that communicates like a normal PC (for example a normal HTTP connection to a server). Sophos UTM will be able to see this with hashes coming from the central Sophos cloud to recognize such traffic.

