Finding Zeus Bot (Zbot) with Sophos UTM

Some weeks ago one of my customers first WAN IP (used for mail-out) was listed in a spam blacklist. SMTP internet-traffic was only allowed for the mailservers and there was no deny-packet for tcp 25 in the network logs. So I thought a bot used an Outlook client for spaming but I was wrong. XBL said, that the entry comes from


One hour after the blacklisting, said, that this IP is infected with ZBot:



There were going connections to IP, a sinkhole for the ZBot. When you do a reverse DNS lookup you will see the name entry “”. So this IP was once ago a real ZBot Command and Control Server (C&C). The provider or Spamhaus changed this to a sinkhole to find infected devices who are connecting to this IP. The server receives the packets like “Hello I’m a infected ZBot client, please tell what I have to do” but the server replies with a “connection refused”. After this, the sinhole tells spam-blacklists that the source IP of the packet is infected with Zeus Bot and your IP will be listed in a blacklist. To make this more visual, I made a Visio drawing:



I searched via shell command for the IP in the packetfilter.log placed in /var/log/:

more /var/log/packetfilter.log | grep

with this command, we found the infected notebook. You can remove the ZBot / Zeus Bot with Norton Power Eraser, but the better solution is to reinstall the complete operating system. You can finde more information about the ZBot here at the Symantec website.


5 thoughts on “Finding Zeus Bot (Zbot) with Sophos UTM”

  1. Hi, We are currently looking for a UTm and Sophos is on the shortlist. But why doesn’t the UTM detect this and block the outgoing packets? This would the perfect Use Case for a UTm vs classic Firewall or not?

  2. Yes, i wonder why only now… Fortinet seems to do this for a while already (4 Years) 🙂
    Not sure yet what to choose…

    • Traffic with virus-infection is detected by Sophos UTM already, but we are speaking about malware, that communicate as a normal PC (for example a normal http connect to a server). Sophos UTM will be able to see this with hashes coming from the central Sophos cloud to recognize such traffic.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.