C2/Zbot-A - false positives or actual infection?

Every once in a while I get a hit in Advanced Threat Protection for C2/Zbot-A. Those are single hits, with pretty benign destinations (usually targeting one of the DNS servers used by our infrastructure).

The first time it happened I scanned the specific machine UTM pointed at and found nothing, and I was sure this was a false positive. However, this keeps coming back - not frequently, mind you, just... once every 2 weeks or so there's another hit.

Is this a false positive? I THINK it's all false positives, because of the following:

C2/Zbot-A will be reported in the following two scenarios:

  • Sophos detecting C2/Zbot-A on a configuration file downloaded from the C&C server. The detection may occur on an infected endpoint or on the network (for example the Sophos web appliance or UTM).
  • Sophos blocking network traffic (reputation or IPS filtering), where the remote server is reported to be a Zbot C&C server.

Am I right that these are all false positives, or should I be worried? If these ARE false positives, is there any way to prevent this from happening? Getting a warning on a weekend when I'm trying to relax is really not helpful. ;)

  • What's the IP of the remote server, Mateusz?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I take it you mean the "destination" data of the Advanced Threat Protection? Well, here's the thing, these always contain fully qualified names (never IP addresses). In a LOT of cases it's... the UTM's internal DNS name. In a few other cases it's our ISP's servers ("static.tempus.net.pl" or "ip-185-68-25-49.tempus.net.pl").

  • Hmm, so... shameless bump...

    I'm still getting those warnings every now and again, and I still don't know what to do about them... :( Any suggestions?

  • From my experience it depends on the blocking method (Firewall / IP, URL or DNS Lookup).

    While URLs or DNS lookups usually point to very specific malicious domains, they are most likely really malicious.

    If the IPTables IP Blocklist triggers as the block reason, it also might be any other application having traffic to a potentially infected IP address. This might happen with P2P applications such as bittorrent, emule, etc., or sometimes also a legitimate visit to a URL which might be partly infected.

    Otherwise, blocked lookups to domains such as xxjiardhjposaihf.ru and similar strange names usually are a strong indicator for an infection; blocked IP connections to an IP u.v.w.x *could* indicate an infection, but also might be a FP due to an accidental access for other legitimate reasons.

    /Sascha

  • Hi, thanks for the reply. Unfortunately, this... doesn't really help much.

    Here's the email I'm getting and the log in Sophos:

    Advanced Threat Protection

    A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Zbot-A (SID: 26267)
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx
    Time...........: 2018-07-02 09:13:28
    Traffic blocked: yes

    Source IP address or host: <our internal .LOCAL domain name>

    --
    System Uptime      : 86 days 16 hours 5 minutes
    System Load        : 0.58
    System Version     : Sophos UTM 9.509-3

    Please refer to the manual for detailed instructions.

    The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

    View of the ATP main screen:

    1 10.150.4.58 C2/Zbot-A <internal sophos URL> 1 IPS
    2 10.150.1.16 C2/Zbot-A google-public-dns-a.google.com 1 IPS
    3 10.150.4.58 C2/Zbot-A <internal sophos URL> 2 IPS
    4 10.150.4.37 C2/Zbot-A <internal sophos URL> 1 IPS
    5 10.150.4.77 C2/Zbot-A <internal sophos URL> 1 IPS
    6 10.150.1.25 C2/Zbot-A static.tempus.net.pl 2 IPS
    7 10.150.1.16 C2/Zbot-A static.tempus.net.pl 2 IPS
    8 10.150.1.25 C2/Zbot-A ip-185-68-25-49.tempus.net.pl 2 IPS
    9 10.150.1.16 C2/Zbot-A ip-185-68-25-49.tempus.net.pl 3 IPS
    10 10.150.4.59 C2/Zbot-A <internal sophos URL> 1 IPS

    Note that the URLs are rather sensible. "Tempus" is our ISP.

    As you can see, none of the target URLs are in any way suspicious. These aren't strange .RU sites, or weird URLs in the slightest. Most are our own, INTERNAL, UTM address, while others are our ISP's servers or... just plain old Google...
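Sascha's rule of thumb (block origin plus how the destination name looks) can be turned into a first-pass triage of rows in the shape of the ATP overview pasted above, so each source host gets one decision: likely false positive (known infrastructure matched by an IPS signature, worth a packet capture and a look at the signature), or investigate (DNS/URL block or random-looking name on an unfamiliar domain). This is an added example, not code from the thread or from Sophos; the row layout, the sample hostnames, the consonant-run heuristic and the KNOWN_SUFFIXES allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of the ATP overview quoted in the thread:
# index, source IP, threat name, destination, hit count, block origin.
SAMPLE_ATP_ROWS = """\
1 10.150.4.58 C2/Zbot-A utm.corp.local 1 IPS
2 10.150.1.16 C2/Zbot-A google-public-dns-a.google.com 1 IPS
3 10.150.1.25 C2/Zbot-A static.tempus.net.pl 2 IPS
4 10.150.1.16 C2/Zbot-A ip-185-68-25-49.tempus.net.pl 3 IPS
5 10.150.2.7 C2/Zbot-A xxjiardhjposaihf.ru 1 DNS
""".splitlines()

# Assumed allowlist: your own DNS name plus ISP and public-resolver domains.
KNOWN_SUFFIXES = (".corp.local", ".tempus.net.pl", ".google.com")
ROW_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_row(row):
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    src, threat, dst, count, origin = m.groups()
    return {"src": src, "threat": threat, "dst": dst.lower(),
            "count": int(count), "origin": origin.upper()}

def looks_random(label):
    # Crude DGA heuristic (assumed): four or more consonants in a row.
    return re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", label) is not None

def verdict(hit):
    """Known infrastructure matched by an IPS signature is probably a false
    positive; a DNS/URL block, or a random-looking name on an unfamiliar
    domain, is the strong indicator Sascha describes."""
    dst, origin = hit["dst"], hit["origin"]
    if dst.endswith(KNOWN_SUFFIXES):
        return "likely-fp" if origin == "IPS" else "review"
    if origin in ("DNS", "URL") or looks_random(dst.split(".")[0]):
        return "investigate"
    return "review"

def triage(rows):
    """Group (destination, verdict) pairs by source host; skip unparsable rows."""
    per_host = defaultdict(list)
    for row in rows:
        hit = parse_row(row)
        if hit:
            per_host[hit["src"]].append((hit["dst"], verdict(hit)))
    return dict(per_host)

def hosts_to_investigate(rows):
    return sorted(h for h, hits in triage(rows).items()
                  if any(v == "investigate" for _, v in hits))
```

Running `hosts_to_investigate(SAMPLE_ATP_ROWS)` on the constructed rows returns only 10.150.2.7; every hit against the UTM, the ISP or Google's resolver comes back as likely-fp.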