Intrusion protection alert for DNS Servers, Win.Ransomware.BadRabbit

Hello folks
 
I receive the following error from several of our sites and IPSEC partners:
2017:11:13-11:04:04 sg330a-2 snort[32130]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop"
reason="MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt" group="500" srcip="192.168.60.113" dstip="172.20.1.2"
proto="6" srcport="53006" dstport="445" sid="44649" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
 
The dstip is always an internal Windows 2016 DNS server and the dstport is always 445.
Why is this going to the DNS Servers?
 
We put an infpub.dat and a cscc.dat file in the Windows root as explained here: https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware?hs_amp=true None of the users has admin rights. I doubt that so many computers are infected.
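
Added example, not part of the original post: a Python parser for alert lines in the format quoted above that groups hits for sid 44649 by source IP, so the triggering clients, their targets and the time window can be reviewed side by side. Only the first sample line comes from the post; the other lines, their addresses, ports and the sid "00000" are constructed.

```python
import re
from collections import defaultdict

HEADER = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) snort\[\d+\]: (?P<body>.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Field layout copied from the alert quoted in the post.
TEMPLATE = ('{ts} sg330a-2 snort[32130]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
            'name="Intrusion protection alert" action="drop" reason="{reason}" group="500" '
            'srcip="{src}" dstip="{dst}" proto="6" srcport="{sport}" dstport="445" sid="{sid}" '
            'class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"')
BADRABBIT = "MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt"
# First entry is the alert from the post; every other entry is constructed sample data.
SAMPLE = [
    TEMPLATE.format(ts="2017:11:13-11:04:04", reason=BADRABBIT, src="192.168.60.113",
                    dst="172.20.1.2", sport="53006", sid="44649"),
    TEMPLATE.format(ts="2017:11:13-11:04:09", reason=BADRABBIT, src="192.168.60.113",
                    dst="172.20.1.3", sport="53011", sid="44649"),
    TEMPLATE.format(ts="2017:11:13-11:06:30", reason=BADRABBIT, src="192.168.61.20",
                    dst="172.20.1.2", sport="49877", sid="44649"),
    TEMPLATE.format(ts="2017:11:13-11:07:00", reason="CONSTRUCTED other rule",
                    src="192.168.61.20", dst="172.20.1.2", sport="49900", sid="00000"),
    "2017:11:13-11:08:00 sg330a-2 httpproxy[4321]: constructed non-IPS line",
]

def parse_line(line):
    """Return the alert fields as a dict, or None if the line is not a snort IPS record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("body")))
    if rec.get("sub") != "ips":
        return None
    rec["ts"], rec["host"] = m.group("ts"), m.group("host")
    return rec

def summarize(lines, sid):
    """Group alerts for one rule sid by source IP: hit count, targets, first/last seen."""
    out = defaultdict(lambda: {"count": 0, "targets": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("sid") != sid or "srcip" not in rec:
            continue
        s = out[rec["srcip"]]
        s["count"] += 1
        s["targets"].add((rec.get("dstip"), rec.get("dstport")))
        # The YYYY:MM:DD-HH:MM:SS timestamps sort correctly as plain strings.
        s["first"] = min(s["first"] or rec["ts"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
    return dict(out)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE, "44649").items()):
        print(src, s["count"], sorted(s["targets"]), s["first"], s["last"])
```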
 

