This discussion has been locked.

I keep getting C2/Zbot-A false-positives

Advanced Protection of our UTM keeps flagging various internal machines with C2/Zbot-A. These machines vary in OS (some are Windows 10 clients, some are Windows Servers from different years), but all are updated with the latest Defender definitions. I've even run the Sophos AV on one machine to make sure it's clean, and found nothing.

The hosts are always internal IPs, while the destinations are either the UTM's internal host name or a public router seemingly owned by our ISP (ip-185-68-25-49.tempus.net.pl).

Is our ISP infected? Are WE infected and those aren't really false-positives? Or is UTM a bit too sensitive and flagging false positives all the time? I write "all the time" because the problem has been ongoing, and tends to happen a number of times each week. I've already tried creating a question about this before on these forums, but unfortunately haven't gotten a clear answer, so I've figured I'd try again (apologies if this is considered rude, but quite some time has passed).



  • Please provide more details about the messages you get.

    UTM recognizes bot traffic if a device tries to communicate with a known Zbot-A host/server, or via an IPS pattern.

    If your system (or your internal DNS server) tries to resolve DNS names associated with a bot server, you may see the IP of the DNS server ... not of the infected host.

    You should ask yourself, why does an internal device communicate with ISP resources or the UTM?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Here's a sample email notification I'm getting:

    Advanced Threat Protection

    A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Zbot-A (SID: 26267)

    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx

    Time...........: 2019-03-14 15:31:15

    Traffic blocked: yes

    Source IP address or host: <host name of an internal laptop>  

    --

    System Uptime      : 1 day 18 hours 26 minutes

    System Load        : 0.62

    System Version     : Sophos UTM 9.601-5

    Please refer to the manual for detailed instructions.

    The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

     

    And here's a log entry from Sophos itself:

    2019:03:13-14:13:29 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"
    2019:03:13-16:20:28 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"
    2019:03:13-18:08:03 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"

    The source IPs are external, the internal IPs are all behind the firewall and can't be accessed at all.

    Finally, here's the Advanced Threat Protection log from the Network Protection section:

    #  Source IP       Destination                    Threat        Origin  Last seen            Hosts  %      Events  %
    1  185.244.30.173  uvgczsuidrtg.com               C2/Generic-A  AFCd    2019-03-13 14:13:29  1      20.00  3       42.86
    2  10.150.1.40     ip-185-68-25-49.tempus.net.pl  C2/Zbot-A     IPS     2019-03-14 12:44:53  1      20.00  1       14.29
    3  10.150.2.10     ip-185-68-25-49.tempus.net.pl  C2/Zbot-A     IPS     2019-03-14 12:44:54  1      20.00  1       14.29
    4  10.150.4.4      firewall.[our domain]          C2/Zbot-A     IPS     2019-03-14 15:31:15  1      20.00  1       14.29
    5  10.150.4.56     firewall.[our domain]          C2/Zbot-A     IPS     2019-03-14 12:44:53  1      20.00  1       14.29

    These are the weirdest. The first entry has both the source and destination IP listing external stuff (and isn't related to the Zbot notifications). Entries 2 and 3 are from our internal network machines to our ISP's router. The final ones are from our internal machines to Sophos itself (using an internal-only DNS name).

    Again, I've run checks on these machines to see if they are infected, and have not found anything, including installing the Sophos AV itself, and I'm very confused (and somewhat worried)...

    EDIT:

    I just realized that the log files in Sophos (the actual TEXT log files) don't contain ANYTHING for the Zbot entries! The 3 records are for the "C2/Generic-A" detection and I checked a number of months back! Shouldn't these records be in the "Advanced Threat Detection" logs?

  • Look at the IPS log.

    Because you see "IPS" as the event source, you should find more details there.

    The external-to-internal communication may be an answer packet containing striking content.

    The protocols used for the communication (DNS/HTTP/...) are interesting.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Here's all I found (related to the entries above) in the IPS logs:

    2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.56" dstip="10.150.1.34" proto="17" srcport="58631" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.1.40" dstip="185.68.25.49" proto="17" srcport="53602" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2019:03:14-12:44:54 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.2.10" dstip="185.68.25.49" proto="17" srcport="64307" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2019:03:14-15:31:15 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.4" dstip="10.150.1.34" proto="17" srcport="55503" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
  • Here you see 4 different hosts asking for the name of a Zeus CNC server.
    10.150.4.56
    10.150.1.40
    10.150.2.10
    10.150.4.4

    If one of these systems is an internal DNS server, you should enable logging at this server and look for the origin of the DNS request.

    On the others, you should try to clean/replace the system.

    A well-made virus / Trojan will not be visible to the scanner while the system is running.
    You can try to boot an offline scanner from CD.
    But ... we have seen a system where no virus can be found.
    After installing a new hard drive, the same operating system and all applications, the messages disappeared.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Two of these are internal DNS servers used primarily for local use (serving only as a backup for external DNS queries). They're both running Windows Server and, in theory at least, shouldn't have anything on them, since they were fairly recently reinstalled anyway. I'll see about enabling logging...

    EDIT: Hmm, I'm having a really hard time enabling logging on our Windows Servers for some reason. Anyway, that's for me to solve. I was wondering, since the UTM also acts as a DNS forwarder, any chance to get logs for that? I know I can use TCPDUMP but I don't want to leave a console window running forever - I need an actual log for when a hit finally happens to be able to check what's going on.

  • Hi Mateusz,

    Agreed with Dirk, these are not false positives.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Because your internal clients don't ask the Sophos SG directly but the internal DNS servers, the SG only sees the internal DNS servers as the source.

    You should check the log files from your internal DNS server.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
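The correlation Dirk describes (the UTM only sees the internal DNS server as srcip, so the real client has to be found in that server's own query log) can be automated. The Python below is an added example, not code from the thread or from Sophos. It parses the UTM key="value" log lines shown above (both the snort IPS alerts and the afcd ATP drops), keeps the DNS-based IPS alerts, and for each alert whose source is one of the internal Windows DNS servers looks up the client queries that server received within two seconds of the alert in its debug log. Assumptions: 10.150.1.40 and 10.150.2.10 are taken to be the two internal DNS servers (the thread says two of the four hosts are DNS servers but does not name them; these are the two forwarding to the ISP resolver), the Windows DNS debug log is in its standard packet-logging layout with a US-locale date, and the debug-log lines are constructed samples querying "example.invalid" (the name behind sid 26267 is not in the thread).

```python
"""Trace Sophos UTM IPS DNS alerts back to the client that sent the query.

When clients resolve through an internal DNS server, the UTM only sees that
server as srcip. For such alerts the origin has to come from the DNS server's
own query log; this script correlates the two by time.
"""
import re
from datetime import datetime, timedelta

# Assumption: the two internal Windows DNS servers. The thread says two of the
# four flagged hosts are DNS servers but does not say which; these two are the
# ones forwarding to the ISP resolver 185.68.25.49.
INTERNAL_RESOLVERS = {"10.150.1.40", "10.150.2.10"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Windows DNS debug-log packet line (assumed standard layout, US date locale):
# 3/14/2019 12:44:52 PM 0E7C PACKET  000000B2E6A5A2A0 UDP Rcv 10.150.4.23 0003 Q [0001 D NOERROR] A (7)example(7)invalid(0)
WIN_DNS_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote>\S+)\s+\S+\s+(?P<qr>[QR]) "
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)


def parse_utm_line(line):
    """Parse a UTM log line (snort IPS or afcd ATP) into a dict of its fields."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["time"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")
    return fields


def parse_windows_dns_line(line):
    """Parse one Windows DNS debug-log packet line; None if it is not one."""
    m = WIN_DNS_RE.match(line.strip())
    if not m:
        return None
    # "(7)example(7)invalid(0)" -> "example.invalid"
    name = re.sub(r"\(\d+\)", ".", m.group("name")).strip(".")
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "dir": m.group("dir"), "qr": m.group("qr"),
        "client": m.group("remote"), "name": name,
    }


def trace_origins(ips_lines, dns_logs, window=timedelta(seconds=2)):
    """Map each IPS alert source to the hosts that really sent the DNS query.

    dns_logs: {resolver_ip: [debug-log lines]}. A non-resolver source is its
    own origin (qname None: the IPS alert does not carry the queried name).
    For a resolver source, every query the resolver *received* within
    `window` of the alert is a candidate; an empty list means no match.
    """
    origins = {}
    for line in ips_lines:
        alert = parse_utm_line(line)
        if alert.get("sub") != "ips" or alert.get("dstport") != "53":
            continue  # only DNS-based IPS alerts are traced this way
        src = alert["srcip"]
        origins.setdefault(src, [])
        if src not in INTERNAL_RESOLVERS:
            origins[src].append((src, None))
            continue
        for raw in dns_logs.get(src, []):
            q = parse_windows_dns_line(raw)
            if (q and q["dir"] == "Rcv" and q["qr"] == "Q"
                    and abs(q["time"] - alert["time"]) <= window):
                origins[src].append((q["client"], q["name"]))
    return origins


# Two IPS lines copied from the thread: one client querying the UTM directly,
# one internal DNS server querying the ISP resolver.
IPS_LINES = [
    '2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.56" dstip="10.150.1.34" proto="17" srcport="58631" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
    '2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.1.40" dstip="185.68.25.49" proto="17" srcport="53602" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
]

# Constructed debug-log sample for 10.150.1.40 (not from the thread): a client
# query received one second before the alert, the forwarded copy sent on to
# the ISP resolver, and an unrelated earlier query.
WINDOWS_DNS_LOGS = {
    "10.150.1.40": [
        "3/14/2019 12:44:52 PM 0E7C PACKET  000000B2E6A5A2A0 UDP Rcv 10.150.4.23     0003   Q [0001   D   NOERROR] A      (7)example(7)invalid(0)",
        "3/14/2019 12:44:53 PM 0E7C PACKET  000000B2E6A5A2A0 UDP Snd 185.68.25.49    a81c   Q [0001   D   NOERROR] A      (7)example(7)invalid(0)",
        "3/14/2019 12:40:10 PM 0E7C PACKET  000000B2E6A5B100 UDP Rcv 10.150.4.77     0009   Q [0001   D   NOERROR] A      (3)www(6)sophos(3)com(0)",
    ],
}

if __name__ == "__main__":
    for src, hits in trace_origins(IPS_LINES, WINDOWS_DNS_LOGS).items():
        print(src, "->", hits or "no matching query in debug log")
```

The two-second window is deliberately tight: the UTM and the DNS server must have synchronized clocks for this to work, and the forwarded ("Snd") copy of the query is skipped so that the ISP resolver is never reported as a client. The alert from 10.150.4.56 needs no lookup because that host queried the UTM directly and is therefore its own origin.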

  • Hmm, this is highly disconcerting.

    I'll probably reconfigure the DNS settings so that the UTM is the only DNS server for external addresses. That should make it easier to figure out where the culprits are.

    I'm not sure what the next step should be, however. A nuke-from-orbit on the identified machines is, of course, a possibility. But I would prefer it if I could selectively remove the problem, rather than do a whole reinstall. I'm also a bit worried about how this came to be. Well, someone clearly installed something they weren't supposed to on their machine, this much is obvious, but I'd like to know what exactly that person did - it's very unlikely someone installed anything malicious on purpose, so finding the offending application / action might be difficult... But the machines are all running the latest Defender updates... (Yes, I know Defender isn't the best, but it's not the worst either.)

  • Mateusz , what happens if you boot the devices from a Kaspersky Rescue Disk?

    Cheers - Bob
