Computers are infected through "drive-by download" attacks:
- Users who download and execute suspicious programs (ActiveX controls, Java applets, ...) without understanding the consequences.
- Downloads that happen without user authorization (malware, browser exploits, ...).
ZeroAccess makes money through pay-per-click advertising using click fraud, which is a very lucrative business.
This post does not analyze the Trojan itself. It shows how to detect it with Fortigate firewalls and with Snort on OSSIM, without relying on antivirus.
This Trojan uses port 16464/udp, but I have also seen traffic on ports 16465/udp, 16470/udp and 16471/udp. Deny and log this traffic to detect infected hosts.
First, create a custom service for these UDP ports.
Then create a policy rule that denies and logs that service, placed at the top of your policy list.
Finally, watch your logs and filter on the ID of this policy rule. The matching log entries show the infected source IP.
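As an added example (not from the original post), the log-watching step as a small script: it reads firewall deny entries and lists every internal source IP that tried to reach the ZeroAccess UDP ports. The log lines are constructed samples in a key=value style modelled on FortiGate traffic logs, and policyid=7 is an assumed ID for the deny rule described above.

```python
import re
from collections import defaultdict

# UDP ports observed in use by ZeroAccess
ZEROACCESS_UDP_PORTS = {16464, 16465, 16470, 16471}

# Constructed sample lines (not real logs), FortiGate-style key=value format.
# policyid=7 is assumed to be the deny+log rule created for these ports.
SAMPLE_LOG = """\
date=2013-02-12 time=10:01:02 type=traffic action=deny policyid=7 srcip=192.168.1.23 dstip=203.0.113.45 srcport=16464 dstport=16464 proto=17
date=2013-02-12 time=10:01:03 type=traffic action=accept policyid=2 srcip=192.168.1.50 dstip=198.51.100.10 srcport=51234 dstport=443 proto=6
date=2013-02-12 time=10:01:05 type=traffic action=deny policyid=7 srcip=192.168.1.23 dstip=203.0.113.99 srcport=16464 dstport=16470 proto=17
date=2013-02-12 time=10:01:09 type=traffic action=deny policyid=7 srcip=192.168.1.77 dstip=203.0.113.12 srcport=16471 dstport=16471 proto=17
date=2013-02-12 time=10:01:11 type=traffic action=deny policyid=9 srcip=192.168.1.80 dstip=203.0.113.12 srcport=40000 dstport=16464 proto=6
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def suspected_hosts(log_text, policy_id=None):
    """Return {srcip: set of dstip} for denied UDP flows to ZeroAccess ports.

    Only proto=17 (UDP) deny entries count; TCP hits on the same port numbers
    are ignored. If policy_id is given, only hits on that rule are counted.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("proto") != "17" or rec.get("action") != "deny":
            continue
        if policy_id is not None and rec.get("policyid") != str(policy_id):
            continue
        if int(rec.get("dstport", 0)) in ZEROACCESS_UDP_PORTS:
            hits[rec["srcip"]].add(rec["dstip"])
    return dict(hits)


if __name__ == "__main__":
    for src, peers in sorted(suspected_hosts(SAMPLE_LOG, policy_id=7).items()):
        print(f"{src}: {len(peers)} distinct destination(s) on ZeroAccess UDP ports")
```

A host that appears with several distinct destinations on these ports in a short window is the one to pull off the network and clean; a single hit may just be a scan.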
If you are working with OSSIM and Snort, add the following rules to your policies.
First, go to "Policy & Actions" and click on "Trojan".
Type ZeroAccess and add all of the Snort results.
Finally, go to Analysis --> Security Events and search for the signature ZeroAccess.
That's awesome, Javier! None of the security sites provided any useful port information, but you nailed it. Thank you for helping me to detect the computer that was infected with ZeroAccess.
In desperation (for a short time) it is also possible to just tell Windows Firewall to only allow those ports to communicate with the local IP number, killing all external traffic.
Thank you, Javier!!
You helped me nail this down quick! Luckily it's only a single PC on my LAN that was infected.