Event Log Management

Logs .. Logs and More Logs

Tracking down ZeroAccess botnet

Normally I focus on the Windows Event Log, but today I’m going to stray into the world of firewall logs. Over the last several months I’ve been helping customers with Proofs of Concept for LogRhythm, and one of the things that I have found with several of my customers has been the ZeroAccess botnet. It’s actually very easy to track down. One of the rules that LogRhythm Labs has set up, and which comes out of the box, is focused on finding any ZeroAccess bots; see Fig 1.

ZeroAccess AIE Rule

Fig 1.

ZeroAccess is a peer-to-peer botnet operating over ports 16464, 16465, 16470, or 16471. Each infected host maintains a list of 256 peers that it attempts to connect to over these ports. Once communications are established, payloads and instructions are transferred through the peers.

A simple Unique Values AIE rule was configured that looked for network connections on the appropriate ports, originating from a single host and trying to communicate with 100 or more unique hosts.  Since each infected host attempts to connect to 256 peers, 100 unique hosts was a good number, as it minimizes false positives that might be generated should a host attempt legitimate communications over any of those ports.
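The same Unique Values logic, run over firewall log lines, as an added example (not the LogRhythm rule itself). The log line format, IP addresses and sample traffic are all constructed for the example; the ports and the 100-unique-host threshold come from the post.

```python
import re
from collections import defaultdict

# Ports and threshold taken from the post's description of the AIE rule.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}
UNIQUE_HOST_THRESHOLD = 100

# Constructed, vendor-neutral firewall log format used by this example:
# "<timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^\S+ (?:ALLOW|DENY) (?:TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return (src, dst, dport) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("dst"), int(m.group("dport"))) if m else None

def unique_peers_per_source(lines):
    """Map each source IP to the distinct destinations it tried to reach on a
    ZeroAccess port. Denied attempts count too: the fan-out is the indicator."""
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in ZEROACCESS_PORTS:
            peers[parsed[0]].add(parsed[1])
    return peers

def find_suspected_bots(lines, threshold=UNIQUE_HOST_THRESHOLD):
    """Return {src_ip: unique_peer_count} for sources at or above threshold."""
    return {src: len(dsts) for src, dsts in unique_peers_per_source(lines).items()
            if len(dsts) >= threshold}

def sample_log():
    """Constructed sample: 10.0.0.5 fans out to 150 peers on 16464 (every attempt
    logged twice), 10.0.0.9 reaches 3 hosts on 16471, and 10.0.0.7 talks to 120
    web servers on 443, which the port filter must ignore."""
    lines = [f"2013-10-29T10:00:00 DENY UDP 10.0.0.5:53210 -> 203.0.113.{i + 1}:16464"
             for i in range(150)] * 2
    lines += [f"2013-10-29T10:01:00 ALLOW UDP 10.0.0.9:40000 -> 198.51.100.{i + 1}:16471"
              for i in range(3)]
    lines += [f"2013-10-29T10:02:00 ALLOW TCP 10.0.0.7:50000 -> 192.0.2.{i + 1}:443"
              for i in range(120)]
    lines.append("this line is garbled and must be skipped, not crash the parser")
    return lines

if __name__ == "__main__":
    for src, count in find_suspected_bots(sample_log()).items():
        print(f"ALERT possible ZeroAccess bot: {src} contacted {count} unique peers")
```

Only the host that fans out to 150 distinct peers on a ZeroAccess port trips the rule; the host browsing 120 web servers never enters the count because the port filter is applied before destinations are tallied.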

http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf

http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf


October 29, 2013 Posted by | Auditing, Hacking, ZeroAccess