Quick question regarding - MALWARE-CNC Win.Trojan.ZeroAccess



  • Hi there,

    Hoping someone can help me out a little here.  I am new to pfsense, having built a new box a few days ago and have been learning as I go.  Having lots of fun thus far :)

    I have SNORT set up and active and have been watching the alerts for past few days.  Naturally quite a few false positives which I've been building a supress list from.

    However today I've caught the following in my logo which SNORT blocked.  First I've seen of any references to Trojans so wanted to get some clarification.

    UDP A Network Trojan was Detected 66.240.205.34
    sPort:  1066 / Dport:  16464
    SID:  1:31136
    MALWARE-CNC Win.Trojan.ZeroAccess inbound connection

    The IP:  66.240.205.34
    Which resolves to:  malware-hunter.census.shodan.io

    Am I safe in assuming that this is a false positive and was triggered by this Shodan search engine scanning ports or is it perhaps something a bit more sinister?

    There was nothing else in the log around this time connected to it.

    Thank you very much for any assistance.

    Mike



  • Mike,

    We deployed some new code on our crawler "malware-hunter.census.shodan.io" (IP 66.240.205.34) that checks for various RAT Command & Control (C2) servers - in your case it was checking for a ZeroAccess C2. Here are the results which have been gathered for the past few hours on the ZeroAccess malware:

    https://www.shodan.io/search?query=product%3Azeroaccess

    I know some security products flag our crawlers as being infected by the RAT software since the crawlers essentially pretend to be infected but I can assure you that the Shodan servers aren't actually infected or trying to spread malware. And the request sent from our crawlers is simulating an infected client reporting back to its control center; i.e. it isn't performing an attack but rather letting the C2 know that it was successfully compromised. The data is being used to identify command & control servers on the Internet and shut them down. I apologize for the inconvenience!

    Best regards,

    -John


  • Banned

    Something you might be interested in while learning pfSense and specifically IPS is pfMonitor. Check it out in the link.

    It is in Beta now, the developer is rolling out features rapidly. It lets you compare your firewall hits to other firewalls, gives notes and articles about new attacks and IP's and categorizes IP's so that you can figure out which attackers are serious or true attacks and which are just false positives.

    For example, this IP has over 1000 hits on my firewall, but none on any of the other firewalls in the program, which seems kind of strange to me, but probably is because I use a few custom rules that caught the IP (which it sounds like is a FP).

    It summarized all of the ports, and how many times that IP has hit my firewall when I searched it.

    It really has a ton of great data in it.

    I'll be writing up a review and a quick youtube video on it after I've had a chance to use it for a while and figure out all of its uses.

    https://forum.pfsense.org/index.php?topic=120972.0


Log in to reply