Netgate Discussion Forum

    Quick question regarding - MALWARE-CNC Win.Trojan.ZeroAccess

IDS/IPS
Rorinson:

      Hi there,

Hoping someone can help me out a little here. I am new to pfSense, having built a new box a few days ago, and have been learning as I go. Having lots of fun thus far :)

I have SNORT set up and active and have been watching the alerts for the past few days. Naturally there are quite a few false positives, which I've been building a suppress list from.

However, today I caught the following in my log, which SNORT blocked. It is the first I've seen of any references to Trojans, so I wanted to get some clarification.

      UDP A Network Trojan was Detected 66.240.205.34
      sPort:  1066 / Dport:  16464
      SID:  1:31136
      MALWARE-CNC Win.Trojan.ZeroAccess inbound connection

      The IP:  66.240.205.34
      Which resolves to:  malware-hunter.census.shodan.io

      Am I safe in assuming that this is a false positive and was triggered by this Shodan search engine scanning ports or is it perhaps something a bit more sinister?

      There was nothing else in the log around this time connected to it.

      Thank you very much for any assistance.

      Mike

achillean:

        Mike,

        We deployed some new code on our crawler "malware-hunter.census.shodan.io" (IP 66.240.205.34) that checks for various RAT Command & Control (C2) servers - in your case it was checking for a ZeroAccess C2. Here are the results which have been gathered for the past few hours on the ZeroAccess malware:

        https://www.shodan.io/search?query=product%3Azeroaccess

I know some security products flag our crawlers as being infected by the RAT software, since the crawlers essentially pretend to be infected, but I can assure you that the Shodan servers aren't actually infected or trying to spread malware. And the request sent from our crawlers is simulating an infected client reporting back to its control center; i.e. it isn't performing an attack but rather letting the C2 know that it was successfully compromised. The data is being used to identify command & control servers on the Internet and shut them down. I apologize for the inconvenience!

        Best regards,

        -John

pfBasic:
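The exchange above amounts to a small triage procedure: the alert was SID 1:31136 on UDP/16464 from 66.240.205.34, its PTR record is under census.shodan.io, and John's reply confirms the crawler only mimics an infected client checking in. The script below, an added example that is not part of the thread and not pfSense or Shodan code, automates that check over Snort "fast" alert lines as the pfSense Snort package writes them: parse the line, reverse-resolve the source, mark hits from known research-scanner domains, and emit a pfSense/Snort suppress-list entry that is scoped to the SID and that source IP only (rather than silencing the SID globally, which would also hide a real ZeroAccess check-in from an unknown host). The sample alert lines, the rule revision number, the second source 198.51.100.77, the destination 203.0.113.5 and the PTR table are all constructed for the example; the scanner-domain suffix list is an assumption you would maintain yourself.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Snort "fast" alert layout (pfSense Snort package, /var/log/snort/.../alert):
#   <time>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumption: reverse-DNS suffixes you treat as research scanners. The Shodan
# crawler in the thread resolved to malware-hunter.census.shodan.io.
RESEARCH_SCANNER_SUFFIXES = (".census.shodan.io", ".shodan.io")

# Constructed sample input (rev number, second source and destination are made up).
SAMPLE_ALERTS = [
    "05/22-10:15:01.123456  [**] [1:31136:3] MALWARE-CNC Win.Trojan.ZeroAccess inbound connection "
    "[**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 66.240.205.34:1066 -> 203.0.113.5:16464",
    "05/22-10:17:42.654321  [**] [1:31136:3] MALWARE-CNC Win.Trojan.ZeroAccess inbound connection "
    "[**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 198.51.100.77:40201 -> 203.0.113.5:16464",
]
# Constructed PTR table so the example runs offline; 198.51.100.77 deliberately has no PTR.
SAMPLE_PTR = {"66.240.205.34": "malware-hunter.census.shodan.io"}


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one Snort fast-format alert line; return None for anything else."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def live_ptr_lookup(ip: str) -> Optional[str]:
    """Real reverse lookup for production use; the test below injects a dict instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify(alert: Alert, ptr_lookup: Callable[[str], Optional[str]]) -> str:
    """'research-scanner' if the source's PTR is under a known scanner domain, else 'investigate'."""
    ptr = ptr_lookup(alert.src)
    if ptr and ptr.rstrip(".").lower().endswith(RESEARCH_SCANNER_SUFFIXES):
        return "research-scanner"
    return "investigate"


def suppress_entry(alert: Alert) -> str:
    """pfSense Snort suppress-list line, scoped to this SID and this source only."""
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track by_src, ip {alert.src}"


def triage(lines: List[str],
           ptr_lookup: Callable[[str], Optional[str]]) -> List[Tuple[Alert, str, Optional[str]]]:
    """Return (alert, verdict, suppress-line-or-None) for every parseable line."""
    out = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        verdict = classify(alert, ptr_lookup)
        out.append((alert, verdict, suppress_entry(alert) if verdict == "research-scanner" else None))
    return out


if __name__ == "__main__":
    for alert, verdict, supp in triage(SAMPLE_ALERTS, SAMPLE_PTR.get):
        print(f"{alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} sid {alert.gid}:{alert.sid} {verdict}")
        if supp:
            print("  " + supp)
```

The emitted `suppress gen_id 1, sig_id 31136, track by_src, ip 66.240.205.34` line is what you would paste into the Snort suppress list in pfSense. The second sample alert gets "investigate" because its source has no scanner PTR; a PTR check is a convenience, not proof, since scanner addresses change and PTR records are controlled by whoever owns the reverse zone, so an unexplained hit from an unknown source still deserves a look at whether anything on your side actually listens on UDP/16464.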

          Something you might be interested in while learning pfSense and specifically IPS is pfMonitor. Check it out in the link.

It is in Beta now; the developer is rolling out features rapidly. It lets you compare your firewall hits to those of other firewalls, gives notes and articles about new attacks and IPs, and categorizes IPs so that you can figure out which attackers are serious or true attacks and which are just false positives.

For example, this IP has over 1000 hits on my firewall but none on any of the other firewalls in the program, which seems kind of strange to me, but is probably because I use a few custom rules that caught the IP (which, it sounds like, is an FP).

          It summarized all of the ports, and how many times that IP has hit my firewall when I searched it.

          It really has a ton of great data in it.

          I'll be writing up a review and a quick youtube video on it after I've had a chance to use it for a while and figure out all of its uses.

          https://forum.pfsense.org/index.php?topic=120972.0

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.