Who is causing IP to be listed on CBL because of Gozi Trojan?



  • I am using pfSense just as a router and firewall for incoming traffic. But now the WAN IP is listed due to outbound traffic caused by the Gozi Trojan.

    I have never looked into analyzing outbound traffic, so I am starting from scratch. Is there a package or feature that can block outbound malicious traffic and log it, so I can find the infected local machines?

    thanks



  • :o    Quite the beast you think you may have. The link below will help you know the animal you are looking for, including what to look for in a packet capture. They have also written a Snort rule for detection. You may be dealing with a newer variant.
    https://www.secureworks.com/research/gozi



  • @Tillebeck:

    I am using pfSense just as a router and firewall for incoming traffic. But now the WAN IP is listed due to outbound traffic caused by the Gozi Trojan.

    I have never looked into analyzing outbound traffic, so I am starting from scratch. Is there a package or feature that can block outbound malicious traffic and log it, so I can find the infected local machines?

    thanks

    If you want to identify the infected machine on your LAN, then install the Snort package and configure your LAN as the interface to run it on.  This way any alerts generated by machines on your LAN will show up with their native LAN IP address.  If you run Snort on your WAN, it will only see your outbound internal traffic after NAT rules have been applied, so all internal LAN hosts will show up as having the WAN interface IP.  That won't be helpful with locating the infected internal host.

    If you have never used an IDS/IPS before, there are some "getting started" resources in the Sticky Topics at the top of the IDS/IPS sub-forum within the Packages forum here.  There is also documentation on the pfSense Wiki for Snort.

    Bill
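To illustrate the point made above about LAN versus WAN placement, here is an added example (not from this thread, nor part of the pfSense or Snort projects) that parses Snort's "alert_fast" log format and ranks alert sources so the noisiest internal host stands out. The two log excerpts are constructed for the example: the same infection seen by a LAN-interface Snort (real 192.168.1.x sources) and by a WAN-interface Snort (every source already rewritten to the WAN address, assumed here to be 203.0.113.200). The rule SIDs 9000001-9000003, their messages, and all addresses are made up for illustration and are not real Snort/ET rules or a real Gozi C2.

```python
import ipaddress
import re
from collections import Counter

# Snort "alert_fast" line layout:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: Snort bound to the LAN interface sees pre-NAT source addresses.
# SIDs 9000001-9000003 and every IP here are invented for the example.
LAN_ALERTS = """\
01/23-14:05:12.123456  [**] [1:9000001:1] LOCAL Gozi-style C2 beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49321 -> 198.51.100.10:80
01/23-14:05:13.001122  [**] [1:9000001:1] LOCAL Gozi-style C2 beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49322 -> 198.51.100.10:80
01/23-14:07:40.555000  [**] [1:9000002:1] LOCAL spam-bot SMTP burst (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:49400 -> 192.0.2.25:25
01/23-14:09:01.000001  [**] [1:9000003:1] LOCAL policy: DNS to non-local resolver (constructed) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.77:53211 -> 192.0.2.53:53
"""

# Constructed sample: the same C2 beacons seen by Snort on the WAN interface, after
# outbound NAT has rewritten the source to the (assumed) WAN address 203.0.113.200.
WAN_ALERTS = """\
01/23-14:05:12.123456  [**] [1:9000001:1] LOCAL Gozi-style C2 beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.200:61001 -> 198.51.100.10:80
01/23-14:05:13.001122  [**] [1:9000001:1] LOCAL Gozi-style C2 beacon (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.200:61002 -> 198.51.100.10:80
"""


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-matching lines."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"]) if alert["prio"] else None
    return alert


def rank_sources(log_text, max_priority=1):
    """Count alerts per source IP, keeping only alerts whose Snort priority is
    max_priority or more severe (priority 1 is the most severe)."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        if alert["prio"] is not None and alert["prio"] > max_priority:
            continue
        counts[alert["src"]] += 1
    return counts.most_common()


def suspect_hosts(log_text, lan_cidr, max_priority=1):
    """Ranked (ip, count) list restricted to sources inside the LAN subnet.
    An empty result while rank_sources() is non-empty is the symptom of running
    Snort on the WAN side: every source has already collapsed to the WAN IP."""
    net = ipaddress.ip_network(lan_cidr)
    return [(ip, n) for ip, n in rank_sources(log_text, max_priority)
            if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    print("LAN-side Snort, priority-1 sources:", suspect_hosts(LAN_ALERTS, "192.168.1.0/24"))
    print("LAN-side Snort, all priorities:   ", suspect_hosts(LAN_ALERTS, "192.168.1.0/24", 3))
    print("WAN-side Snort, raw sources:      ", rank_sources(WAN_ALERTS))
    print("WAN-side Snort, LAN hosts found:  ", suspect_hosts(WAN_ALERTS, "192.168.1.0/24"))
```

Point the script at the alert file for the LAN interface (on pfSense the Snort package keeps per-interface logs under /var/log/snort/, with an interface-specific subdirectory) and the top entry of `suspect_hosts()` is the machine to pull off the network and image. Start with priority 1 alerts only; widening `max_priority` brings in policy-style noise such as the constructed DNS rule, which is useful for corroboration but not for the first cut.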



  • Thanks. I have found a guide on how to install/configure Snort. Never tried it. It will be fun :-)

    Best regards, Anders

