snort-block - 1-31136 - Trojan.Zero.Access inbound - general confuses



  • Hello folks,

    I am getting the following Blocks / Alerts on my WAN Interface now for several Days:

    Description: MALWARE-CNC Win.Trojan.ZeroAccess inbound connection
    GID-SID: 1:31136
    Priority: 1
    Class: A Network Trojan was Detected
    src IPs: [multiple, changing at least after 2 attempts]
    dest IPs: WAN-Interface

    To be clear about this: as it seems it should not be passing WAN or even coming from LAN (as far as I can see...snort on WAN is blocking, on LAN not yet...I'm still working on this issue to minimize / work out false positives)

    I've checked my (main) Host several times, clean.

    First I thought it might be maybe initiated either by TV, Printer or especially my Android Phone in the local network. But it doesnt look to me like that...

    I captured several Packets (PacketCapture) now for about a Week.
    I'm not familiar with WireShark but installed it and just even checked shortly the last CAP via Display Filter for last 3 src IPs of these special Alerts.

    The three IPs are different but the MAC SRC seems always to be the same...? The OEM Part you can find down, but for first I won't post the unique ID of it. Anyway, the MAC must be spoofed as they are always the same but from several Geos, even Continents... At least from the last 3 different src IPs I shortly just checked the MAC's all the same (!)

    For "ETHERNET II" (below FRAME in WireShark) there are the following Infos:
    SRC: AvmAudio_00:e0:a5 (00:e0.a5:..:..:..) (followed by my WAN as DST)

    I've searched several days for the snort Alert and it ain't really got clear to me whether it really just are several IT SEC Professionals looking for CnC Servers (as claimed in a Post from a "seems-so" shodan*io Official 1Post User called "achillean" even in this Forum several years ago...) or not. Especially as I read that the Zero.Access Trojan itself shall be outdated (..? i doesn't look so...)

    I also checked several IPs on different IP Abuse Lookup Sites. Most claim not to know the IP while one other claims em all to be malicious.

    I don't mind to know about the high level wars on the web and I guess as a Newby I even don't want it either...but I want to know if any of my Devices is infected or not. Anyway, as I see it should be illegal to try to break into others Networks, so why should official IT SEC Organizations / Privatiers / Companys try now for about one Week to get into Networks?
    And yes...my IP's changing 24 hourly, but if a "scan / attack" starts there are at least 5-10 IPs triggering the alert within 1 or 2 hours, mostly in 2 up to 3 "blocks" a day...

    Anyway, I'd really be appreciated if you let me know about your experience especially with this PRIORITY:1 Trojan Inbound Alert mentioned above as it is the only PRIORITY1 Alert I get more than 1 time. But this one therefore that massively...

    So what is your oppinion? Are IT SECs searching bad guys or might any of my Devices at least be "ignitionally infected" (so maybe it got the ignited Infection but snort stopping servers from letting it download the rest of the shit..or so? It doesnt would make sense to me as LAN seems to be clear)

    Thank you so much!
    BSA66

    PS: I put it in General Discussion because I didn't knew where else to put it. If it is okay by Forum Policy I'll be appreciated to see it in the IDS/IPS subs as there should be maybe more ppl knowing about this special Alert. ;-)

    PPS: To be clear about this: as it seems to me it IS NOT yet in the LAN or "outbounded" Traffic as it is always INBOUND on WAN. And this is the only positive point I can figure in this issue out...