I received the warning below. The affected IP is a perfectly normal server, a LAMP server (Debian Squeeze) on which several websites run.
Unfortunately we can't really make sense of the problem. As far as I know, a trojan like this nests itself on Windows PCs, not on Linux servers. Apparently, however, it was detected that an outgoing TCP connection on port 80 to the sinkhole IP 82.165.38.206 was made from this server. Unfortunately it is completely unclear how this could happen. Are there any ideas/suggestions on this?
IP Address xx.xx.xx.xx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.
SpamHaus/the CBL is assisting the US Department of Justice (DOJ), Federal Bureau of Investigation (FBI), numerous other international law enforcement agencies and many private security organizations around the world in an operation to disrupt and mitigate the GOZ and cryptolocker botnets. This is not expected, by itself, to destroy these botnets. But it will disrupt them, and give people a chance to eradicate much of these infections.
This is the US Department of Justice Announcement and FBI Press Release. A similar alert has been published by the UK National Crime Agency (NCA).
The most important/up-to-date mitigation information is published by the US CERT.
ZeuSv3 takes advantage of P2P techniques by communicating with other nodes (=infected computers) on high ports (UDP and TCP).
How to find an infected computer behind a NAT
Please read the following section in its entirety.
NEW! The Gameover Zeus/Tovar project has set up a "lighthouse IP". The lighthouse IP has been set up to help administrators find the Gameover Zeus infection on NAT networks. The theory is simple: every time an infected PC attempts to connect to a Command&Control sinkhole (see below for a partial list), the infected PC will also send a UDP packet to IP address 72.52.116.52 on port 4643 (though we suggest logging all ports). By configuring that address into your firewall, you can log which local IP address is attempting to contact 72.52.116.52, and thereby find and remediate the infection.
If you are connected to us via a computer you believe may be infected, this link should help confirm your suspicion: Online Gameover Zeus Detector
REMEMBER Gameover Zeus DOES NOT communicate over port 25 at all. It has nothing to do with email. Do not waste your time fiddling around with port 25 firewall rules.
To find an infected computer on a NATted LAN you are searching for a local machine that is trying to make connections to a Zeus Command and Control (C&C) server on the Internet. These C&C servers have been taken over by our partners and they are giving us reports about which IPs are trying to talk to them. It is those IP addresses that are infected.
If you have full logs of your firewall activity at the time this occurred, you can look in the logs for the time/sinkhole IP and destination port information given below.
If you do not have full logs, you will need to set up a sniffer or firewall rules to catch and log attempts to talk to the C&C.
NEW Instructions:
In more difficult situations where you're unsuccessful with the above, you can configure your firewall or sniffer to watch for TCP/IP sessions going from your LAN to the Internet where the destination port number is above 1000. If you see a local IP address making lots of connections to different IPs on the internet on ports > 1000, you have probably identified the infected machine - this is the peer-to-peer communications that your zeus infection is attempting to other zeus infections.
The technique described in the previous paragraph will work best if your LAN is quiet, or you can disconnect your LAN from the Internet for a short period.
The report for your IP indicates connections from/to TCP/IP IP address 82.165.38.206 (the sinkhole server address) with a destination port 80, source port (for this detection) of 47784 at exactly 2016-01-12 10:14:38 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
See the paragraph below about Sinkhole IP addresses.
The above report may include some "n/a" - this means that our provider didn't make the information available to us. We are attempting to resolve this issue, but in the meantime we must make the best of the information we have. See the paragraph below about Sinkhole IP addresses.
When checking your logs remember that the source port changes every time a C&C attempt is made, so unless you have detailed firewall logs for the time the listing occurred, it's not worth looking for the source port.
One other way to find it, if you have your own DNS server and can configure it to log, you can check the logs for machines that are doing lookups of strange things. Gameover Zeus does lookups of very strange looking domains, like:
xbyycitohzwoxghaqubu.ru
dkvhnzdilfwhzizxczbqfydeus.ru
zlmfxgwgqdieahvsgtfylrcgufy.com
As you can see, it is a long string of gibberish, followed by a top level domain. ".ru" is very common, as are .co.uk and .biz or .info. Try scanning for a domain that's unlikely to be used much in your area (particularly .ru), and search for queries of gibberish names like this. The IP issuing the query will be the infected machine. Warning: in larger environments with multiple DNS servers, the IP address _may_ be from one of the other DNS servers.
Important note on Sinkhole IP addresses
A number of our data sources are having difficulties telling us the IP address of their sinkholes. Further, it is the nature of these botnets that they will be trying multiple sinkholes in sequence or in series, so if you concentrate on watching traffic for one sinkhole, you may miss the traffic to a different sinkhole. The list below is all of the Gameover Zeus and Cryptolocker sinkholes we know about, and when we last got a detection from them. It is suggested that you check traffic to all of these IP addresses, but, if you can only do one or two at a time, start at the top and work downwards.
The temptation will be great to simply firewall off these IPs and ignore the problem without getting rid of the infection. This is a bad idea:
This list is not complete and there are new sinkholes being created as well so you will get relisted anyway.
By about June 13, the GOZ and Cryptolocker botnet will change to a new set of C&Cs that are controlled by the criminals. You do not want these botnets on your network when that happens.
Sinkhole IP      Last seen (UTC)            Age (Minutes)
142.0.36.234     Wed Jun 4 22:00:00 2014    844755
However, any process or host sending/receiving large numbers of UDP or TCP packets on high ports should be looked at closely.
Zbot/Zeus is a banking trojan, and specializes in stealing personal information (passwords, account information, etc.) from interactions with banking sites through the use of "formgrabs". Zeus is also a common vector for downloading and controlling of Cutwail (email spambot) and Pushdo (DDoS).
Further (technical) information about this Trojan type can be obtained here:
fbi.gov - Malware Targets Bank Accounts
abuse.ch - FBI disrupts GameOver ZeuS and CryptoLocker Botnet
cert.pl - ZeuS P2P+DGA variant mapping out and understanding the threat
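As an added example (not from the CBL notice or the original post), here is a Python script that applies the two detection approaches the notice describes on a Linux gateway or host: it reads iptables LOG lines for contacts with the listed sinkhole and lighthouse addresses and for the many-peers-on-high-ports P2P pattern, and reads BIND query-log lines for lookups of long gibberish names like the ones quoted. The sample log lines, the LAN addresses, the "OUT-LOG:" log prefix, and the DGA thresholds are constructed assumptions; the sinkhole addresses are the ones quoted in the notice.

```python
# Added example (not from the CBL notice or the original post): scan two kinds of
# logs for the indicators the notice describes:
#   (a) iptables LOG lines for flows to the listed sinkhole IPs and for the
#       many-peers-on-high-ports P2P pattern,
#   (b) BIND query-log lines for lookups of long gibberish (DGA-style) names.
# The log lines below are constructed sample data; the "OUT-LOG:" prefix,
# host names and LAN addresses are assumptions, not values from the page.
import re
from collections import defaultdict

# Sinkhole/lighthouse addresses quoted in the notice.
SINKHOLE_IPS = {"82.165.38.206", "142.0.36.234", "72.52.116.52"}

# Fields of an iptables LOG line (netfilter kernel log); ICMP lines lack SPT/DPT and are skipped.
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

# BIND query log: "client 192.168.1.23#51234: query: name IN A + (192.168.1.1)"
DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

TWO_PART_TLD_LABELS = {"co", "com", "org", "net", "ac", "gov"}  # e.g. .co.uk


def parse_firewall_line(line):
    """Return a dict of src/dst/proto/spt/dpt for a LOG line, or None."""
    m = FW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def find_sinkhole_contacts(lines, sinkholes=SINKHOLE_IPS):
    """Flows whose destination is a known sinkhole; src identifies the infected host."""
    hits = []
    for line in lines:
        flow = parse_firewall_line(line)
        if flow and flow["dst"] in sinkholes:
            hits.append(flow)
    return hits


def high_port_fanout(lines, min_port=1000, min_peers=5):
    """Local hosts contacting many distinct remote IPs on ports above min_port."""
    peers = defaultdict(set)
    for line in lines:
        flow = parse_firewall_line(line)
        if flow and flow["dpt"] > min_port:
            peers[flow["src"]].add(flow["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def second_level_label(name):
    """The registered label of a name, treating e.g. .co.uk as a two-part TLD."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and labels[-2] in TWO_PART_TLD_LABELS:
        return labels[-3]
    return labels[-2]


def looks_like_dga(name, min_len=18, max_vowel_ratio=0.35):
    """Heuristic for the notice's examples: a long registered label with few vowels.
    Thresholds are assumptions; tune them against your own query logs."""
    sld = second_level_label(name)
    if sld is None or len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return vowels / len(sld) <= max_vowel_ratio


def find_dga_queries(lines):
    """Map client IP -> list of suspicious names it looked up."""
    by_client = defaultdict(list)
    for line in lines:
        m = DNS_RE.search(line)
        if m and looks_like_dga(m["name"]):
            by_client[m["ip"]].append(m["name"])
    return dict(by_client)


# Constructed sample logs: 192.168.1.23 plays the infected LAN host.
FW_LINES = [
    "Jan 12 10:14:38 gw kernel: OUT-LOG: IN= OUT=eth0 SRC=192.168.1.23 DST=82.165.38.206 LEN=60 TTL=64 PROTO=TCP SPT=47784 DPT=80 SYN",
    "Jan 12 10:14:38 gw kernel: OUT-LOG: IN= OUT=eth0 SRC=192.168.1.23 DST=72.52.116.52 LEN=48 TTL=64 PROTO=UDP SPT=40011 DPT=4643 LEN=28",
] + [
    f"Jan 12 10:15:0{i} gw kernel: OUT-LOG: IN= OUT=eth0 SRC=192.168.1.23 DST=198.51.100.{i} LEN=60 TTL=64 PROTO=TCP SPT=4{i}000 DPT=1{i}234 SYN"
    for i in range(1, 6)
] + [
    "Jan 12 10:15:07 gw kernel: OUT-LOG: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=443 SYN",
    "Jan 12 10:15:08 gw kernel: OUT-LOG: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0",
]
DNS_LINES = [
    "12-Jan-2016 10:14:30.101 client 192.168.1.23#51234: query: xbyycitohzwoxghaqubu.ru IN A + (192.168.1.1)",
    "12-Jan-2016 10:14:31.204 client 192.168.1.23#51240: query: dkvhnzdilfwhzizxczbqfydeus.ru IN A + (192.168.1.1)",
    "12-Jan-2016 10:14:32.317 client 192.168.1.10#51001: query: packages.debian.org IN A + (192.168.1.1)",
    "12-Jan-2016 10:14:33.420 client 192.168.1.10#51002: query: www.google.co.uk IN A + (192.168.1.1)",
    "12-Jan-2016 10:14:34.533 client 192.168.1.23#51250: query: zlmfxgwgqdieahvsgtfylrcgufy.com IN A + (192.168.1.1)",
]

if __name__ == "__main__":
    for flow in find_sinkhole_contacts(FW_LINES):
        print("sinkhole contact:", flow)
    print("high-port fan-out:", high_port_fanout(FW_LINES))
    print("DGA-style lookups:", find_dga_queries(DNS_LINES))
```

On a real system, feed it the kernel log of an iptables rule such as one that logs new outbound connections (the notice's suggestion of logging all traffic to the sinkhole list and to 72.52.116.52) and BIND's query log; the source port will differ on every attempt, as the notice says, so match on destination address, port and time rather than on the listed source port. The vowel-ratio heuristic is deliberately simple and will produce some false positives on long legitimate names, so treat a hit as a host to inspect, not as proof of infection.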