Support Forum
Dyop_Geop
New Contributor

IP infected with Conficker A or Conficker B botnet as stated by spamhaus.org

We have a fortigate 100D setup. All LAN Traffic are with Antivirus, Webfilter, App Ctrl, IPS, email filter enabled. The public ip address is always being listed in spamhaus.org.
"X.X.X.20 is listed in the XBL, because it appears in: CBL"
"IP Address X.X.X.20 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-06-16 00:00 GMT (+/- 30 minutes), approximately 2 hours ago. It has been relisted following a previous removal at 2014-06-13 14:18 GMT (2 days, 12 hours, 2 minutes ago). This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet."
For some reason the antivirus/IPS are not detecting the conficker virus. What else to do please?
Dyop_Geop
New Contributor

Please see additional screenshots from spamhaus.org
Dave_Hall
Honored Contributor

For some reason the antivirus/IPS are not detecting the conficker virus.
This really doesn't tell us much in the way of what firmware you are running on the 100D nor what actual signatures are selected. I'm not in front of a FGT device to confirm, but I recall under 5.0.x firmware you need to enable the block connections to botnet servers under the various UTM profiles. Under 4.0 MR3 (and 5.0.x) botnet detection is enabled under application control -- create a new app sensor that blocks botnet. Use the search link (at the top of this page) -- we recently had a similar discussion on conficker, including basically just blocking the ports used by it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Dyop_Geop
New Contributor

Hi Sir Dave, thanks for the reply. Please see attached pictures to know if these can answer your questions. I've already searched the topics in the forums and can't find a viable solution.
Dyop_Geop
New Contributor

pic2 Do i have to block all these botnet from application control?
Dyop_Geop
New Contributor

pic3
ede_pfau
Esteemed Contributor III

Just to give you a second opinion: 1 - upgrade to 5.0.7 ASAP! You're running 5.0 GA which is full of glitches, and worst of all, features the Heartbleed bug. 2 - Yes, specify all botnet signatures (kind of) in that category. I noticed you didn't enable the Risk column. Just enable all these options and watch the AppControl log. 3 - Is this UTM profile applied to the correct policy? 'internal' -> 'WAN' for all traffic that might be used for a botnet: HTTP(S), DNS (!) Especially DNS can be used to tunnel traffic out. I've got an additional AppControl sensor applied to DNS-only traffic to stop tunneling (after I saw gigabytes crossing that DNS-only policy!!).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Dyop_Geop

Hi ede_pfau, thanks for your time in replying to my problem. 1. First, this is the firmware version that I installed, FGT_100D-v500-build4429-FORTINET. Isn't this the latest firmware for v5.0 as seen in https://support.fortinet.com/Download/FirmwareImages.aspx ? 2. I believe the risk column that you saw that isn't checked is a filter for the applications. If I check that, the shown botnets are still the same. 3. Yep, this UTM Profile is applied to LAN>WAN policy, with services set to ALL.
rwpatterson
Valued Contributor III

A quick aside:
ORIGINAL: ede_pfau ... (after I saw gigabytes crossing that DNS-only policy!!).
If your DNS policy source is only your DNS servers, then this may not be so large an issue, UNLESS your DNS servers were compromised... If you don't run your own internal DNS, then this is something to keep an eye on for sure.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

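Both ede_pfau's observation (gigabytes crossing a DNS-only policy) and Bob's follow-up (the DNS policy source should be limited to your own resolvers, and anything else talking DNS outbound deserves a look) come down to one check: which internal hosts send DNS to the outside, and how much. The script below is an added example, not code from the thread or from Fortinet. It parses constructed key=value log lines modelled loosely on FortiGate traffic-log records (the field names `srcip`, `dstport`, `sentbyte`, `rcvdbyte` and `service` are assumptions for this example), sums DNS bytes per source host, and flags any host that is not an approved resolver or that exceeds a byte threshold. The threshold and the resolver list are placeholders you would tune to your own network.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real FortiGate output).
# Field names are assumed to resemble FortiOS traffic-log key=value records.
SAMPLE_LOGS = """\
date=2014-06-16 time=01:02:03 type=traffic subtype=forward srcip=192.168.1.10 dstip=8.8.8.8 dstport=53 proto=17 service="DNS" sentbyte=120 rcvdbyte=240
date=2014-06-16 time=01:02:04 type=traffic subtype=forward srcip=192.168.1.10 dstip=8.8.8.8 dstport=53 proto=17 service="DNS" sentbyte=150 rcvdbyte=300
date=2014-06-16 time=01:02:05 type=traffic subtype=forward srcip=192.168.1.77 dstip=203.0.113.9 dstport=53 proto=17 service="DNS" sentbyte=48000 rcvdbyte=52000
date=2014-06-16 time=01:02:06 type=traffic subtype=forward srcip=192.168.1.77 dstip=203.0.113.9 dstport=53 proto=17 service="DNS" sentbyte=61000 rcvdbyte=70000
date=2014-06-16 time=01:02:07 type=traffic subtype=forward srcip=192.168.1.20 dstip=93.184.216.34 dstport=443 proto=6 service="HTTPS" sentbyte=900000 rcvdbyte=3000000
date=2014-06-16 time=01:02:08 type=traffic subtype=forward srcip=192.168.1.77 dstip=8.8.4.4 dstport=53 proto=17 service="DNS" sentbyte=200 rcvdbyte=400
"""

# key=value pairs; values may be quoted (service="DNS") or bare (dstport=53).
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def dns_volume_by_source(log_text):
    """Return {srcip: (total DNS bytes, flow count)} for flows to port 53."""
    totals = defaultdict(lambda: [0, 0])
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not fields or fields.get("dstport") != "53":
            continue
        nbytes = int(fields.get("sentbyte", 0)) + int(fields.get("rcvdbyte", 0))
        totals[fields["srcip"]][0] += nbytes
        totals[fields["srcip"]][1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def flag_dns_hogs(log_text, allowed_resolvers, byte_threshold=100_000):
    """Flag hosts that send DNS outbound without being an approved resolver,
    or that move more DNS bytes than byte_threshold (tunnelling heuristic).
    Returns a sorted list of (srcip, [reasons])."""
    findings = []
    for ip, (nbytes, flows) in sorted(dns_volume_by_source(log_text).items()):
        reasons = []
        if ip not in allowed_resolvers:
            reasons.append("not an approved internal resolver")
        if nbytes > byte_threshold:
            reasons.append(
                f"{nbytes} DNS bytes over {flows} flows (threshold {byte_threshold})"
            )
        if reasons:
            findings.append((ip, reasons))
    return findings


if __name__ == "__main__":
    # Placeholder: replace with the addresses of your own internal DNS servers.
    APPROVED_RESOLVERS = {"192.168.1.10"}
    for ip, reasons in flag_dns_hogs(SAMPLE_LOGS, APPROVED_RESOLVERS):
        print(f"{ip}: " + "; ".join(reasons))
```

Run against the constructed sample, only 192.168.1.77 is reported: it is not the approved resolver and it moved roughly 230 KB of DNS in three flows, while the approved resolver at 192.168.1.10 stays quiet and the HTTPS flow from 192.168.1.20 is ignored entirely. On a real FortiGate you would feed this the traffic log for the DNS-only policy ede_pfau describes; the byte threshold is the part that needs tuning against your normal resolver volume.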
Dave_Hall
Honored Contributor

Do i have to block all these botnet from application control?
Pretty much, though your screenshot shows you setting the action to monitor, which you do not want. Set it to block.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
