Monday, January 28, 2013

Finding Zeus P2P on Your Network

Last week a client got a nasty surprise when their Internet access was blocked by their ISP because the Zeus P2P virus had been detected from their IP address. Because all computers share the same IP address through NAT (network address translation), all of the computers were blocked.

All of the computers at this site have up-to-date commercial antivirus software, but Zeus P2P obviously got past it. I'm noticing that this is becoming quite common. We see viruses getting in all the time through web pages, links in spam messages, and attachments to spam messages.

After doing some research, it turns out that Zeus P2P typically communicates with UDP ports 10,000 and up. The best way to find specific network traffic is by using a packet sniffer. However, you can't use a packet sniffer effectively on switched networks unless your switch has a basic level of management capabilities and supports port mirroring.

I configured the switch for this company to mirror traffic from the port that the DSL modem was attached to onto another port that was connected to my laptop. On my laptop, I started Wireshark. I initially tried using Microsoft Network Monitor, but it wasn't capturing traffic in promiscuous mode. Promiscuous mode is required to see packets from computers other than the one the packet sniffer is running on.

After running Wireshark, I saw the offending network traffic almost immediately. In the capture, a single UDP packet comes in and then the infected computer sends outbound traffic to many other computers via UDP. I assume the first packet contains the list of computers to contact, but I think the content of the packets is encrypted in some way, and the data in the packet is not immediately understandable.


The virus was loading from the user profile and was removed by Malwarebytes Anti-Malware. Just to be safe, I took the drive offline and scanned it externally. This found several Java downloaders, which were also removed.

After several days of monitoring I think we are all good and this was the only instance.

More information about the Zeus P2P virus:

UPDATE

There is a web page that shows you the command and control computers that ZEUS connects to. You can use this information to configure blocking on your firewall or proxy and monitor attempted communication to the ZEUS command and control servers. If you see the computer that is making the attempt, you've found your infected computer.

UPDATE 2

Had another client with a similar issue yesterday. The ISP indicated it was ZEUS P2P, but it was not using high UDP ports. The firewall showed the PC doing a lot of connectivity on UDP port 53. This may be an attempt to disguise the traffic to look like DNS lookups. Also, in this case, MalwareBytes did not completely remove it. We ended up wiping the PC.
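The two traffic patterns described in this post (a host fanning out over UDP to many peers on ports 10,000 and up, and, in UPDATE 2, a host sending UDP port 53 traffic to many destinations that are not its DNS servers) can both be found in firewall or flow logs without staring at a packet capture. The script below is an added example, not part of the original post and not a tool from Wireshark or any vendor. It assumes a simple space-separated flow record format (`src_ip src_port dst_ip dst_port proto`), a constructed sample log, and an assumed list of legitimate resolvers; the thresholds are illustrative and should be tuned to the network.

```python
"""Flag hosts whose UDP traffic matches the Zeus P2P patterns described above.

Added example: reads constructed firewall-style flow records and reports
  1. hosts talking UDP to many distinct peers on high ports (>= 10000), and
  2. hosts sending UDP/53 to many distinct destinations that are not the
     network's real DNS resolvers (the "disguised as DNS" case).
"""
from collections import defaultdict

# Constructed sample flow records (not real captured data).
# Format: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
# 192.168.1.20 - fan-out to many high UDP ports (Zeus P2P style)
192.168.1.20 49152 203.0.113.5 10050 udp
192.168.1.20 49152 203.0.113.77 11342 udp
192.168.1.20 49152 198.51.100.7 12345 udp
192.168.1.20 49152 198.51.100.9 19876 udp
192.168.1.20 49152 203.0.113.120 20444 udp
192.168.1.20 49152 198.51.100.200 31000 udp
# 192.168.1.35 - UDP/53 to many hosts that are not our resolvers
192.168.1.35 53012 203.0.113.15 53 udp
192.168.1.35 53012 203.0.113.16 53 udp
192.168.1.35 53012 198.51.100.40 53 udp
192.168.1.35 53012 198.51.100.41 53 udp
192.168.1.35 53012 203.0.113.99 53 udp
192.168.1.35 53012 192.168.1.1 53 udp
# 192.168.1.50 - normal: DNS to real resolvers, HTTPS, one stray high port
192.168.1.50 55001 192.168.1.1 53 udp
192.168.1.50 55002 8.8.8.8 53 udp
192.168.1.50 50123 203.0.113.50 443 tcp
192.168.1.50 50124 198.51.100.60 10001 udp
"""

# Assumed legitimate DNS servers for this network (placeholder values).
ALLOWED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}
HIGH_PORT_MIN = 10000     # "UDP ports 10,000 and up" from the post
PEER_THRESHOLD = 5        # illustrative; tune to the size of the network


def parse_flows(text):
    """Parse flow records into (src, sport, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto = line.split()
        flows.append((src, int(sport), dst, int(dport), proto.lower()))
    return flows


def find_suspects(flows, resolvers=ALLOWED_RESOLVERS,
                  high_port_min=HIGH_PORT_MIN, threshold=PEER_THRESHOLD):
    """Return (src_ip, pattern, distinct_peer_count) for hosts over threshold."""
    high_peers = defaultdict(set)   # src -> distinct dsts on high UDP ports
    dns_peers = defaultdict(set)    # src -> distinct non-resolver dsts on UDP/53
    for src, _sport, dst, dport, proto in flows:
        if proto != "udp":
            continue
        if dport >= high_port_min:
            high_peers[src].add(dst)
        elif dport == 53 and dst not in resolvers:
            dns_peers[src].add(dst)

    findings = []
    for src, peers in sorted(high_peers.items()):
        if len(peers) >= threshold:
            findings.append((src, "udp-high-port-fanout", len(peers)))
    for src, peers in sorted(dns_peers.items()):
        if len(peers) >= threshold:
            findings.append((src, "udp53-to-non-resolvers", len(peers)))
    return findings


if __name__ == "__main__":
    for src, pattern, count in find_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{src}: {pattern} ({count} distinct peers)")
```

Counting distinct destinations per source, rather than raw packet counts, is what separates a peer-to-peer bot from a busy but legitimate host: a normal PC talks UDP/53 to one or two resolvers, and an infected one talks to dozens of unrelated addresses. Once a source is flagged, the post's advice applies: that source IP is the machine to pull from the network and clean.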

Monday, January 21, 2013

Goodbye Forefront

I've not been a big user of the Microsoft Forefront products. I've tended to use competing products either in software for antispam/antivirus or hardware for firewalling/reverse proxy. However, Forefront Protection for Exchange seemed to get a fair amount of traction with people that implemented Exchange Edge Transport servers.

In September, Microsoft announced that many of the Forefront products are being discontinued. As of December 1, 2012, most cannot even be purchased anymore.

See the official announcement here:
See an explanation from a former employee here:
So, if you were using some of these products, where do you go from here?

  1. Forefront Protection for Exchange. If you are comfortable outsourcing email scanning then you can use Forefront Online Protection for Exchange. The online service then becomes your SMTP relay instead of an Edge Transport server. Otherwise, you get a different on-premises antispam/antivirus solution.
  2. Forefront Threat Management Gateway. In some scenarios, Forefront TMG may be replaced by Forefront Unified Access Gateway (UAG). Forefront UAG is not being retired. If Forefront UAG is not suitable for you, then you need to find an alternative product. In many cases, your firewall vendor has similar functionality embedded in their product.
  3. Forefront Endpoint Protection. This product continues to exist but has been integrated into System Center 2012. You can now view and manage Endpoint Protection from within Configuration Manager.

Thursday, January 10, 2013

VDI Deployment Error About Virtual Switch

Today in class, we were testing out a virtual desktop infrastructure (VDI) deployment. Microsoft's VDI infrastructure is designed to allow users to have virtual desktops. Due to the constraints of our classroom environment, all of the computers were unplugged from the network. As a consequence, the external network in Hyper-V was not up. This resulted in the following error during the creation of a collection:
Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned
In our environment the computers all had the same external IP address and could not be reconnected to the network at the same time. The simplest short-term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete.

This is unlikely to be a concern in any real-life environment, because there the external NIC is connected at all times. However, it may occur in a test environment where you are trying to isolate from the production environment.