Monday, January 28, 2013

Finding Zeus P2P on Your Network

Last week a client got a nasty surprise when their Internet access was blocked by their ISP because the Zeus P2P virus had been detected from their IP address. Because all computers share the same IP address through NAT (network address translation), all of the computers were blocked.

All of the computers at this site have up to date commercial antivirus software. But obviously Zeus P2P got past it. I'm noticing that this is becoming quite common. We see viruses getting in all the time through web pages, links in spam messages, and attachments to spam messages.

After doing some research, it turns out that Zeus P2P typically communicates with UDP ports 10,000 and up. The best way to find specific network traffic is by using a packet sniffer. However, you can't use a packet sniffer effectively on switched networks unless your switch has a basic level of management capabilities and supports port mirroring.

I configured the switch for this company to mirror traffic from the port that the DSL modem was attached to another port that was connect to my laptop. On my laptop, I started Wireshark. I initially tried using Microsoft Network Monitor, but it wasn't capturing traffic in promiscuous mode. Promiscuous mode is required to see packets from computers other than the computer that the packet sniffer is running on.

After running Wireshark, I saw the offending network traffic almost immediately. You can see that a single UDP packet comes in and then the infected computer sends outbound traffic to many other computers via UDP. I assume the first packet contains the list computers to contact, but I think the content of the packets is encrypted in some way and the data in the packet is not immediately understandable.


The virus was loading in the user profile and was removed by Malwarebytes Antimalware. Just to be safe, I took the drive offline and scanned it externally. This found several java downloaders which were also removed.

After several days of monitoring I think we are all good and this was the only instance.

More information about the Zeus P2P virus:
UPDATE
There is a web page that shows you the command and control computers that ZEUS connects to. You can use this information to configure blocking on your firewall or proxy and monitor attempted communication to the ZEUS command and control servers. If you see the computer that is making the attempt, you've found your infected computer.
UPDATE 2
Had another client with a similar issue yesterday. The ISP indicated is was ZEUS P2P, but it was not using high UDP ports. The firewall showed the PC doing a lot of connectivity on UDP port 53. This may be an attempt to disguise the traffic to look like DNS lookups. Also, in this case, MalwareBytes did not completely remove it. We ended up wiping the PC.

1 comment:

  1. Very useful blog post. Thank You. Our customer had a similar issue as well however Wireshark picked up a lot of http connections.

    ReplyDelete