Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dyop_Geop
New Contributor

IP infected with Conficker A or Conficker B botnet as stated by spamhaus.org

We have a fortigate 100D setup. All LAN Traffic are with Antivirus, Webfilter, App Ctrl, IPS, email filter enabled. The public ip address is always being listed in spamhaus.org.
" X.X.X.20 is listed in the XBL, because it appears in: CBL"
" IP Address X.X.X.20 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-06-16 00:00 GMT (+/- 30 minutes), approximately 2 hours ago. It has been relisted following a previous removal at 2014-06-13 14:18 GMT (2 days, 12 hours, 2 minutes ago) This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet."
For some reason the antivirus/IPS are not detecting the conficker virus. What else to do please?
18 REPLIES 18
Dyop_Geop
New Contributor

Please see additional screenshots from spamhaus.org
Dave_Hall
Honored Contributor

For some reason the antivirus/IPS are not detecting the conficker virus.
This really doesn' t tell us much in the way of what firmware you are running on the 100D nor what actual signatures are selected. Not in front of a fgt device to confirm, but I recall under 5.0.x firmware you need to enable the block connections to botnet servers under the various UTM profiles. Under 4.0. MR3 (and 5.0.x) botnet detection is enabled under application control -- create a new app sensor that blocks botnet. Use the search link (at the top of this page) -- we recently had a similar discussion on conficker, including basically just blocking the ports used by it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dyop_Geop
New Contributor

Hi Sir Dave, Thanks for the reply. please see attached pictures to know if these can answer your questions. I' ve already searched the topics in the forums and can' t find a viable solution.
Dyop_Geop
New Contributor

pic2 Do i have to block all these botnet from application control?
Dyop_Geop
New Contributor

pic3
ede_pfau
SuperUser
SuperUser

Just to give you a second opinion: 1 - upgrade to 5.0.7 ASAP! You' re running 5.0 GA which is full of glitches, and worst of all, features the Heartbleed bug. 2 - Yes, specify all botnet signatures (kind of) in that category. I noticed you didn' t enable the Risk column. Just enable all these options and watch the AppControl log. 3 - this UTM profile is applied to the correct policy? ' internal' -> ' WAN' for all traffic that might be used for a botnet: HTTP(S), DNS (!) Especially DNS can be used to tunnel traffic out. I' ve got an additional AppControl sensor applied to DNS-only traffic to stop tunneling (after I saw gigabytes crossing that DNS-only policy!!).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Dyop_Geop

Hi ede_pfau, thanks for your time in replying to my problem. 1. First, this is the firmware version that I installed, FGT_100D-v500-build4429-FORTINET Isn' t this the latest firmware for v5.0 as seen in https://support.fortinet.com/Download/FirmwareImages.aspx ? 2. I believe the risk column that you saw that isn' t checked is a filter for the applications. If i checked that, the shown botnets are still the same. 3. yep, this UTM Profile is applied to LAN>WAN policy, with services set to ALL.
rwpatterson
Valued Contributor III

An quick aside:
ORIGINAL: ede_pfau ... (after I saw gigabytes crossing that DNS-only policy!!).
If your DNS policy source is only your DNS servers, then this may not be so large an issue, UNLESS your DNS servers were compromised... If you don' t run your own internal DNS, then this is something to keep an eye on for sure.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Dave_Hall
Honored Contributor

Do i have to block all these botnet from application control?
Pretty much, though your screenshot shows you setting the action to monitor, which you do not want. Set it to block.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors