Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dyop_Geop
New Contributor

Created on ‎06-15-2014 07:29 PM

IP infected with Conficker A or Conficker B botnet as stated by spamhaus.org

We have a fortigate 100D setup. All LAN Traffic are with Antivirus, Webfilter, App Ctrl, IPS, email filter enabled. The public ip address is always being listed in spamhaus.org.
" X.X.X.20 is listed in the XBL, because it appears in: CBL"
" IP Address X.X.X.20 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-06-16 00:00 GMT (+/- 30 minutes), approximately 2 hours ago. It has been relisted following a previous removal at 2014-06-13 14:18 GMT (2 days, 12 hours, 2 minutes ago) This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet."
For some reason the antivirus/IPS are not detecting the conficker virus. What else to do please?
Preview file
148 KB
13122
0 Kudos
18 REPLIES 18
Dyop_Geop
New Contributor

Created on ‎06-15-2014 07:30 PM

Please see additional screenshots from spamhaus.org
Preview file
125 KB
4237
0 Kudos
Dave_Hall
Honored Contributor

Created on ‎06-16-2014 04:05 AM

For some reason the antivirus/IPS are not detecting the conficker virus.
This really doesn' t tell us much in the way of what firmware you are running on the 100D nor what actual signatures are selected. Not in front of a fgt device to confirm, but I recall under 5.0.x firmware you need to enable the block connections to botnet servers under the various UTM profiles. Under 4.0. MR3 (and 5.0.x) botnet detection is enabled under application control -- create a new app sensor that blocks botnet. Use the search link (at the top of this page) -- we recently had a similar discussion on conficker, including basically just blocking the ports used by it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
4238
0 Kudos
Dyop_Geop
New Contributor

Created on ‎06-19-2014 12:41 AM

Hi Sir Dave, Thanks for the reply. please see attached pictures to know if these can answer your questions. I' ve already searched the topics in the forums and can' t find a viable solution.
Preview file
40 KB
4238
0 Kudos
Dyop_Geop
New Contributor

Created on ‎06-19-2014 12:42 AM

pic2 Do i have to block all these botnet from application control?
Preview file
105 KB
4238
0 Kudos
Dyop_Geop
New Contributor

Created on ‎06-19-2014 12:43 AM

pic3
Preview file
36 KB
4238
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎06-19-2014 03:52 AM

Just to give you a second opinion: 1 - upgrade to 5.0.7 ASAP! You' re running 5.0 GA which is full of glitches, and worst of all, features the Heartbleed bug. 2 - Yes, specify all botnet signatures (kind of) in that category. I noticed you didn' t enable the Risk column. Just enable all these options and watch the AppControl log. 3 - this UTM profile is applied to the correct policy? ' internal' -> ' WAN' for all traffic that might be used for a botnet: HTTP(S), DNS (!) Especially DNS can be used to tunnel traffic out. I' ve got an additional AppControl sensor applied to DNS-only traffic to stop tunneling (after I saw gigabytes crossing that DNS-only policy!!).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4238
0 Kudos
Dyop_Geop
New Contributor
In response to ede_pfau

Created on ‎06-19-2014 10:26 PM

Hi ede_pfau, thanks for your time in replying to my problem. 1. First, this is the firmware version that I installed, FGT_100D-v500-build4429-FORTINET Isn' t this the latest firmware for v5.0 as seen in https://support.fortinet.com/Download/FirmwareImages.aspx ? 2. I believe the risk column that you saw that isn' t checked is a filter for the applications. If i checked that, the shown botnets are still the same. 3. yep, this UTM Profile is applied to LAN>WAN policy, with services set to ALL.
4238
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎06-20-2014 03:43 AM

An quick aside:
ORIGINAL: ede_pfau ... (after I saw gigabytes crossing that DNS-only policy!!).
If your DNS policy source is only your DNS servers, then this may not be so large an issue, UNLESS your DNS servers were compromised... If you don' t run your own internal DNS, then this is something to keep an eye on for sure.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
4238
0 Kudos
Dave_Hall
Honored Contributor

Created on ‎06-19-2014 03:56 AM

Do i have to block all these botnet from application control?
Pretty much, though your screenshot shows you setting the action to monitor, which you do not want. Set it to block.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
4238
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.