topic Advice blocking URl/ZIP in General Topics

Advice blocking URl/ZIP

SOC_CSG — Wed, 10 Dec 2014 08:31:41 GMT

Hi,

We are receiving the same emails,which last 28/11/14, infected our system with cryptoloker. These links come from different domains but have in common the following url

http://xxxxxxxx.xx/Billing/invoice.zip. How could we avoid that if someone clicks the link, not end infecting our systems?

any advice?????

thanks

Re: Advice blocking URl/ZIP

_slv_ — Wed, 10 Dec 2014 08:49:03 GMT

Hello COS

Do You have av/threat/WildFire protection applied on security rules that passing traffic to internet?

Have You latest updates applied? Cryptolocker is well known malware (but it's still changing its code). Did You create a support case for this false positive?

In my opinion You have to create data filtering if the filename is always "invoice.zip" I try to find examples in archiwum but I didn't find any examples how to get it.

I hope that someone give You examples.

Regards

Slawek

Re: Advice blocking URl/ZIP

SOC_CSG — Wed, 10 Dec 2014 08:55:08 GMT

we have only URL filtering license. We have updated the virus/threats signatures. We have thought add in block list (URL filtering profile) this line */invoce.zip

it would work?

Re: Advice blocking URl/ZIP

_slv_ — Wed, 10 Dec 2014 09:10:34 GMT

Did You read:

http://researchcenter.paloaltonetworks.com/2014/07/banking-security-best-practices-zeus-cryptolocker/

http://researchcenter.paloaltonetworks.com/2013/11/palo-alto-networks-can-stop-cryptolocker/

Please follow this documents carefully, Cryptolocker isnt a "simple" malware, so without additional licences I think that i will be hard to detect and stop them

Regards

Slawek

Re: Advice blocking URl/ZIP

SOC_CSG — Wed, 10 Dec 2014 09:14:28 GMT

which license is necessary to use FILE BLOCKING???

we have only URL FILTERING and THREAT PREVENTION licenses.

Re: Advice blocking URl/ZIP

_slv_ — Wed, 10 Dec 2014 10:35:14 GMT

According to Data Filtering and File Blocking - Palo Alto Networks and my understanding it using THREAT PREVENTION licenses

Regards

Slawek

Re: Advice blocking URl/ZIP

hvcomputech — Wed, 10 Dec 2014 18:23:55 GMT

Are you using a spam filter? May be blocking the incoming emails filtering by attachment or content may be a quicker solution.

Or create a data filtering profile for file type .zip, direction = download, with regex to match invoice.zip, and then apply it to your security policies. Note: I haven't tested this.

Larry

Re: Advice blocking URl/ZIP

mivaldi — Thu, 11 Dec 2014 01:22:54 GMT

Yet another option to help you prevent further infections...

http://xxxxxxxx.xx is most likely a shady domain.

You can respond the DNS Query with a Honeypot IP and do DNS Sinkhole, thus preventing the infection.

Check out:

https://live.paloaltonetworks.com/docs/DOC-6220

Re: Advice blocking URl/ZIP

SOC_CSG — Thu, 11 Dec 2014 07:18:04 GMT

Hello

The problem is the mail sender and the name of attached file within changes, this happened several weeks ago and I created a rule tu deny the source, but now the source is different and also the file name.

So data-filtering to deny incoming zip files with the regex "invoice.zip" won't be usefull in the future, and redirect the web page to a honeypot or sinkhole has the same problem, it changes in time.

I read the post from Slawek and could be usefull. I will kept you inform.

best regards

Gonzalo

Re: Advice blocking URl/ZIP

_slv_ — Thu, 11 Dec 2014 12:10:28 GMT

Hello

Two more docs:

Ensuring Optimum Protection for CryptoLocker and P2PZeus (GameOverZeus)

How to Deal with Conficker using DNS Sinkhole

I hope that will be helpfull for You

Regards

SLawek