topic Re: Suspicious DNS Query - conficker in General Topics

Suspicious DNS Query - conficker

${userLoginName} — Sat, 21 Sep 2013 19:26:55 GMT

Hey,

Is there a way for not letting conficker fill up the threat logs? Or an easy way to filter them out? I have 1000+ logs from 1 host on just a few hours and it is getting hard to see the other threats... Even in the ACC, I get a list full of conficker, nothing else. This is caused by every conficker URL being identified as a different threat ID.

Kind regards,

Bob

Re: Suspicious DNS Query - conficker

shasnain — Sat, 21 Sep 2013 20:23:49 GMT

Hi,

You can use the anti-spyware profile and add the exception for DNS queries not to be populated in the threat logs by choosing the action allow.

Associate the profile to the rule which the traffic is hitting.

Thanks,

Syed R Hasnain

Re: Suspicious DNS Query - conficker

${userLoginName} — Sat, 21 Sep 2013 21:23:53 GMT

So I would need to create a new rule above the one that allows it at the moment with source IP the infected clients (otherwise I would not know when other clients have it)?

Also, the conficker threat has a lot of threat ID's, so setting all DNS queries to all would make other threats not show up in the logs?

Re: Suspicious DNS Query - conficker

HULK — Sat, 21 Sep 2013 22:27:15 GMT

Hello,

Yes, you need to create a new rule above the one that allows it currently in order to apply the anti-spyware profile .

Below mentioned discussion may help you

Suspicious DNS Query - how to find source computer?

Thanks

Re: Suspicious DNS Query - conficker

shasnain — Sun, 22 Sep 2013 00:00:18 GMT

Hi,

You can use individual threat IDS and add them in the exception and set the action for them as allow as shown above in the snap shot..So in this way you will not be doing for all the threats but just for some individuals not to be populated in the threat logs.

Thanks,

Syed R Hasnain

Re: Suspicious DNS Query - conficker

${userLoginName} — Fri, 27 Sep 2013 05:59:22 GMT

Using individual threat ID'is is not an option I believe, since conficker seems to have a lot of different threat ID's. I was trying to filter them out of my threat logs but after removing 20-30 of them, there were still a lot more that needed to be filtered out.

It seems there is no reasonable way to "group" the conficker threat and filter it out.

Since conficker uses a generic url and PA creates a different ID for each of them, the exception list would grow rapidly every day. I am not sure about this, but it seems logical.

Re: Suspicious DNS Query - conficker

gafrol — Fri, 27 Sep 2013 14:42:57 GMT

Hmmm, sorry, but disconnecting the affected system from the network and cleaning it is what I would consider the right approach..... And as a side effect the log entries will go away....

We are talking IT security right 🙂 ?

Re: Suspicious DNS Query - conficker

${userLoginName} — Mon, 30 Sep 2013 07:04:29 GMT

This was indeed the first thing that came to my mind, but in our case, hosts in the guest network are not controlled by our IT team.

Re: Suspicious DNS Query - conficker

gafrol — Mon, 30 Sep 2013 09:23:47 GMT

Just for clarification. You are not responsible for the guest network, but the traffic from the guest network is traversing your firewall ?

I would never allow a guest which is malware infected to use my network or traverse my firewall.

Re: Suspicious DNS Query - conficker

${userLoginName} — Mon, 30 Sep 2013 10:17:28 GMT

The traffic is in an isolated vlan which can only access the internet, not other internal subnets. A strict policy is in place to ensure this. I see no reason why this network should not be behind the main firewall.

Re: Suspicious DNS Query - conficker

mikand — Mon, 30 Sep 2013 10:22:07 GMT

Of course you should filter these clients aswell but one reason (to use a dedicated firewall for these clients that is) is to avoid a DDoS situation (from an infected client connected to this guest network).

Re: Suspicious DNS Query - conficker

ericgearhart — Mon, 30 Sep 2013 13:26:15 GMT

gafrol: you have no idea where he works or what kind of network he's on. This is a common thing at universities, for example. The IT team isn't allowed to ride in on their high horse and grab a laptop, the most they can do is advise a student that they're infected.

Re: Suspicious DNS Query - conficker

gafrol — Mon, 30 Sep 2013 13:58:44 GMT

Even if it's a university, what could be against blocking malware traffic at the firewall level ?

I have made first hand experience with a university in Europe being disconnected from their Internet Link by the provider due to outbound malware traffic coming from the universities IP's....

Re: Suspicious DNS Query - conficker

Kali — Thu, 03 Oct 2013 03:02:18 GMT

I had this issue a year ago and it was a pain to see logs filled with conficker. The way i resolved this matter is by blocking .dll files. After i did that i haven't seen any conficker on my logs.