Saturday, December 22, 2012

QRadar detecting ZeroAccess Trojan

Many of my co-workers have been witness to my recent love affair with QRadar.  It's an easy to use, yet powerful SIEM that allows a security team to operate very efficiently.  When I first started using it my hope was to detect possible hacking attempts into the system.  I envisioned seeing probes coming from the Internet to our systems, attempted logins, and possibly exploits.  While I did see all this, QRadar pointed out much more just by simply examining our firewall logs.

My general rule for configuring firewall logs is to log every connection and every event.  While this may seem to be overkill for some, experience has shown me over and over again that this level of logging proves invaluable.  How many times have I been able to answer the questions of application or system administrators regarding why something is not working.  "Let me check the firewall logs", "Yes, I can see that traffic going through, but I don't see any return traffic", "Must be a connection blocked on their firewall", "Oh, we didn't have a rule for that", etc, etc.

With this level of detail being given to QRadar it was able to do what it does best, correlate and alert on possible threats.  I was interested to see a couple of workstations that were trying to establish connections to what seemed to be random hosts on the Internet.  Furthermore, it seemed to be attempting connections to just certain UDP ports, namely 16471. I was able to get hold of one of these workstations and track down what process was using these ports.  It seemed to be the explorer.exe process.

A simple Google of "16471 and explorer.exe" turned up several sites that discussed the ZeroAccess trojan.  One of the more helpful sites was Kindsight.  The research material mentions the malware sends out packets that are 16 bytes in size, and filled with encrypted data.  A packet capture confirmed that this is what was happening.  

We had a difficult time actually finding the infection files on each computer.  The location of the malware was very random.  Symantec had some recommendations, as did other sites, but we found cleaning the infection to be difficult in some cases.  McAfee system would sometimes catch it and prevent or clean the infection, and in some cases not.  Sophos had some success, while Spybot Search and Destroy was ineffective.  We were never able to determine why certain systems would be impossible to clean, and required the "nuke from orbit" response to rid the system of the infection.

In the end, we were able to clean all our infected workstations.  We wrote a rule in QRadar to send an alert every time the telltale traffic was seen, and an email automatically alerted our friends in Helpdesk.  Thanks to QRadar we were able to detect a piece of malware that nothing else was catching.

No comments: