Thursday, January 3, 2013

Detecting ZeroAccess Trojan with QRadar

Here's a quick way to detect the ZeroAccess trojan with your SIEM. Look for any traffic originating from your internal network and going to the Internet with a destination port of 16461, 16464, 16465, 16470, or 16471. Below is an example of this rule in QRadar:

If you find that you're getting false positives, you can add a further condition so the rule only fires when this traffic is seen several times within a minute from the same source IP.
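The same two-stage logic (port match on internal-to-Internet traffic, then a per-source threshold per minute) as a stand-alone check over flow records, added here as an example and not taken from the post or from QRadar itself. The flow records are constructed for the example, and the RFC 1918 ranges standing in for "internal network" and the threshold of 3 are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Destination ports the post associates with ZeroAccess traffic.
ZEROACCESS_PORTS = {16461, 16464, 16465, 16470, 16471}

# Assumption: "internal network" means the RFC 1918 ranges; anything else is "Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real data): "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
2013-01-03T10:00:01 10.1.2.50 198.51.100.7 16464
2013-01-03T10:00:05 10.1.2.50 203.0.113.9 16471
2013-01-03T10:00:09 10.1.2.50 198.51.100.8 16465
2013-01-03T10:00:30 10.1.2.77 203.0.113.4 16470
2013-01-03T10:00:40 10.1.2.77 10.1.9.9 16464
2013-01-03T10:00:45 10.1.2.77 203.0.113.4 443
2013-01-03T10:01:10 10.1.2.50 198.51.100.7 16461
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def is_candidate(src, dst, dport):
    """Basic rule: internal source, external destination, port in the ZeroAccess set."""
    return is_internal(src) and not is_internal(dst) and dport in ZEROACCESS_PORTS

def match_flows(text):
    """Return every (timestamp, src, dst, dport) record matching the basic rule."""
    hits = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        if is_candidate(src, dst, int(dport)):
            hits.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return hits

def alert_sources(text, threshold=3):
    """Tighter variant from the post: alert on a source IP only when it matches the
    basic rule at least `threshold` times within the same clock minute."""
    counts = defaultdict(int)
    for ts, src, _dst, _dport in match_flows(text):
        counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return sorted({src for (src, _minute), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    print(alert_sources(SAMPLE_FLOWS))  # 10.1.2.77 is dropped by the threshold
```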