Some months ago, Fortinet published a new list of Botnets Applications supported.

Frequently, more and more infected hosts are including in Botnets Networks. Fortinet has developed a new application's signatures in order to trying to avoid that the infected PCs (called Zombies) contact with the Command & Control Server.

Today, this is the known botnet list by Fortigate:

Agobot.Phatbot, Asprox, BlackEnergy, Bredolab, CMultiLoader, Chapro, Citadel, Cridex, DHL, Danmec.Asprox, Darkness, Dexter, DirtJumper , DistTrack, Duqu, ET, Eleonore.Web.Exploit, FakeSkype, Festi, Flame, Gbot, Gootkit, Gozi, Gumblar, Hiloti, IRC, Illusion, Imrabot, Jeefosance , Katusha, Koobface, LOIC, LOIC.IRC, Lethic , LoL, MacOS.Flashback, MachBot, Mariposa, MoneyBack, Morto, Murofet.CC, Night.Dragon, Pbbot, Phatbot , Pushdo, Qakbot, Ramnit, SDBot , SSHDkit Botnet, Sasfis, Sisron, Smoke, SpyEye, Storm.Krackin, Storm.Worm, T3C4I3, Tedroo, Torpig.Mebroot, Ursnif, VBCF, VertexNet, Vilsel, Virut, Vundo, Waledac, Webwail.Audio.Captcha, Yahoo.Messenger.Worm, Zeroaccess, Zeus

How can we avoid that with Fortigate Firewalls?

First of all, you need to create an Application Sensor in UTM Profiles. We named the Sensor "Botnet":




You can select other applications, in this case, only we've selected Category Botnet and anction Block.




Then, It's must apply this sensor in the general rule. For example:


Now, you are denying callbacks sessions to a C&C Servers.

If one of your computers are infected, you could see the firewalls logs.




Comparing Fortigate logs and Snort IDS logs, I can tell you that Fortigate only detect the 10% of Zombies in our networks than Snort IDS can do. Every day, the number of infected PCs detected by Fortigate Firewalls is higher, but at the moment, it's lower than everybody wants...

You can trace the evolution of Botnets detections by Fortigate by clicking here: http://www.fortiguard.com/botnet/