Some months ago, Fortinet published a new list of Botnets Applications supported.
Frequently, more and more infected hosts are including in Botnets Networks. Fortinet has developed a new application's signatures in order to trying to avoid that the infected PCs (called Zombies) contact with the Command & Control Server.
Today, this is the known botnet list by Fortigate:
Agobot.Phatbot, Asprox, BlackEnergy, Bredolab, CMultiLoader, Chapro, Citadel, Cridex, DHL, Danmec.Asprox, Darkness, Dexter, DirtJumper , DistTrack, Duqu, ET, Eleonore.Web.Exploit, FakeSkype, Festi, Flame, Gbot, Gootkit, Gozi, Gumblar, Hiloti, IRC, Illusion, Imrabot, Jeefosance , Katusha, Koobface, LOIC, LOIC.IRC, Lethic , LoL, MacOS.Flashback, MachBot, Mariposa, MoneyBack, Morto, Murofet.CC, Night.Dragon, Pbbot, Phatbot , Pushdo, Qakbot, Ramnit, SDBot , SSHDkit Botnet, Sasfis, Sisron, Smoke, SpyEye, Storm.Krackin, Storm.Worm, T3C4I3, Tedroo, Torpig.Mebroot, Ursnif, VBCF, VertexNet, Vilsel, Virut, Vundo, Waledac, Webwail.Audio.Captcha, Yahoo.Messenger.Worm, Zeroaccess, Zeus
How can we avoid that with Fortigate Firewalls?
First of all, you need to create an Application Sensor in UTM Profiles. We named the Sensor "Botnet":
You can select other applications, in this case, only we've selected Category Botnet and anction Block.
Then, It's must apply this sensor in the general rule. For example:
Now, you are denying callbacks sessions to a C&C Servers.
If one of your computers are infected, you could see the firewalls logs.
Comparing Fortigate logs and Snort IDS logs, I can tell you that Fortigate only detect the 10% of Zombies in our networks than Snort IDS can do. Every day, the number of infected PCs detected by Fortigate Firewalls is higher, but at the moment, it's lower than everybody wants...
You can trace the evolution of Botnets detections by Fortigate by clicking here: http://www.fortiguard.com/botnet/
Subscribe to:
Post Comments (Atom)
About Me
Popular Posts
-
Some months ago, I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of g...
-
You already know that the malware developers create packed executables in order to try to thwart the security analyst job and make a ligh...
-
When we are involved in an incident handling and we are in charge of analyzing a traffic capture in a pcap format related to an attack, one...
-
Introduction Wordpress is the CMS most used Worldwide. According to w3techs.com WordPress is used by 61.1% of all the websites whose con...
-
Introduction Some months ago, I reported to the Fortinet PSIRT team two vulnerabilities which affect different Fortigate firmware version...
Behind The Firewalls. Powered by Blogger.
0 comments:
Post a Comment