Some months ago, Fortinet published a new list of Botnets Applications supported.
Frequently, more and more infected hosts are including in Botnets Networks. Fortinet has developed a new application's signatures in order to trying to avoid that the infected PCs (called Zombies) contact with the Command & Control Server.
Today, this is the known botnet list by Fortigate:
Agobot.Phatbot, Asprox, BlackEnergy, Bredolab, CMultiLoader, Chapro, Citadel, Cridex, DHL, Danmec.Asprox, Darkness, Dexter, DirtJumper , DistTrack, Duqu, ET, Eleonore.Web.Exploit, FakeSkype, Festi, Flame, Gbot, Gootkit, Gozi, Gumblar, Hiloti, IRC, Illusion, Imrabot, Jeefosance , Katusha, Koobface, LOIC, LOIC.IRC, Lethic , LoL, MacOS.Flashback, MachBot, Mariposa, MoneyBack, Morto, Murofet.CC, Night.Dragon, Pbbot, Phatbot , Pushdo, Qakbot, Ramnit, SDBot , SSHDkit Botnet, Sasfis, Sisron, Smoke, SpyEye, Storm.Krackin, Storm.Worm, T3C4I3, Tedroo, Torpig.Mebroot, Ursnif, VBCF, VertexNet, Vilsel, Virut, Vundo, Waledac, Webwail.Audio.Captcha, Yahoo.Messenger.Worm, Zeroaccess, Zeus
How can we avoid that with Fortigate Firewalls?
First of all, you need to create an Application Sensor in UTM Profiles. We named the Sensor "Botnet":
You can select other applications, in this case, only we've selected Category Botnet and anction Block.
Then, It's must apply this sensor in the general rule. For example:
Now, you are denying callbacks sessions to a C&C Servers.
If one of your computers are infected, you could see the firewalls logs.
Comparing Fortigate logs and Snort IDS logs, I can tell you that Fortigate only detect the 10% of Zombies in our networks than Snort IDS can do. Every day, the number of infected PCs detected by Fortigate Firewalls is higher, but at the moment, it's lower than everybody wants...
You can trace the evolution of Botnets detections by Fortigate by clicking here: http://www.fortiguard.com/botnet/
Some months ago, I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of g...
When we are involved in an incident handling and we are in charge of analyzing a traffic capture in a pcap format related to an attack, one...
Nikto is one of the most popular web security application when you are beginning a web pentesting project. You can download Nikto from htt...
Are you using some anomyzer? Anonymizing your connection is one the main requirements you need to do when you want to do bad things... For...
How many times we need to find all the client's web servers on the same IP? Since System Administrators began using "virtual hosts&...
Behind The Firewalls. Powered by Blogger.