<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1210342930;
mso-list-type:hybrid;
mso-list-template-ids:-1210695096 -1556058302 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
color:#1F497D;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi guys,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This morning the following blog post was posted by the Dutch security firm about a malware dropper that is causing issues at a couple Dutch municipalities ICT departments:<o:p></o:p></p><p class=MsoNormal><a href="http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/">http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="http://webwereld.nl/nieuws/111424/nieuwe-trojan-grijpt-wild-om-zich-heen-in-nederland.html">http://webwereld.nl/nieuws/111424/nieuwe-trojan-grijpt-wild-om-zich-heen-in-nederland.html</a> (Dutch article about the trojan) <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The general expectation is that other companies will be infected by it as well, soon ... <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In order to see if customers of us<span style='color:#1F497D'> </span>in our ISP network are infected and trying to contact the specified IP addresses from the blogpost I created the following ACL and placed it in the network: <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Be aware, the IP’s used in the example below are real malware drop IP’s. It is not recommended to visit them with a browser. <b>Use wget on a linux or mac instead to test !!</b><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Recommended: <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Having a central syslog server if you want to have it logged centrally. <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Test this on a test environment for your own safety and protection before you want to do this in production <span style='font-family:Wingdings'>J</span> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On a switch do the following: <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>Create a policy file:<span style='color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>edit policy filter_cybercrime<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>entry xdocdoc_cc1 {<o:p></o:p></p><p class=MsoNormal>if {<o:p></o:p></p><p class=MsoNormal> protocol tcp ;<o:p></o:p></p><p class=MsoNormal> destination-address 184.82.162.163/32 ;<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal>then {<o:p></o:p></p><p class=MsoNormal> mirror-cpu ;<o:p></o:p></p><p class=MsoNormal> log ;<o:p></o:p></p><p class=MsoNormal> count xdocdoc_cc1 ;<o:p></o:p></p><p class=MsoNormal> deny ; <o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal>entry xdocdoc_cc2 {<o:p></o:p></p><p class=MsoNormal>if {<o:p></o:p></p><p class=MsoNormal> protocol tcp ;<o:p></o:p></p><p class=MsoNormal> destination-address 184.22.103.202/32 ;<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal>then {<o:p></o:p></p><p class=MsoNormal> mirror-cpu ;<o:p></o:p></p><p class=MsoNormal> log ;<o:p></o:p></p><p class=MsoNormal> count xdocdoc_cc2 ;<o:p></o:p></p><p class=MsoNormal> deny ; <o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Save the file and check it for syntax errors. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>c</span>heck policy filter_cybercrime<span style='color:#1F497D'> </span># if you copied the above file correctly, it should pass the syntax without problems.. <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal>and add the following commands : <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>configure log filter DefaultFilter add event kern.info # this is to make sure that you are seeing the kernel messages in the syslog ..<o:p></o:p></p><p class=MsoNormal>conf access-list filter_cybercrime port 27 ingress # add any ports that you feel might pass the traffic within the network. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Now if you test this using a wget to one of the following IP addresses you will get the following on the switch log and/or syslog:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:39 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:39 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:39 core3-nikhef.a2b-internet.com Kern: <b>178.249.153.19</b>:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:39 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:40 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:40 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:40 core3-nikhef.a2b-internet.com Kern: <b>178.249.153.19</b>:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:40 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:42 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:42 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:42 core3-nikhef.a2b-internet.com Kern: <b>178.249.153.19</b>:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:42 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:46 core3-nikhef.a2b-internet.com Kern: 78-byte packet from 1:25 (vlanId=101) matches rule xdocdoc_cc1<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:46 core3-nikhef.a2b-internet.com Kern: 00:04:96:52:06:1f -> 00:04:96:51:80:66 IP<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:46 core3-nikhef.a2b-internet.com Kern: <b>178.249.153.19</b>:50546 -> 184.82.162.163:80 TCP v4 hLen: 20 ttl: 63 tos: 0x0 tLen: 60<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'>Aug 9 10:28:46 core3-nikhef.a2b-internet.com Kern: seq: 0xbf4a576a ackSeq: 0x0 win: 0x3908 urgPtr: 0x0 syn<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With the result you can easily spot which IP in your network is trying to download or contact the malware servers. (178.249.153.19 in the above example as my test server for wget.) <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>You can also use <i>show access-list counter </i>to see if you have had hits on your ACL. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-family:"Courier New"'>filter_cybercrime * 27 ingress <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'> xdocdoc_cc1 194 # this means that the switch had 194 hits on the ACL <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Courier New"'> xdocdoc_cc2 0 <o:p></o:p></span></p><p class=MsoNormal><br>Happy hunting <span style='font-family:Wingdings'>J</span> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>Erik Bais<span style='color:#1F497D'><o:p></o:p></span></p></div></body></html>