MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt Etc...

darreng
Level 1

From time to time I receive alerts such as the one above; there are others. These typically occur on a Guest Wifi network I run.

In my ACP (Position 3) I have an entry allowing the DNS application from my DMZ (Guest Wifi Zone) to the Outside of my ASA. Other rules lower down match HTTP/HTTPS policies etc. The Default rule (last position) in the ACP has a File Policy with IPS enabled; it is set to Allow traffic.

I have enabled the Global Blacklist config in the ACP settings under the Security Intelligence tab, and I have modified the DNS setting to include blacklisting of DNS sites that Talos records as suspect.

To block the above DNS entries, is it simply a case of removing the DNS application entry (Position 3) in the ACP and changing my Default rule (last place) from Permit to Deny so that the DNS traffic is blocked to suspect sites? Or, by doing this, am I in danger of blocking other traffic?

Simply, I want to allow HTTP, allow HTTPS and allow DNS traffic, but with the latter only to trusted destinations. Where lookups occur that trigger the above alerts and others, I would like to drop these so the DNS is blocked.

Regards

Darren

Accepted Solution

Jetsy Mathew
Cisco Employee

Hello Team,

First of all, make sure that you are on the latest version of the SRU on the device.

By any chance are you running PHPMyAdmin on the device? Also verify what the HOME_NET and EXTERNAL_NET variables are set to.

If you suspect this is a false positive alert, then provide the following elements to TAC in order to verify whether this is a false positive or a valid alert due to an issue.

1. Packet matching the rule:

- Log in to the DC Web interface

- Navigate to "Analysis" > "Intrusions" > "Events" > Change Workflow to "Table View of Events" > Select the corresponding alert(s) > Click "Download Packets"

- You should obtain a ZIP file containing a packet capture in PCAP format.

- Send this ZIP file to the TAC team and request an analysis.

Rate if the post helps you.

Regards

Jetsy 



Ed Padilla Jr
Level 1

Can you use the DNS policy (this is in FMC version 6.0.x)? I am currently using the DNS Policy for suspicious sites, and it refreshes every 2 hours.

Hi Ed,

Thanks for the reply.

Yes I had the DNS policy applied. It looks to have been an issue caused by me not updating the variable set.

regards

Darren


There is a lot of traffic for win.trojan.pmbot outbound connection. Do we have any specific signature in the Cisco IPS to block the same?


Akv 

darreng
Level 1

Hi Jetsy,

I had not realised that the variable set required updating. Following a change, I now see that entries relating to such DNS attempts seem to be blocked. Thank you.

regards

Darren
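The accepted answer asks what HOME_NET and EXTERNAL_NET are set to, and the reply above confirms that updating the variable set changed the outcome. The following Python model, added here and not taken from the thread or from Cisco, shows why those two variables decide whether an outbound rule header such as `$HOME_NET -> $EXTERNAL_NET` matches a given flow; the subnet values and the sample addresses are constructed assumptions, not the poster's real configuration.

```python
import ipaddress

# Constructed variable sets (assumption, not the poster's configuration): the untouched
# default, where both variables are "any", and a tuned set where HOME_NET lists the
# internal and guest-Wi-Fi subnets and EXTERNAL_NET is everything that is not HOME_NET.
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TUNED_VARS = {"HOME_NET": "[10.0.0.0/8,192.168.10.0/24]", "EXTERNAL_NET": "!$HOME_NET"}


def _split_list(body):
    """Split the body of a bracket list on top-level commas (nested lists stay intact)."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def matches(expr, ip, variables):
    """True if `ip` falls inside the Snort-style address expression `expr`.

    Handles 'any', CIDR blocks, $VAR references, '!' negation and bracket lists
    such as [10.0.0.0/8,!10.1.0.0/16] (inside 10/8 but outside 10.1/16).
    """
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        parts = _split_list(expr[1:-1])
        includes = [p for p in parts if not p.startswith("!")]
        excludes = [p[1:] for p in parts if p.startswith("!")]
        included = not includes or any(matches(p, ip, variables) for p in includes)
        return included and not any(matches(p, ip, variables) for p in excludes)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def outbound_rule_fires(src, dst, variables):
    """Model the header of an outbound rule ($HOME_NET -> $EXTERNAL_NET) for one flow."""
    return matches("$HOME_NET", src, variables) and matches("$EXTERNAL_NET", dst, variables)


if __name__ == "__main__":
    # Constructed sample flows: a guest client talking to an Internet resolver (TEST-NET-3
    # address) and the same client talking to an internal DNS server.
    guest, resolver, internal_dns = "192.168.10.25", "203.0.113.53", "10.1.1.53"
    for name, vs in (("default", DEFAULT_VARS), ("tuned", TUNED_VARS)):
        print(name, "guest->Internet:", outbound_rule_fires(guest, resolver, vs),
              "guest->internal DNS:", outbound_rule_fires(guest, internal_dns, vs))
```

With both variables left at "any", the header matches every flow in every direction, so lookups to an internal resolver are indistinguishable from genuine outbound attempts; the tuned set only matches traffic leaving the defined home networks.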
