This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

GameOver Zeus on NAT network


I am attempting to find the computer infected with GameOver Zeus virus on my NAT network. I have a smoothwall open source firewall and Microsoft SBS 2011 server on the network.

How would I capture the information required?

This is what CBL Abuse suggests to get delisted.

NEW! The Gameover Zeus/Tovar project has set up a "lighthouse IP". The lighthouse IP has been set up to help administrators find the Gameover Zeus infection on NAT networks. The theory is simple: every time an infected PC attempts to connect to a Command&Control sinkhole (see below for a partial list), the infected PC will also send a UDP packet to IP address 72.52.116.52 on port 4643 (though we suggest logging all ports). By configuring that address into your firewall, you can log which local IP address is attempting to contact 72.52.116.52, and thereby find and remediate the infection.

If you are connected to us via a computer you believe may be infected, this link should help confirm your suspicion: Online Gameover Zeus Detector

REMEMBER Gameover Zeus DOES NOT communicate over port 25 at all. It has nothing to do with email. Do not waste your time fiddling around with port 25 firewall rules.

To find an infected computer on a NATted LAN you are searching for a local machine that is trying to make connections to a Zeus Command and Control (C&C) server on the Internet. These C&C servers have been taken over by our partners and they are giving us reports about which IPs are trying to talk to them. It is those IP addresses that are infected.

If you have full logs of your firewall activity at the time this occurred, you can look in the logs for the time/sinkhole IP and destination port information given below.

If you do not have full logs, you will need to set up a sniffer or firewall rules to catch and log attempts to talk to the C&C.

asked 14 Aug '14, 13:26


Trinard

(Deleted by mistake. Sorry)

(14 Aug '14, 13:38) Bill Meier ♦♦

I think you'll get more appropriate help over at the smoothwall support facilities, they'll tell you how to log the traffic.

(14 Aug '14, 14:46) grahamb ♦

I agree with grahamb that your question really translates to how do you configure your firewall to log certain traffic. That's not really a Wireshark question. But assuming you know how to configure your firewall to log certain events, then "CBL Abuse" lays it out pretty straightforwardly. This virus attempts to send a UDP packet to 72.52.116.52:4643. So by logging traffic on your firewall with a destination address of 72.52.116.52, you will be able to identify the source IP address, and thereby identify the infected computer.

(15 Aug '14, 05:11) smp
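The procedure CBL describes in the question and smp restates above (log every packet whose destination is the lighthouse address, then read the pre-NAT source address off the log) can be worked through as a small script. This is an added example, not code from the original thread, CBL, Smoothwall or Wireshark. It assumes the firewall emits netfilter-style `SRC=... DST=... PROTO=... DPT=...` log lines (Smoothwall is iptables based, but the exact layout is an assumption; adjust the regex if yours differs), and the log lines it runs on are constructed for the example. Only the lighthouse IP and port 4643 come from the thread. The two filter strings are the real Wireshark capture (BPF) and display filter syntax for the same traffic, for anyone who would rather sniff the LAN side than read firewall logs.

```python
import re
from collections import Counter, defaultdict

# Lighthouse address and port quoted from CBL in the question.
LIGHTHOUSE_IP = "72.52.116.52"
LIGHTHOUSE_PORT = 4643

# Equivalent Wireshark/tshark filters for a LAN-side sniffer:
# capture filter (tshark -f / Wireshark capture options) and display filter.
CAPTURE_FILTER = f"udp and dst host {LIGHTHOUSE_IP}"
DISPLAY_FILTER = f"ip.dst == {LIGHTHOUSE_IP} && udp"

# Netfilter LOG target fields. ASSUMPTION: the firewall logs in this key=value
# layout; change the regex to match your real firewall's log format.
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log lines (not real Smoothwall output). Internal hosts
# 192.168.10.44 and 192.168.10.9 talk to the lighthouse; .17 is clean.
SAMPLE_LOG = """\
Aug 14 13:02:11 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.44 DST=72.52.116.52 LEN=68 TTL=127 PROTO=UDP SPT=53127 DPT=4643 LEN=48
Aug 14 13:02:12 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.17 DST=8.8.8.8 LEN=76 TTL=127 PROTO=UDP SPT=5432 DPT=53 LEN=56
Aug 14 13:02:40 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.44 DST=72.52.116.52 LEN=68 TTL=127 PROTO=UDP SPT=53128 DPT=4643 LEN=48
Aug 14 13:03:02 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.44 DST=72.52.116.52 LEN=68 TTL=127 PROTO=UDP SPT=53129 DPT=8010 LEN=48
Aug 14 13:03:05 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.9 DST=72.52.116.52 LEN=60 TTL=64 PROTO=TCP SPT=49211 DPT=80
Aug 14 13:05:00 fw kernel: IN=eth0 OUT=ppp0 SRC=192.168.10.17 DST=93.184.216.34 LEN=60 TTL=127 PROTO=TCP SPT=49222 DPT=443
"""


def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one log line, or None
    if the line carries no usable source and destination address."""
    fields = dict(_FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def find_lighthouse_hits(lines):
    """Map each internal source IP that contacted the lighthouse to a
    Counter of destination ports. Every port is kept, because CBL advises
    logging all ports rather than only 4643; the port breakdown is reported
    so 4643 hits stand out from anything else that touched the address."""
    hits = defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or fields["DST"] != LIGHTHOUSE_IP:
            continue
        dport = fields.get("DPT")
        port = int(dport) if dport and dport.isdigit() else None
        hits[fields["SRC"]][port] += 1
    return dict(hits)


def suspect_hosts(lines):
    """Sorted list of pre-NAT source addresses to go and inspect."""
    return sorted(find_lighthouse_hits(lines))


def report(lines):
    """Human-readable summary, one line per suspect host."""
    out = []
    for src, ports in sorted(find_lighthouse_hits(lines).items()):
        detail = ", ".join(
            f"port {p}{' (lighthouse port)' if p == LIGHTHOUSE_PORT else ''}: {n}"
            for p, n in sorted(ports.items(), key=lambda kv: (kv[0] is None, kv[0]))
        )
        out.append(f"{src} contacted {LIGHTHOUSE_IP}: {detail}")
    return "\n".join(out)


if __name__ == "__main__":
    print("Capture filter:", CAPTURE_FILTER)
    print("Display filter:", DISPLAY_FILTER)
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against a real log with `report(open("/var/log/messages").read().splitlines())`; any host that appears is the one behind the NAT that needs remediation, and a host hitting port 4643 specifically matches the behaviour CBL describes.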