
DNS trap bogus IP

Question asked by Benjamin Hofstetter on Dec 6, 2017
Latest reply on May 2, 2018 by Evren Buyer

Hi All,

I saw an Anti-Bot log message:


...

Destination Port: 53
IP Protocol: 17
Protection Name: Operator.Trojan-banker.Win32.Zeus.w.eb
Malware Family: Zeus
Description: DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: High
Malware Action: DNS query for a C&C site
Protection Type: DNS Reputation
Destination DNS Hostname: morejobs.ch
Vendor List: Check Point ThreatCloud

....
Blade: Anti-Bot
Product Family: Threat
...

The source of this DNS Request is an internal DNS Server. According to sk74060 the default value for DNS trap IP is 62.0.58.94.

To find the infected host I have to check the logs for access to 62.0.58.94. Is this correct? I see three access requests to 62.0.58.94, logs like the one below (I removed the IPs):


....
Service ID: http
Source: <removed>
Source Port: 52778
Destination: 62.0.58.94
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from <removed> to 62.0.58.94

....


The <removed> IP address is now the infected client? Check Point is not logging this "bogus IP" (62.0.58.94) in any special way?


Is it a good idea to create a special Access Rule to Drop the Access to 62.0.58.94 and Log it with an Alert?


Btw. I am using R80.10


Regards,

Benjamin
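The correlation described in the question (the Anti-Bot DNS-trap event names the internal DNS server as the source, so the infected client is found by looking for connections to the trap IP) can be done with a small script over exported log records. The following is an added example, not code from the post or from Check Point: it assumes the `Key: Value` record layout quoted above with records separated by blank lines, uses the sk74060 default trap address 62.0.58.94, and all sample records and internal IPs in it are constructed for the example.

```python
"""
Correlate Check Point Anti-Bot "DNS trap" events with firewall connection
records to find the client that followed the sinkholed DNS answer.

Field names follow the ones quoted in the post; the records themselves are
constructed for this example. 62.0.58.94 is the default trap IP from sk74060.
"""
import re
from collections import defaultdict

DEFAULT_DNS_TRAP_IP = "62.0.58.94"  # default per sk74060; adjust if changed

# Constructed log extract: one Anti-Bot DNS-trap event (logged against the
# internal DNS server 10.0.0.53, which is why it does not identify the client)
# plus three Access records, two of which go to the trap IP.
SAMPLE_LOGS = """\
Blade: Anti-Bot
Source: 10.0.0.53
Destination Port: 53
IP Protocol: 17
Protection Name: Operator.Trojan-banker.Win32.Zeus.w.eb
Malware Family: Zeus
Description: DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information.
Protection Type: DNS Reputation
Destination DNS Hostname: morejobs.ch

Service ID: http
Source: 10.0.1.25
Source Port: 52778
Destination: 62.0.58.94
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from 10.0.1.25 to 62.0.58.94

Service ID: https
Source: 10.0.1.40
Source Port: 44011
Destination: 93.184.216.34
Destination Port: 443
IP Protocol: 6
Product Family: Access

Service ID: http
Source: 10.0.1.25
Source Port: 52790
Destination: 62.0.58.94
Destination Port: 80
IP Protocol: 6
Product Family: Access
"""


def parse_records(text):
    """Split a log extract into dicts, one per blank-line separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)  # split on the first ': ' only
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def dns_trap_events(records):
    """Anti-Bot records whose description says the DNS answer was replaced."""
    return [r for r in records
            if r.get("Blade") == "Anti-Bot" and "DNS trap" in r.get("Description", "")]


def sinkhole_contacts(records, trap_ip=DEFAULT_DNS_TRAP_IP):
    """Map source IP -> connection records whose destination is the trap IP."""
    hits = defaultdict(list)
    for r in records:
        if r.get("Product Family") == "Access" and r.get("Destination") == trap_ip:
            hits[r["Source"]].append(r)
    return dict(hits)


def suspected_hosts(text, trap_ip=DEFAULT_DNS_TRAP_IP):
    """Summarise which C&C names were trapped and which clients then hit the trap IP."""
    records = parse_records(text)
    traps = dns_trap_events(records)
    contacts = sinkhole_contacts(records, trap_ip)
    return {
        "trap_hostnames": sorted({t.get("Destination DNS Hostname", "?") for t in traps}),
        "dns_servers": sorted({t.get("Source", "?") for t in traps}),
        "suspected_hosts": {src: len(recs) for src, recs in contacts.items()},
    }


if __name__ == "__main__":
    summary = suspected_hosts(SAMPLE_LOGS)
    print("Trapped C&C hostnames :", summary["trap_hostnames"])
    print("DNS servers in events :", summary["dns_servers"])
    for src, n in summary["suspected_hosts"].items():
        print(f"Suspected host {src}: {n} connection(s) to {DEFAULT_DNS_TRAP_IP}")
```

The two record types are joined only through the trap IP: the DNS-trap event tells you which hostname was sinkholed and which DNS server asked, while the Access records to the trap address identify the client. Any client that appears in `suspected_hosts` is the one to investigate, since a host has no legitimate reason to connect to the bogus address.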
