Prohibit Emotet/TrickBot by IP Blocklist or how to proceed?

Triggered by many bad news about latest infections I found ipfblocklist as an add-on to IPFire. In this forum thread it was discussed a year ago to include this tool into IPFire. Will this become true in the near future, or shall I proceed with installation of ipfblocklist? Is there any other advice / best practice how to deal with Emotet/TrickBot in IPFire?

1 Like

Hi guys,
–> https://lists.ipfire.org/pipermail/development/2019-November/006664.html .

Best,

Erik

1 Like

Ok, this means we can expect an addon in the near future or is it just a discussion if this addon is possible there on the dev list?

1 Like

Yes, this may land in IPFire at some point.

I do not get how you expect this feature to prevent any malware like this. If you are already infected it can potentially mitigate it, but the IPS can already do that.

1 Like

My question did not aim on how this may prevent those attacks but when will this be part of IPFire because this addon may serve other tasks, too.

3 Likes

Reopening this case because I built a solution (possible).

The script (according to trollop SSL Blacklist, Feodotracker - #5 by troll-op) runs every night, generates network-objects and network-groups. Those can be used for two simple rules which are easy to use via Web GUI.

How about this?

#!/bin/bash

##############################################
# Beginn Download Liste FEODO & SSLBL
##############################################

#evtl. Reste löschen
rm -f /tmp/block-feodo
rm -f /tmp/block-sslbl

#FEODO (https://feodotracker.abuse.ch/)
curl -s https://feodotracker.abuse.ch/downloads/feodotracker.rules | sed -e 's/].*//g' | sed 's|.*\[\(.*\)|\1|' | sed -e 's/#.*//g' | sed '/at.*/d' | sort | uniq >> /tmp/block-feodo

#SSLBL (https://sslbl.abuse.ch/)
curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sed -e 's/#.*//g' | sed '/at.*/d' | sed -e 's/ .*//' | sort | uniq >> /tmp/block-sslbl

##############################################
# Ende Download Liste FEODO & SSLBL
##############################################

##############################################
# Beginn Bearbeitung FEODO CUSTOMHOSTS
##############################################

#Variablen setzen
HostSyntax="NO_WAN_Block_FEODO_"
SRCFile="/tmp/block-feodo"
DSTFile="/var/ipfire/fwhosts/customhosts"
RemarkTime=$(date +"%d.%B %Y %T Uhr")

#bestehende Einträge ind DSTFile löschen
sed -i "/$HostSyntax/d" "$DSTFile"

#höchsten Zähler in DSTFile ermitteln
DSTvaluemaxarray=($(sed "s/,.*//" "$DSTFile"))
DSTvaluemax=($(printf '%s\n' "${DSTvaluemaxarray[@]}" | awk '$1 > m || NR == 1 { m = $1 } END { print m }'))
#echo $DSTvaluemax

#Zähler für neue Einträge erstellen
#echo $DSTvaluemax
DSTcount=$((DSTvaluemax+1))
#echo $DSTcount

#Komma in DSTFile an letzter Stelle in Zeilen löschen
sed -i 's/\,$//' $DSTFile

#DSTFile um neue Einträge ergänzen
count=0;
input=$SRCFile
while IFS= read -r line
do
	test $count -eq 0 && ((count=count+1)) && continue
	echo "$DSTcount,$HostSyntax$line,ip,$line/255.255.255.255,Autoupdate $RemarkTime" >> $DSTFile
	let "DSTcount++"
	let "count++"
done < "$input"

#DSTFile sortieren
sort -n -o $DSTFile $DSTFile

#Komma an letzter Stelle des DSTFile setzen
sed -i '$s/$/\,/' $DSTFile

##############################################
# Ende Bearbeitung FEODO CUSTOMHOSTS
##############################################


##############################################
# Beginn Bearbeitung FEODO CUSTOMGROUPS
##############################################

#Variablen setzen
GRPSyntax="NG_WAN_Deny_IPShield_FEODO"
SRCFile="/var/ipfire/fwhosts/customhosts"
DSTFile="/var/ipfire/fwhosts/customgroups"

#bestehende Einträge ind DSTFile löschen
sed -i "/$GRPSyntax/d" "$DSTFile"

#höchsten Zähler in DSTFile ermitteln
DSTvaluemaxarray=($(sed "s/,.*//" "$DSTFile"))
DSTvaluemax=($(printf '%s\n' "${DSTvaluemaxarray[@]}" | awk '$1 > m || NR == 1 { m = $1 } END { print m }'))
#echo $DSTvaluemax

#Zähler für neue Einträge erstellen
#echo $DSTvaluemax
DSTcount=$((DSTvaluemax+1))
#echo $DSTcount

#Komma in DSTFile an letzter Stelle in Zeilen löschen
sed -i 's/\,$//' $DSTFile

#DSTFile um neue Einträge ergänzen
count=0;
input=$SRCFile
while IFS= read -r line
do
	test $count -eq 0 && ((count=count+0)) && continue
	Host=($(echo $line | awk -F',' '{print $2;}'))
	if [[ $Host = $HostSyntax* ]]
		then
			echo "Taken: $HostSyntax part of $Host"
			echo "$DSTcount,$GRPSyntax,,$Host,Custom Host,Autoupdate $RemarkTime" >> $DSTFile
		else
			echo "Not taken: $HostSyntax not part of $Host"
		fi
	
	let "DSTcount++"
	let "count++"
done < "$input"

#DSTFile sortieren
sort -n -o $DSTFile $DSTFile

#Komma an letzter Stelle des DSTFile setzen
sed -i '$s/$/\,/' $DSTFile

##############################################
# Ende Bearbeitung FEODO CUSTOMGROUPS
##############################################

##############################################
# Beginn Bearbeitung SSLBL CUSTOMHOSTS
##############################################

#Variablen setzen
HostSyntax="NO_WAN_Block_SSLBL_"
SRCFile="/tmp/block-sslbl"
DSTFile="/var/ipfire/fwhosts/customhosts"
RemarkTime=$(date +"%d.%B %Y %T Uhr")

#bestehende Einträge ind DSTFile löschen
sed -i "/$HostSyntax/d" "$DSTFile"

#höchsten Zähler in DSTFile ermitteln
DSTvaluemaxarray=($(sed "s/,.*//" "$DSTFile"))
DSTvaluemax=($(printf '%s\n' "${DSTvaluemaxarray[@]}" | awk '$1 > m || NR == 1 { m = $1 } END { print m }'))
#echo $DSTvaluemax

#Zähler für neue Einträge erstellen
#echo $DSTvaluemax
DSTcount=$((DSTvaluemax+1))
#echo $DSTcount

#Komma in DSTFile an letzter Stelle in Zeilen löschen
sed -i 's/\,$//' $DSTFile

#DSTFile um neue Einträge ergänzen
count=0;
input=$SRCFile
while IFS= read -r line
do
	test $count -eq 0 && ((count=count+1)) && continue
	echo "$DSTcount,$HostSyntax$line,ip,$line/255.255.255.255,Autoupdate $RemarkTime" >> $DSTFile
	let "DSTcount++"
	let "count++"
done < "$input"

#DSTFile sortieren
sort -n -o $DSTFile $DSTFile

#Komma an letzter Stelle des DSTFile setzen
sed -i '$s/$/\,/' $DSTFile

##############################################
# Ende Bearbeitung SSLBL CUSTOMHOSTS
##############################################


##############################################
# Beginn Bearbeitung SSLBL CUSTOMGROUPS
##############################################

#Variablen setzen
GRPSyntax="NG_WAN_Deny_IPShield_SSLBL"
SRCFile="/var/ipfire/fwhosts/customhosts"
DSTFile="/var/ipfire/fwhosts/customgroups"

#bestehende Einträge ind DSTFile löschen
sed -i "/$GRPSyntax/d" "$DSTFile"

#höchsten Zähler in DSTFile ermitteln
DSTvaluemaxarray=($(sed "s/,.*//" "$DSTFile"))
DSTvaluemax=($(printf '%s\n' "${DSTvaluemaxarray[@]}" | awk '$1 > m || NR == 1 { m = $1 } END { print m }'))
#echo $DSTvaluemax

#Zähler für neue Einträge erstellen
#echo $DSTvaluemax
DSTcount=$((DSTvaluemax+1))
#echo $DSTcount

#Komma in DSTFile an letzter Stelle in Zeilen löschen
sed -i 's/\,$//' $DSTFile

#DSTFile um neue Einträge ergänzen
count=0;
input=$SRCFile
while IFS= read -r line
do
	test $count -eq 0 && ((count=count+0)) && continue
	Host=($(echo $line | awk -F',' '{print $2;}'))
	if [[ $Host = $HostSyntax* ]]
		then
			echo "Taken: $HostSyntax part of $Host"
			echo "$DSTcount,$GRPSyntax,,$Host,Custom Host,Autoupdate $RemarkTime" >> $DSTFile
		else
			echo "Not taken: $HostSyntax not part of $Host"
		fi
	
	let "DSTcount++"
	let "count++"
done < "$input"

#DSTFile sortieren
sort -n -o $DSTFile $DSTFile

#Komma an letzter Stelle des DSTFile setzen
sed -i '$s/$/\,/' $DSTFile

##############################################
# Ende Bearbeitung SSLBL CUSTOMGROUPS
##############################################

##############################################
# Beginn Abschluss
##############################################

#temp. Dateien löschen
rm -f /tmp/block-feodo
rm -f /tmp/block-sslbl

#Reload Firewall Rules (Quelle: https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888/16)
echo "Apply new IP-Shield-Rules"
#/etc/rc.d/init.d/firewall restart >/dev/null 2>&1
/usr/local/bin/firewallctrl

##############################################
# Ende Abschluss
##############################################

But be careful with used lists, because every IP-Address generates a network-object (NO) and will be listed as a single host.

3 Likes

When interesting let’s talk about it.
Added for my own some more checks.
Cleaning up the temp-files for dos&unix (especially for the sslbl necessary).
Checking both temp-files for IP-Adresses to avoid usage of empty files or HTML-error within the file.

@hellfire A solution for you? Or too late?

2 Likes

I like this a lot, I would be interested. I think having these rules that are constantly being updated complement the IPS

the ET rules in my IPS are being updated nighltIy but seem to be a little behind.

I wonder what you think about these 2 examples.

  1. This malware has been known for about 7 days:

Emerging threats still marks it as “Clean”
URLhaus marks it as “Malicious”
Feodotracker - “Clean”

  1. This malware is almost 2 days old.

Emerging Threats - Clean
URLhaus - Clean
Feodotracker - Clean

1 Like

Hi,

the reason why there is no progress related to this add-on is because its maintainer replied to questions and bug reports sloppily, if all. Lately, he seemed to be gone, leaving a couple of technical details unclarified.

While this is dissatisfying from a user perspective, I am sure you will understand that we cannot just ship code which is as good as unmaintained even at the time it is handed in. We neither have the manpower to care about another poor thing in need of a maintainer, nor is it a good idea in terms of security.

Unless this situation changes drastically for the better, there are no plans of including this add-on into the distribution. Bummer, but that’s where we are.

That being said, I would even doubt we need it for this thread’s purpose anymore:

  • Emotet (and other) C&C servers are included in the Feodo Tracker, which comes with some IPS ruleset such as the ET community one. Additional rules are available for Cobalt Strike C&Cs and others, most of them are for free as well. This will at least prevent malicious actors from taking advantage of an infected network.

  • For malware distribution, there are a couple of other IPS rule categories available. While they never catch all, nor can replace a good AV scanner (a HIPS would be even better, but even most enterprises do not have this in place :expressionless: ), there is no point in not using them.

  • Upcoming Core Update 164 will introduce two new security features:

    1. Blocking traffic from and to hostile networks (“the baddest of the bad”) by default on new installations. On existing ones, this can be simply enabled by changing a radio button on the firewall options page. More on this in a dedicated blog post.

    2. Allowing to use multiple IPS rule providers at once. If there is something you cannot get covered by one providers’ feed, you can then use another one in addition, combining their rules and rule categories at your needs.

  • This is probably tiring to those aware of them, but please have a look at some blog posts of mine regarding general information security, firewall configuration and IPS configuration recommendations.

The latter one sounds trivial yet is not in real life: Most security incidents I need to handle in my dayjob are not caused by high-sophisticated APTs using the most advanced exploits and techniques one can imagine - far from it. The depressing reality is an enterprise going like:

“Whoops, we forgot to take this publicly exposed Windows 7 server offline, and could have segmented our networks better. Oh, and there was an IDS in place, but it was only logging, not blocking, and nobody looked at the logs. - Anyway, please clean up our network now.”

Unless you are some high-profile target, this is the level of IT security we are commonly dealing with. :expressionless:

Thanks, and best regards,
Peter Müller

5 Likes

Thank you for the detailed update.
It would be nice to be able to download and update rules directly from Abuse.ch. Proofpoint appears to be just another middle-men :saluting_face:

What "a good AV scanner " do you use in your setups?

Emotet was added today to the ET OPEN ruleset,
I don’t see any ET TROJAN ruleset in the Community version, but maybe they will show up overnight.

I guess, OPEN is the same as COMMUNITY??

In an effort to increase visibility/detection for everyone, we moved
all Emotet signatures from the PRO set to OPEN today.
https://www.proofpoint.com/us/daily-ruleset-update-summary-20220203

1 Like

Hi,

this feature will come with Core Update 164, where we have both the URLhaus and SSLBL feed of abuse.ch included. Please be patient for a short while and wait for the testing announcement of C164… :slight_smile:

I’m afraid I cannot recommend you any product here, since I am not an expert when it comes to Windows endpoint security (I can just tell you which products are not good, but I won’t do that publicly :slight_smile: ), and things like Linux usually do not need an AV scanner.

For the server and mail security side, I am usually very fond of ClamAV. The detection rates of their signatures are rather poor, but since it is open-source, one can easily write custom patterns. In one enterprise environment, I do so for malware captured by a honeypot network, if they are not detected by other AV scanners yet.

Long story short: Try not to use Windows in your network. If you have to, let users log onto terminal servers in a dedicated network, so they cannot infect other parts of your infrastructure.

To my understanding, yes.

Thanks, and best regards,
Peter Müller

3 Likes