Emotet is back again

…and will waste our time and resources to fight against.

abuse.ch provides some sources about the tracker IPs. “We urge you to BLOCK these command and control servers and regularly update your block list to receive the maximum protection,”

Is it possible to integrate this database of tracker IPs into NethServer?

They also provide an API: https://urlhaus.abuse.ch/browse/

Something about the architecture of Emotet.


There is a blacklist, but Pi-hole cannot process it: https://urlhaus.abuse.ch/downloads/text/

but https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt works:
[✓] Status: Retrieval successful
[i] Analyzed 246 domains

Probably it can be blocked by ClamAV: GitHub - StefanKelm/yara-rules: Links to malware-related YARA rules

Some rules may be outdated, others may lead to false positives.

Other blocklists, incl. Suricata: Feodo Tracker | Blocklist

https://feodotracker.abuse.ch/downloads/feodotracker.rules

OPNsense has integrated them.


…but if I activate it, my small box gets overloaded.

Threat Shield has the Feodo lists by abuse.ch.


They should be there (but they aren't) when using the firehol blocklists, but currently the URLs are wrong and the contents of the abuse.ch related files are empty.
There are some open bugs on the firehol issue tracker, but it seems to be an unresolved problem from some time ago:


At the link @capote posted, the IPs are in a text file:

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Aren't we able to create our own blacklist and import this one by a cron job?

An additional question: where can I find the blocklists of Threat Shield?


Stored under /usr/share/nethserver-blacklist/ipsets/, if I’m not mistaken.

No, you aren’t. Thanks for the answer.
I've done some testing: activating Feodo as a category and adding IP addresses manually to feodo.ipset works after restarting Shorewall until the next renewal of the file. In the feodo.ipset file there is a comment:

# List source URL : https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
but the address of the list is:

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Now I’m searching for the configuration file to set the right download address for the list.
@giacomo Can you help?

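As an added example (not code from this thread or from NethServer), the following POSIX shell script turns the abuse.ch text list at the URL above into a plain ipset-style file with the same "# List source URL" header, keeps only syntactically valid IPv4 entries, and refuses to replace the live list when the download comes back empty; the /tmp paths are placeholders, not the real location under /usr/share/nethserver-blacklist/.

```shell
#!/bin/sh
# Added example, not part of the thread: normalise the Feodo Tracker
# recommended IP blocklist into an ipset list (one IPv4 per line).
# Assumption: the list URL is the one quoted in the thread; the output
# paths under /tmp are placeholders, not NethServer's ipset directory.
FEODO_URL="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt"

# Drop comment and blank lines, keep only well-formed IPv4 addresses,
# and de-duplicate. A corrupted or empty download then yields nothing.
feodo_to_ipset() {
    grep -Ev '^[[:space:]]*(#|$)' |
    awk '
        function valid(ip,    o, i) {
            if (split(ip, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        valid($1) { print $1 }
    ' | sort -u
}

# Install the generated list with a source header, but never overwrite
# the live list with an empty one (the failure mode reported above).
publish_list() {
    tmp="$1" dest="$2"
    n=$(wc -l < "$tmp")
    if [ "$n" -eq 0 ]; then
        echo "refusing to install empty list from $tmp" >&2
        return 1
    fi
    { echo "# List source URL : $FEODO_URL"; cat "$tmp"; } > "$dest"
}

# Constructed sample mimicking the abuse.ch file layout (not real data):
# documentation addresses, a junk line, an out-of-range octet, a duplicate.
SAMPLE='# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)
# Last updated: placeholder
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.256
192.0.2.10
'

# Cron usage: run with --fetch to download, filter and publish the list.
if [ "${1:-}" = "--fetch" ]; then
    curl -fsS "$FEODO_URL" | feodo_to_ipset > /tmp/feodo.new &&
        publish_list /tmp/feodo.new /tmp/feodo.ipset
fi
```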

You need to have those IPs inside the git repository. You can hope Firehol will fix it or create a new git repository, see nethserver-blacklist — NethServer 7 documentation


Thanks for your answer.
I've also seen that I got a system mail with a fetch error:

Cron root@groupware sleep $(( ( RANDOM % 60 ) )); /usr/share/nethserver-blacklist/download ipsets

[ERROR] Can’t update blacklist repository: fetch failed

Now I tried to set up my own git repository, but the installation described in the documentation doesn't work for me, because the ius repository is not found.
I did the following steps:

yum install -y https://github.com/firehol/packages/releases/download/2020-02-18-0552/firehol-3.1.6-12.el7.noarch.rpm https://github.com/firehol/packages/releases/download/2020-02-18-0552/iprange-1.0.4-2.el7.x86_64.rpm unzip https://centos7.iuscommunity.org/ius-release.rpm

This step works fine.

yum install -y git216-core --enablerepo=ius

This gives the following error:

Error getting repository data for ius, repository not found

Has somebody an idea?

The ius repo seems to have changed:

yum install https://repo.ius.io/ius-release-el7.rpm

git216-core isn't available anymore, but git224-core is provided:

yum install -y git224-core --enablerepo=ius


Thanks Markus,
this works and I have made a pull request for the documentation.


I got an error:

yum install -y git224-core --enablerepo=ius

Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

It doesn't help:

You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

You already installed git, so it conflicts with git224-core. Please remove it and try again:

yum remove git


Yes, that works, but it removed Threat Shield completely. I reinstalled it and all is fine.
Thank you!

You can't install the git repository and Threat Shield on the same server.


:thinking: