Conficker going to send me to an early grave...

Ok, I am fresh out of ideas really on how to track down what appears to be Conficker activity behind our firewall!!!

Story thus far...  Blocked by CBL saying we have CONFICKER activity behind our firewall.  I do not know how they check however if you check out this page you can see all the info I have:

http://cbl.abuseat.org/lookup.cgi?ip=96.243.163.82

So they are claiming that we are showing Conficker activity...  Ok so here is where things get muddy...  So we have Trend Micro OfficeScan installed campus-wide here and it is not detecting anything.  However this isn't the first time that OfficeScan hasn't found viruses that I have found the .exe for and directly told it to "SCAN THIS FILE"...  /facepalm.

So I took to our newly installed Palo Alto PA-3020 and started looking at things there (note that I am 100% new to Palo Alto firewalls) and under the monitoring I can see a couple of boxes that are causing issues so I hop on them and run some tools to remove various garbage that A/V didn't pick up.

However we are still getting blocked from CBL for the same reason.  

From that point on I have done whatever I could think of, including running nmap internally looking for infected machines; I have set up rules to block attempts to connect to port 445; I have checked all servers for infection...  nothing turns up anything.

Here is the last strange part...  I know there is activity behind the firewall SOMEWHERE that is Conficker related because I am seeing DNS requests for Conficker sites.  My problem is that all the machines in my domain are pointed to our DNS servers, which then make the outgoing request.  So for every query I am seeing my DNS server(s), on which I do not have any indication of anything running.

How can I find the machines making the DNS requests to our DNS servers?  Obviously that is what is being triggered.  The obvious answer is that I should use Wireshark however it's too random as to when it happens.  It can be dormant for a couple of hours then blast for 30 seconds and with my DNS servers, generally I can get ~5 minutes of Wireshark capture before things start to get silly and/or Wireshark just crashes.

I'm out of ideas.  

As I was writing this I turned on DNS Debug logging on the DNS servers to see if I could match up what our firewall was saying to what the DNS server has to try to track it down and so far I'm waiting on hits.

Thanks,
Ryan
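The DNS debug log approach at the end of the post is the right place to get the client IP, since the firewall only ever sees the recursive server. As an added example (not from the original post), this script parses Windows DNS Server debug log "PACKET" lines, decodes the length-prefixed name format, and lists which internal clients queried domains on a watchlist. The log line format, the sample lines and the watchlist domain are all constructed assumptions; replace the watchlist with the domains your firewall actually flagged.

```python
import re
from collections import defaultdict

# Assumed shape of a Windows DNS debug log PACKET line (check against your server's output):
# date time tid PACKET pktid UDP|TCP Snd|Rcv remoteIP xid [R] opcode [flags rcode] qtype name
LINE_RE = re.compile(
    r'^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+'
    r'(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>[\d.]+)\s+\S+\s+'
    r'(?P<resp>R\s+)?(?P<op>[A-Z])\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$'
)

def decode_name(label_form):
    """Turn the log's '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r'\((\d+)\)([^(]*)', label_form)
    return '.'.join(text for length, text in labels if int(length) > 0).lower()

def find_clients(log_lines, watchlist):
    """Map each watched name to the sorted client IPs that sent a query for it.
    Only inbound queries (Rcv, no 'R' response marker) count; responses and
    non-PACKET lines such as the log header are skipped."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m['dir'] != 'Rcv' or m['resp']:
            continue
        name = decode_name(m['name'])
        if any(name == d or name.endswith('.' + d) for d in watchlist):
            hits[name].add(m['ip'])
    return {name: sorted(ips) for name, ips in hits.items()}

# Constructed sample log lines and a placeholder watchlist domain.
SAMPLE_LOG = [
    "DNS Server log file creation at 2/10/2014 1:33:00 PM",
    "2/10/2014 1:33:54 PM 0A24 PACKET  00000000039BE000 UDP Rcv 192.168.10.5    0002   Q [0001   D   NOERROR] A      (3)www(11)bad-example(7)invalid(0)",
    "2/10/2014 1:33:54 PM 0A24 PACKET  00000000039BE000 UDP Snd 192.168.10.5    0002 R Q [8081   DR  NOERROR] A      (3)www(11)bad-example(7)invalid(0)",
    "2/10/2014 1:34:01 PM 0A24 PACKET  00000000039BE100 UDP Rcv 10.20.30.41     0003   Q [0001   D   NOERROR] A      (3)www(11)bad-example(7)invalid(0)",
    "2/10/2014 1:34:02 PM 0A24 PACKET  00000000039BE200 UDP Rcv 10.20.30.99     0004   Q [0001   D   NOERROR] A      (7)updates(7)example(3)com(0)",
]
WATCHLIST = {'bad-example.invalid'}

if __name__ == '__main__':
    # Real use: find_clients(open(r'C:\dns.log', errors='replace'), WATCHLIST)
    for name, ips in find_clients(SAMPLE_LOG, WATCHLIST).items():
        print(name, '<-', ', '.join(ips))
```

The resulting client IPs are the machines to pull off the network and inspect; the responses and the DNS server's own outbound queries never appear because only inbound "Rcv" queries are counted.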