Email exploit sneaking by?

I visited a website, got a pop up and closed it. ■■■■, the screen went black and I thought oh ■■■■… Sure enough something got in, an HTML hack of some sort. Norton’s alerts me that it’s scanning an outgoing email. Wait… I’m not sending any email, and suddenly emails start flying out of my PC.

So I cut the connection to my LAN. I have a quick launch shortcut to enable/disable the LAN connection. I’m smarter than the average user online, I’m a certified Windows Admin, resell webspace, do HTML/javascript and webdesign on the side and so on. Not too shabby at BASIC programming either.

My system, WinXP Pro SP2, 3 GB RAM, 256 MB video, etc etc etc… I’ve got Norton’s 2005 with definitions of 10/27/07 (less than a day old) and tried a full scan, even talked online to 3 so-called analysts with Symantec. They were useless. I have Ad-Aware 2007, latest defs. No joy there either. I scanned everything. They all say it’s clean as can be.

So how come I see this when I do netstat as soon as I see traffic on my LAN:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1047 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:1038 *:*
UDP 0.0.0.0:3541 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*

It gets better, wait a few moments and then I do another netstat as I watch Norton’s continue to scan more outgoing email that I didn’t authorize…

Active Connections

Proto Local Address Foreign Address State
TCP darpa-c5w6oazd1:3538 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3543 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3526 192.168.2.6:netbios-ssn TIME_WAIT
TCP darpa-c5w6oazd1:3527 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3528 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3529 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3530 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3533 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3534 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3540 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3545 74.208.13.39:https TIME_WAIT

I do some WHOIS and tracert stuff and come up with some websites that basically have just placeholders for their pages. Hmmmm… dig this:

Active Connections

Proto Local Address Foreign Address State
TCP darpa-c5w6oazd1:3574 u15250010.onlinehome-server.com:https TIME_WAIT
TCP darpa-c5w6oazd1:3575 u15250010.onlinehome-server.com:https TIME_WAIT

208.66.69.238
Record Type: IP Address

OrgName: InterWeb Media
OrgID: INTER-280
Address: 2617 Lippe
City: Montreal
StateProv: QC
PostalCode: H4R-1L9
Country: CA


74.208.13.39
Record Type: IP Address

OrgName: 1&1 Internet Inc.
OrgID: 11INT
Address: 701 Lee Rd
Address: Suite 300
City: Chesterbrook
StateProv: PA
PostalCode: 19087
Country: US


So I find Comodo and install. I am successful at blocking a few ports, fully block the IPs involved, but guess what, the mail shifts to new IPs and ports. All on the same IP ranges that these guys run…

What are the emails going out? SPAM for ■■■■■ enlargement, ■■■■■ sites, you name it. Nothing with my name on it, nothing showing it came from my PC… it’s all pre-formed with some funky return addresses. Dead-end spoofed stuff. And my PC is a zombie relay.

Comodo was able to do what NAV and AdAware couldn’t: name the parent causing the email:

C:\WINDOWS\Temp\1023640863.exe

So I go with glee, I am going to kill this evil file. Um, it’s not there. I searched. Nothing. Then the log shows another parent: 1104726938.exe in the same folder. Um, no it isn’t. No *.exe at all in that folder.

I’ve contacted my ISP to inform them of the situation and they were fairly useless as well. I realize I may have to wipe the system and reinstall but that’s a last resort. I’ve got 3/4 of a terabyte of drives here. Formatting is a nuclear meltdown type of solution.

Any ideas? It isn’t a known worm/trojan/virus/spyware or it’d have been picked up by NAV/AdAware. It’s most likely an exploit of Windows and IE 6.0…

~ Thanks (:KWL)

You’ve done the difficult part, to confirm that there is a malware infection of some kind. So the next steps are to contain, and to remove.

I’ll suggest these steps: have CFP block all outbound TCP connections attempted to ports 25, 587, and 465. Those are the standard, and not so standard, email ports. Malware can’t send spam if it can’t connect to the mail servers.

Your netstat is also showing https connections. That’s SSL web surfing, on TCP port 443. If you block outbound TCP 443, that should make things a little tougher for the malware to call home.

For removal, the standard method I know of is to run a HiJackThis scan, and post your scan log to one of the web forums that specialize in malware cleanup. castlecops.com, bleepingcomputer.com, techsupportforum.com, spywareinfo.com, techguy.org, or any of the others that are out there. Be aware that the helpers are volunteers, and they’re always overloaded. It can take a couple of days, to more than a week, for them to get to you. If the malware can be cleaned out, they can do it as they keep the tools on hand to do it. And they’re very sharp tools.

Greetings,

I’m not an expert but…
Is there any suspicious file when you run HijackThis? Can you find this suspicious file in Task Manager?
Else, there’s another program, named RunScanner (found at http://www.runscanner.net/), which shows more stuff than HijackThis.

Seems like this file changes its name from time to time, as you can’t find it by the search function.
Can you possibly see the file this way:

  1. Open cmd.exe
  2. cd C:\WINDOWS\Temp\
  3. attrib

Else, if you try to delete the Temp-folder, do you get an error message saying some file can’t be deleted?

Ragwing

Sounds like it’s time for emergency measures. Can you get a good copy of CAVS, Comodo BOClean or Avast Free AV and get them to install? I know this is not a standard way to use CBOC or an AV but it might be worth a try. I have installed CAVS, Avast Free, and CBOC down in the middle of an infection before and they were able to find the infection. This was a virus that Norton Corporate missed.

I would try getting something on there as soon as possible to try and stop it; then you can clean it up. I would also unplug the extra drives to keep it from spreading to them if it hasn’t already. Of course shut the PC down first before unplugging anything.

jasper

If Avast doesn’t find it, I suggest Avira AntiVir, it has the best detection rates for viruses (at least the premium one does). And try using the heuristic scanning and see if it finds something.
But you should post a HijackThis log.

Ragwing

G’day,

Any money, the file “C:\WINDOWS\Temp\1023640863.exe” (or similarly named file) is being dynamically generated. It, to a certain extent, isn’t the problem, you need to find out what is generating this file. Download and run HijackThis (or some other similar utility) and post the logs back here (as an attachment, please).

Ewen :)

It dawned on me a few moments ago that your netstat isn’t complete. It’s missing the standard Windows ports 135, 137, 139… that bunch. Did you edit your listing, or did you configure your machine not to use Windows networking, or has the malware masked something?

Have you tried a “netstat -anob” to see what programs are running on what port? I don’t recognize 3541/udp, and a google search tells me it’s a VoIP port.

If you’re running as a spam zombie, there is very likely a command & control port active. CFP being installed may have blocked it, and may not. Check your CFP logs (Activity → Logs) for inbound connections.
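The two netstat checks suggested in this thread (which outbound connections go to the mail ports 25/587/465 or to 443, and which of the usual Windows listeners on 135/139/445 are absent) can be scripted against a pasted listing. The script below is an added example, not code from the thread or from Comodo; it parses the format the original poster pasted (both numeric ports and the service names Windows netstat substitutes) and summarises remote peers per category. The sample listing is constructed from the lines above plus one invented SMTP connection to a documentation address (198.51.100.7), since the poster’s own listing contained none; the service-name table and the set of "expected" listeners are assumptions for a default XP box.

```python
"""Triage a Windows `netstat` listing for spam-relay behaviour (added example)."""
import re
from collections import Counter

# Service names Windows netstat substitutes for well-known ports when it can
# resolve them. Partial table, enough for the listing in the thread (assumed).
SERVICE_PORTS = {
    "http": 80, "https": 443, "smtp": 25, "submission": 587, "smtps": 465,
    "netbios-ssn": 139, "microsoft-ds": 445, "epmap": 135, "netbios-ns": 137,
    "ntp": 123, "isakmp": 500, "ipsec-msft": 4500, "ssdp": 1900,
}
MAIL_PORTS = {25, 587, 465}            # what the first reply says to block outbound
WEB_PORTS = {80, 443}                  # 443 is the "call home" channel the reply mentions
EXPECTED_WINDOWS_LISTENERS = {135, 139, 445}   # assumed defaults with Windows networking on

# One connection line: proto, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample in the poster's format; the smtp line is invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1047         0.0.0.0:0              LISTENING
  TCP    darpa-c5w6oazd1:3538   localhost:1047         TIME_WAIT
  TCP    darpa-c5w6oazd1:3526   192.168.2.6:netbios-ssn TIME_WAIT
  TCP    darpa-c5w6oazd1:3527   74.208.13.39:https     TIME_WAIT
  TCP    darpa-c5w6oazd1:3528   208.65.60.87:http      TIME_WAIT
  TCP    darpa-c5w6oazd1:3529   208.66.69.238:https    TIME_WAIT
  TCP    darpa-c5w6oazd1:3540   74.208.13.39:https     TIME_WAIT
  TCP    darpa-c5w6oazd1:3550   198.51.100.7:smtp      TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:3541           *:*
  UDP    127.0.0.1:123          *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port_number); the port may be a service name or '*'."""
    host, _, port = endpoint.rpartition(":")
    if port in ("", "*"):
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())


def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def listening_ports(rows):
    """TCP ports in state LISTENING."""
    return {r["lport"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def missing_windows_listeners(rows):
    """Expected Windows networking listeners that the listing does not show at all."""
    return sorted(EXPECTED_WINDOWS_LISTENERS - listening_ports(rows))


def outbound_by_category(rows):
    """Count remote (host, port) peers, grouped as mail / web / other; loopback is ignored."""
    summary = {"mail": Counter(), "web": Counter(), "other": Counter()}
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING" or r["fport"] is None:
            continue
        if r["fhost"] in ("localhost", "127.0.0.1"):
            continue  # local proxy/scanner chatter, not a remote peer
        cat = "mail" if r["fport"] in MAIL_PORTS else "web" if r["fport"] in WEB_PORTS else "other"
        summary[cat][(r["fhost"], r["fport"])] += 1
    return summary


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("missing Windows listeners:", missing_windows_listeners(rows))
    for cat, peers in outbound_by_category(rows).items():
        for (host, port), n in peers.most_common():
            print(f"{cat:5} {host}:{port} x{n}")
```

Repeated TIME_WAIT entries to the same https peers, as in the poster’s listing, show up as counts greater than one under "web"; anything under "mail" is a connection an outbound firewall rule on 25/587/465 would have stopped.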

We should try this site with CMG; I think they have done a drive-by download, which CMG would prevent.

Try CFP v3 beta; it will give you more (much more) info and will catch what’s happening at earlier stages.

Melih

You can check to see if you’re running an Open Relay here

You should be able to check whether something has been installed which shouldn’t be there by running REGEDIT and then navigating to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Everything in the right hand pane launches on Startup.
Same goes for the Current User registry key located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It also sounds like you need to take steps to secure your browser. CERT.org has some good tips for that, link here
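The Run-key check described above (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER ...\CurrentVersion\Run) can be done programmatically and the entries screened for the shape of path this thread reports. The script below is an added example, not from the thread or from any tool named in it. On Windows it enumerates both keys with the standard-library winreg module; elsewhere it runs against a constructed entry list. The three heuristics are assumptions rather than an indicator list: an autostart command under a Temp directory, an executable whose name is all digits (like the C:\WINDOWS\Temp\1023640863.exe Comodo logged), or a target file that no longer exists on disk. The legitimate-looking entry names and paths in the sample are constructed.

```python
"""Screen the Windows Run keys for autostart entries worth a second look (added example)."""
import os
import re
import sys

RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Heuristics (assumed): a path component named Temp, or an all-digit .exe name.
TEMP_DIR_RE = re.compile(r"(?i)[\\/]temp[\\/]")
DIGIT_EXE_RE = re.compile(r"(?i)(^|[\\/])\d+\.exe$")

# Constructed sample Run values, modelled on the path reported in the thread.
SAMPLE_ENTRIES = [
    ("SynTPEnh", r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"'),
    ("ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),
    ("Updater", r"C:\WINDOWS\Temp\1023640863.exe"),
    ("svc", r'"C:\Documents and Settings\user\Local Settings\Temp\svc.exe" -s'),
]
# Paths pretended to exist when running the sample off-Windows.
SAMPLE_PRESENT = {
    r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
}


def executable_of(command):
    """Extract the program path from a Run value, which may be quoted and carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    # Unquoted: take everything up to the first '.exe' followed by whitespace or end.
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", command)
    if m:
        return m.group(1)
    return command.split(None, 1)[0] if command else ""


def flag_run_entries(entries, path_exists=os.path.exists):
    """entries: iterable of (value_name, command). Returns [(name, exe, [reasons])] for flagged ones.

    path_exists is injectable so the check can run against a pasted list off the box."""
    flagged = []
    for name, command in entries:
        exe = executable_of(command)
        reasons = []
        if TEMP_DIR_RE.search(exe):
            reasons.append("runs from a Temp directory")
        if DIGIT_EXE_RE.search(exe):
            reasons.append("all-digit executable name")
        if exe and not path_exists(exe):
            reasons.append("target file not found on disk")
        if reasons:
            flagged.append((name, exe, reasons))
    return flagged


def read_run_keys():
    """Enumerate both Run keys (Windows only). Returns [(value_name, command)]."""
    import winreg  # raises ImportError outside Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    entries.append((name, str(value)))
                    index += 1
        except OSError:
            continue  # key absent or not readable
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        entries, exists = read_run_keys(), os.path.exists
    else:
        entries, exists = SAMPLE_ENTRIES, SAMPLE_PRESENT.__contains__
    for name, exe, reasons in flag_run_entries(entries, exists):
        print(f"{name}: {exe}  <- {', '.join(reasons)}")
```

A flagged entry is a starting point, not a verdict: the thread’s own observation that the Temp file keeps changing name means the value should be read together with what writes it, which is where HijackThis or RunScanner logs come in.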