Having had a chance to go through the capture files, that was a lot of packets over just a very few minutes, but not a lot of variation in what it was doing: spam. Both email and, apparently, web forum. The email is easy enough to control, but the forum stuff is going to be a little harder to herd.
About port 53 and the DNS server queries. The traffic in the capture files is normal stuff, so far. It’s going to your ISP nameservers. But we need to make sure that’s the only place that these queries are going. I don’t know what you’ve used in CFP rules, so I’ll outline what I think should work.
To simplify things a little, create a network zone. I’ll call it “DNS servers” in what follows. In this zone, you’ll list two host addresses: 12.183.0.2 and 12.183.1.4. These are your ISP nameservers, according to the capture files.
In Global Rules, you’ll need to add these 5 rules:
allow TCP/UDP out from anyhost anyport to zone[dns servers] port 53
block&log TCP/UDP out from anyhost anyport to anyhost port 53
allow TCP/UDP in from zone[dns servers] port 53 to anyhost anyport
block&log TCP/UDP in from anyhost port 53 to anyhost anyport
allow ICMP in from zone[dns servers] to anyhost
The first 2 rules will allow outbound queries only to your ISP, and the second 2 rules will only allow your ISP to answer back. Anything else gets blocked. The ICMP rule allows network error messages to come back from your ISP. These rules should make any DNS spoofing somewhat more difficult, and still allow you to have a working Internet name lookup service.
These rules should be at the top, or real close to the top, of your Global Rules.
In the capture files, it looks like the command-and-control host is 67.210.97.77, which seems to trace back to a co-lo box/router in Las Vegas NV. Blocking that host address likely wouldn’t work, as the malware would simply shift over to another host. The malware does have a list, and expects C&C machines to go offline as they are identified and cleaned up.
So the control tactic is going to have to be along the lines of “default deny” CFP rules, which follows the same form as the DNS nameserver rules I outlined above. It goes like this:
Edit “my port sets” for HTTP ports. The predefined set of ports is 80, 443, and 8080 on my machine. We want just ports 80 and 443.
Now create another network zone. I’ll call it “legit web sites”. In this zone you’ll add the names and addresses of web sites that you need to use, like www.comodo.com. You can use host names, as well as Internet addresses.
In Global Rules, you’ll need to add these rules after the nameserver rules (otherwise hostname lookups won’t work):
allow TCP out from anyhost anyport to zone[legit web sites] portset[HTTP ports]
block&log TCP out from anyhost anyport to anyhost portset[HTTP ports]
Then it should be only a case of adding known good sites into the “legit web sites” zone. That may be tedious for a little while. That should let you get out on the web safely, and keep the bad guys at bay. Then we can get on with the cleanup, without the worry of having the rug pulled out from under us in the process.
You can watch traffic with Wireshark. You’ll see a lot of DNS traffic, as the malware will be making efforts to find a way home. So long as it’s your ISP nameservers that it’s talking to, all those DNS queries will be noise and not a problem.
Your CFP log will likely get large, and quickly. If you could, upload the raw CFP binary logfile. I’ve got the tools available to read the file directly. The log is located, on a WinXP box, in \Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb.
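As an added illustration (not part of the post above, and not Comodo code), here is a small Python model of the seven Global Rules the post lays out, with first-match semantics: a flow is checked against the rules in order and the first one that matches decides. The two ISP nameserver addresses and the 67.210.97.77 host come from the post; the 203.0.113.10 address standing in for a “legit web sites” entry and the other sample flows are constructed for the example. Running it shows why the DNS rules work as a pair (allow-to-zone, then block-everything-else) and that traffic the rules do not cover, such as outbound mail, falls through to whatever rules come after.

```python
from dataclasses import dataclass
from typing import Optional

# Zones and port sets as the post defines them. The "legit web sites" address is a
# constructed placeholder (hostnames would have to be resolved first, which is why
# those rules have to sit below the nameserver rules).
ZONES = {
    "dns servers": {"12.183.0.2", "12.183.1.4"},   # ISP nameservers from the capture
    "legit web sites": {"203.0.113.10"},           # constructed placeholder address
}
PORTSETS = {"HTTP ports": {80, 443}}               # 8080 removed, as the post says

@dataclass(frozen=True)
class Flow:
    direction: str                 # "out" or "in", seen from the protected host
    proto: str                     # "TCP", "UDP" or "ICMP"
    remote_ip: str                 # the other end of the conversation
    remote_port: Optional[int] = None   # remote-side port; None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block&log"
    direction: str
    protos: frozenset
    remote_zone: Optional[str]         # None means anyhost
    remote_ports: Optional[frozenset]  # None means anyport (or no port, for ICMP)

    def matches(self, f: Flow) -> bool:
        if f.direction != self.direction or f.proto not in self.protos:
            return False
        if self.remote_zone is not None and f.remote_ip not in ZONES[self.remote_zone]:
            return False
        if self.remote_ports is not None and f.remote_port not in self.remote_ports:
            return False
        return True

TCPUDP = frozenset({"TCP", "UDP"})
P53 = frozenset({53})
HTTP = frozenset(PORTSETS["HTTP ports"])

# The post's rules, in the order they should appear in Global Rules.
GLOBAL_RULES = [
    Rule("allow",     "out", TCPUDP,               "dns servers",     P53),
    Rule("block&log", "out", TCPUDP,               None,              P53),
    Rule("allow",     "in",  TCPUDP,               "dns servers",     P53),
    Rule("block&log", "in",  TCPUDP,               None,              P53),
    Rule("allow",     "in",  frozenset({"ICMP"}),  "dns servers",     None),
    Rule("allow",     "out", frozenset({"TCP"}),   "legit web sites", HTTP),
    Rule("block&log", "out", frozenset({"TCP"}),   None,              HTTP),
]

def evaluate(flow: Flow, rules=GLOBAL_RULES):
    """First matching rule wins. Returns (action, 1-based rule number), or
    ("no match", None) for a flow these rules do not cover."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(flow):
            return rule.action, n
    return "no match", None

# Constructed sample flows of the kinds the post expects to see.
SAMPLE_FLOWS = {
    "dns query to ISP":        Flow("out", "UDP",  "12.183.0.2",   53),
    "dns query elsewhere":     Flow("out", "UDP",  "198.51.100.1", 53),
    "dns reply from ISP":      Flow("in",  "UDP",  "12.183.1.4",   53),
    "dns reply from elsewhere": Flow("in", "UDP",  "198.51.100.1", 53),
    "icmp from ISP":           Flow("in",  "ICMP", "12.183.0.2"),
    "https to listed site":    Flow("out", "TCP",  "203.0.113.10", 443),
    "http to C&C host":        Flow("out", "TCP",  "67.210.97.77", 80),
    "smtp out (not covered)":  Flow("out", "TCP",  "198.51.100.2", 25),
}

def decisions(flows=SAMPLE_FLOWS):
    """Map each sample flow name to the rule engine's decision."""
    return {name: evaluate(f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (action, n) in decisions().items():
        print(f"{name:26s} -> {action:10s} (rule {n})")
```

Rule 7 is what keeps the web-forum spam and the C&C check-ins from leaving on 80/443 until a site has been added to the zone; the SMTP line shows that mail is not touched by this set at all and has to be handled by its own rules, as the post notes.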