
Mass mailing worm got past mcafee

Hi all
Our domain recently was blacklisted as a spam source. Upon investigation in the firewall logs it was found that a particular pc on our network was infected by a mass mailing virus.
By viewing the edge firewall logs, I saw several outbound connections on port 25.
The infected machine also was listening on port 25 so it seems the virus also acted
as an smtp server. The scary thing is that mcafee 8.7i by default BLOCKS mass mailing
worms on port 25. When I tried manually to connect on port 25 to an arbitrary mail server
the connection is blocked by mcafee however. Can someone explain to me how this virus
could still be sending mails on port 25?
1 Solution

Some viruses use an NDIS driver that allows them to bypass your OS/antivirus. You should use a HIPS, which has more capabilities to defeat such threats.

Read this great document about bypassing security products:


A Symantec Certified Specialist @ your service
anarine (Author) commented:
I've read about HIPS. How does that differ from antivirus or firewall?
Good link
HIPS is smarter than a firewall in detecting threats and blocking them. It uses two ways to identify attacks: signatures and behavior analysis.

Read more about IPS


Mohamed Osama (Senior IT Consultant) commented:
The port 25 listener could also be a proxy that only relays spam, or uses some sort of encrypted handshake to identify authorized hosts for usage.
BTW, there is no real need for an SMTP service to bind to TCP 25; this is just the protocol standard. Malware authors can, if they wish, use pretty much any TCP port to bind their server to. If the machine is still infected or is still available, you can run a protocol analyzer like Wireshark to get a better idea about the network traffic the malware generates.
You can also get a name for the malware, which will help you track exactly the changes it made to your system; if you are able to upload the worm binaries to ww.virustotal.com this should be a good start.
Mohamed Osama (Senior IT Consultant) commented:
The above link should be http://www.virustotal.com/
Please let us know if you have already cleaned / rebuilt the machine or if you need assistance with cleanup also.

anarine (Author) commented:
My main concern is that the edge firewall showed multiple outbound connections on port 25 to various domains from the computer infected with the virus. What is shocking to me is that the worm
was able to create outbound connections on port 25, despite the fact that McAfee antivirus was installed, up to date and blocking mass mailing worms on that port. This is scary.
Mohamed Osama (Senior IT Consultant) commented:
I am not exactly sure I get you here, when you mention that McAfee will block outbound SMTP connections by default.
I would think it will block the local machine from opening the SMTP port to use the machine as a mail server, or from running hidden Outlook automation tasks. If it failed to do so, then maybe the program was inactive when the infection occurred, and the malware further disabled it later on. Correct me if I am wrong here, but outbound connections to mail servers usually are not blocked by default, as there may be legitimate uses for them, like sending normal mail through an external server, or other valid reasons.

1) You need to review the FW's policies and deny any outbound connection to port 25 from all clients except the mail server(s) / antispam appliance.

2) AV products are not perfect, and any zero-day worm/virus can bypass it easily without any problem.

3) You need to submit any suspicious samples to McAfee for analysis, so they can build new definitions if they are needed.

4) The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda..etc) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:


4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging on any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside to outside.

You should use a combination of sniffers and port scanners to detect spam bots, Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).

2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

here how to scan for port 25 (change with your network range)

#nmap -sS -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here how to sniff port 25

#tcpdump -i eth0 port 25

A Symantec Certified Specialist @ your service
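One way to put points 1, 3 and 6 of the list above into practice, as an added example that is not part of the original thread or of any answer in it: the awk filter below runs over a constructed, syslog-style sample of edge firewall log lines (the line format, the 10.0.0.0/8 client addresses and the mail server address 10.0.0.25 are all assumptions made for the example, not real data) and reports every internal host that reached an external host on TCP/25 other than the authorized mail server, most active first. The second function prints, rather than applies, the iptables rules that would enforce the "mail server only" egress policy with logging; iptables is assumed here only because the thread never names the edge firewall vendor.

```shell
#!/bin/sh
# Added example: spot spam-bot candidates in firewall logs and print the
# egress policy that would have stopped them. Not from the original thread.

# Assumption for the example: the site's only legitimate SMTP sender.
AUTHORIZED_MX="10.0.0.25"

# Constructed sample of edge firewall log lines (netfilter-style key=value
# fields); not a real capture. 10.0.0.77 is the infected PC in this story.
SAMPLE_LOG='Jun 12 10:01:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=40231 DPT=25
Jun 12 10:01:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=25
Jun 12 10:01:06 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.9 PROTO=TCP SPT=1035 DPT=25
Jun 12 10:01:07 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=192.0.2.44 PROTO=TCP SPT=1036 DPT=25
Jun 12 10:01:08 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.80 DST=203.0.113.80 PROTO=TCP SPT=2222 DPT=80
Jun 12 10:01:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.11 PROTO=TCP SPT=40232 DPT=25
Jun 12 10:01:10 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.91 DST=198.51.100.7 PROTO=TCP SPT=3001 DPT=25'

# smtp_offenders ALLOWED_IP  (log lines on stdin)
# Prints "count src" for every source that opened TCP/25 connections and is
# not the allowed mail server, most active first. Fields are parsed as
# key=value pairs, so field order in the log line does not matter.
smtp_offenders() {
    awk -v allowed="$1" '
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (proto == "TCP" && dpt == "25" && src != "" && src != allowed)
                count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# egress_rules ALLOWED_IP
# Prints (does not apply) the iptables FORWARD-chain rules for points 1 and
# 6 of the answer above: only the mail server may leave on TCP/25; anything
# else is logged with a recognizable prefix, then dropped. Assumes iptables.
egress_rules() {
    printf 'iptables -A FORWARD -p tcp --dport 25 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS-DENY "\n'
    printf 'iptables -A FORWARD -p tcp --dport 25 -j DROP\n'
}

echo "Hosts sending SMTP that are not $AUTHORIZED_MX (count src):"
printf '%s\n' "$SAMPLE_LOG" | smtp_offenders "$AUTHORIZED_MX"
echo
echo "Egress policy to apply on the edge firewall:"
egress_rules "$AUTHORIZED_MX"
```

On the sample above the filter reports 10.0.0.77 with three connections and 10.0.0.91 with one; the web connection from 10.0.0.80 and the mail server's own traffic are ignored. Replace SAMPLE_LOG with the real firewall log (for example pipe in the file with `cat`) and adjust the key names if your firewall logs a different format.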

anarine (Author) commented:
I suppose the best measures would be to disable outbound 25 on all devices except the mail server and to set my Antivirus clients to update every hour from our EPO server.
