Spamhaus Blacklisting due to Win32/Zbot - need help identifying infected machine.

Posted on 2012-08-15
Last Modified: 2013-11-22
The network has a standard Netgear DG834 router in place and operating systems are a mixture of Server 2003, Windows XP and Windows 7.

Got the Spamhaus message today that outgoing mail was blocked because our IP address is in the CBL. Usually I take a shotgun approach and lock down / scan all the nodes on the network - however, according to the Spamhaus explanation of the threat, this will probably not work with this particular virus as it has a very poor detection rate with current AV software.

It suggests that I "search for TCP/IP connections going to IP address or (less often), usually destination port 80 or 443, but you should look for all ports." How do I go about doing this?

Many thanks in advance
Question by: VogueSoftware

    Expert Comment

    I suggest you use Wireshark to sniff traffic originating from some machines.
    If you are able to view NAT tables in your Netgear, it might be an even quicker method.

    Author Comment

    Thanks hagman,

    I'll read up on wireshark in a bit but in the meantime can you tell me if this runs on one machine and scans the entire network or whether it has to run on individual clients?

    Author Comment

    Just looking through the Netgear interface to see if I can find a way to view the NAT tables. The logs appear to be very limited in the information they display. Here is a screengrab of the main dashboard; see if anyone can spot anything I've missed.

    Author Comment

    Will wireshark work on what is essentially a peer-to-peer network (as opposed to all clients being joined to a domain) and if so does it matter which machine I run it from?

    Accepted Solution

    The procedure I followed for resolving this issue was to read the explanation in the Spamhaus / CBL report, which suggested the likely IP addresses that the infected machines would be attempting to contact.

    I then created a firewall rule in the Netgear DG834 router to block and log any outbound traffic to this address. This allowed me both to identify the local IP address of the infected machine and to prevent any further outbound connection (and consequent relistings) while I was disinfecting the PC.
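The accepted solution above boils down to one defensive check: log every outbound connection to the addresses named in the CBL report, then work out which LAN host generated them, without filtering on port because the CBL advice says to look at all ports. The script below is an added example, not code from this thread or from Netgear. The log line format it parses is constructed for illustration (a real DG834 log export looks different), the LAN range 192.168.0.0/24 is an assumption, and the two addresses in WATCHLIST are documentation placeholders standing in for the real ones from the CBL report.

```python
"""Identify which internal hosts contacted a watchlist of destination addresses,
working from firewall 'block and log' entries exported from a router.

Added example; not code from the original thread. The log line format below is
constructed for illustration (real Netgear DG834 logs differ), and the
addresses in WATCHLIST are placeholders, not the ones named in a CBL report."""

import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Placeholder destinations (TEST-NET ranges); substitute the addresses from the CBL report.
WATCHLIST = {"203.0.113.10", "198.51.100.7"}

# Assumed LAN range, as on a default DG834 configuration.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample log: one host talks to the watchlist repeatedly, another once,
# plus normal traffic and an unparseable line to show the parser skipping it.
SAMPLE_LOG = """\
2012-08-15 09:01:12 BLOCK TCP 192.168.0.23:49152 -> 203.0.113.10:443
2012-08-15 09:01:13 ALLOW TCP 192.168.0.11:50211 -> 192.0.2.55:80
2012-08-15 09:01:40 BLOCK TCP 192.168.0.23:49153 -> 203.0.113.10:80
2012-08-15 09:02:02 ALLOW UDP 192.168.0.23:53412 -> 192.168.0.1:53
2012-08-15 09:03:17 BLOCK TCP 192.168.0.23:49160 -> 198.51.100.7:8080
2012-08-15 09:04:05 BLOCK TCP 192.168.0.40:1034 -> 203.0.113.10:443
garbage line that does not parse
"""


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything unparseable."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def suspects(text, watchlist=WATCHLIST, lan=LAN):
    """Map each LAN source address to the watchlist destinations and ports it touched.

    The destination port is recorded for the report but never used as a filter,
    matching the CBL advice to look for connections on all ports."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "dsts": set()})
    for rec in parse_log(text):
        if rec["dst"] not in watchlist:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src not in lan:          # ignore anything not originating inside the LAN
            continue
        entry = hits[str(src)]
        entry["count"] += 1
        entry["ports"].add(rec["dport"])
        entry["dsts"].add(rec["dst"])
    return dict(hits)


def ranked(text, **kwargs):
    """Source addresses ordered by number of watchlist contacts, busiest first."""
    return sorted(suspects(text, **kwargs).items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for src, info in ranked(SAMPLE_LOG):
        print(f"{src}: {info['count']} attempts, ports {sorted(info['ports'])}, "
              f"destinations {sorted(info['dsts'])}")
```

Run against the constructed sample, 192.168.0.23 comes out on top with three attempts across ports 443, 80 and 8080; the host with a single hit is reported as well, because with a poorly detected bot one connection is enough to warrant pulling the machine off the network and cleaning it.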

    Author Closing Comment

    I received no further feedback on wireshark but it turned out that it wouldn't work in that particular infrastructure. On this occasion all the tools I needed were in the interface to the Netgear DG834 router.
