Spamhaus Blacklisting due to Win32/Zbot - need help identifying infected machine.

Posted on 2012-08-15
Medium Priority
Last Modified: 2013-11-22
The network has a standard Netgear DG834 router in place, and the operating systems are a mixture of Server 2003, Windows XP and Windows 7.

Got the Spamhaus message today that outgoing mail was blocked because our IP address is in the CBL. Usually I take a shotgun approach and lock down / scan all the nodes on the network; however, according to the Spamhaus explanation of the threat, this will probably not work with this particular virus, as it has a very poor detection rate with current AV software.

It suggests that I "search for TCP/IP connections going to IP address or (less often), usually destination port 80 or 443, but you should look for all ports." How do I go about doing this?

Many thanks in advance
Question by: VogueSoftware

Expert Comment

ID: 38298256
I suggest you use Wireshark to sniff traffic originating from some machines.
If you are able to view the NAT tables in your Netgear, that might be an even quicker method.

Author Comment

ID: 38298295
Thanks hagman,

I'll read up on Wireshark in a bit, but in the meantime can you tell me whether it runs on one machine and scans the entire network, or whether it has to run on the individual clients?

Author Comment

ID: 38298318
Just looking through the Netgear interface to see if I can find a way to view the NAT tables. The logs appear to be very limited in the information they display. Here is a screengrab of the main dashboard; see if anyone can spot anything I've missed.

Author Comment

ID: 38298390
Will Wireshark work on what is essentially a peer-to-peer network (as opposed to all clients being joined to a domain) and, if so, does it matter which machine I run it from?

Accepted Solution

VogueSoftware earned 0 total points
ID: 38575395
The procedure I followed for resolving this issue was to read the explanation in the Spamhaus / CBL report, which suggested the likely IP addresses that the infected machines would be attempting to contact.

I then created a firewall rule in the Netgear DG834 router to block and log any outbound traffic to this address. This allowed me both to identify the local IP address of the infected machine and to prevent any further outbound connections (and consequent relistings) while I was disinfecting the PC.
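One way to turn the router's block-and-log output into a list of suspects, as the accepted solution describes, written here as an added example rather than the asker's or Netgear's own code. The log format and the IP addresses are constructed and hypothetical, since the DG834's real log syntax and the CBL-listed address are not on the page; the script reports every internal host that tried to reach the listed address on any port, not only 80 and 443.

```python
import re

# Constructed sample lines in a hypothetical router log format; the real
# DG834 syntax is not shown on the page. 198.51.100.7 stands in for the
# C2 address named in the CBL report.
SAMPLE_LOG = """\
Aug 15 09:12:01 FW: blocked outbound TCP 192.168.0.23:49211 -> 198.51.100.7:80
Aug 15 09:12:07 FW: blocked outbound TCP 192.168.0.23:49214 -> 198.51.100.7:443
Aug 15 09:13:44 FW: allowed outbound TCP 192.168.0.12:51002 -> 203.0.113.5:443
Aug 15 09:14:02 FW: blocked outbound TCP 192.168.0.41:60000 -> 198.51.100.7:8080
Aug 15 09:15:30 FW: blocked outbound UDP 192.168.0.23:53012 -> 198.51.100.7:53
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) FW: (?P<action>\w+) outbound "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hosts_contacting(log_text, c2_ip):
    """Map each internal IP that tried to reach c2_ip to its attempt count,
    the destination ports used, and the first and last timestamps seen."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != c2_ip:
            continue
        entry = report.setdefault(
            rec["src"], {"count": 0, "ports": set(), "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["ports"].add(int(rec["dport"]))
        entry["last"] = rec["ts"]
    for entry in report.values():
        entry["ports"] = sorted(entry["ports"])
    return report


def rank_suspects(report):
    """Internal IPs ordered by number of attempts, most persistent first."""
    return sorted(report, key=lambda ip: report[ip]["count"], reverse=True)


if __name__ == "__main__":
    rep = hosts_contacting(SAMPLE_LOG, "198.51.100.7")
    for ip in rank_suspects(rep):
        e = rep[ip]
        print(f"{ip}: {e['count']} attempts, ports {e['ports']}, {e['first']} .. {e['last']}")
```

A host appearing with repeated attempts across several ports is the one to pull off the network and clean first; the script only points at hosts, so confirm on the machine itself before reimaging.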

Author Closing Comment

ID: 38590222
I received no further feedback on Wireshark, but it turned out that it wouldn't work in that particular infrastructure. On this occasion all the tools I needed were in the interface of the Netgear DG834 router.
