Solved

find infected client in network

Posted on 2014-01-09
Last Modified: 2014-01-14
Hi Experts,

when I check CBL, we are infected with a botnet.
But how to find the client in our network ?
We have nearly 400 clients .
Question by:Eprs_Admin
30 Comments
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39767651
Use a sniffer? Example http://www.wireshark.org/

Place it strategically (e.g. close to the perimeter where all traffic passes), set up the monitoring port, capture all traffic and try to trace the suspicious packets back to the infected device.

More info: http://wiki.wireshark.org/CaptureSetup/Ethernet
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 56 total points
ID: 39767666
Also block all clients sending email (TCP Port 25) from all IP addresses except your mail server(s) at your firewall.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 56 total points
ID: 39767675
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767881
Check event logs on server for ID 1708

This usually gives you the user who is infected and spamming the server.
0
 

Author Comment

by:Eprs_Admin
ID: 39767899
on which server ?
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767910
The exchange server
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767914
You may notice issues with mails being queued or generated when you look at your exchange mail queues
0
 

Author Comment

by:Eprs_Admin
ID: 39767935
where do I find the mail queue ?
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767940
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767941
That is of course if the infected client is sending out spam mails.
0
 

Author Comment

by:Eprs_Admin
ID: 39767974
On my Exchange I can just see some emails not sent, because of blacklisting.
But nothing strange on it.

No event logs with ID 1708.
0
 

Author Comment

by:Eprs_Admin
ID: 39767981
This is the message from CBL:

IP Address MY is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-01-09 09:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

This IP is infected with, or is NATting for a machine infected with s_ransomware

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_ransomware Command and Control server, with contents unique to s_ransomware C&C command protocols.

This was detected by a TCP/IP connection from MY on port 53446 going to IP address 173.193.197.194 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "evurqpbeuqxmwl.info".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 173.193.197.194 or host name evurqpbeuqxmwl.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 173.193.197.194 or evurqpbeuqxmwl.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-01-09 09:26:38 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users'/customers' personal information, including banking information, to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: your anti-virus software not finding anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

WARNING: If you continually delist MY without fixing the problem, the CBL will eventually stop allowing the delisting of MY.

If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us
0
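The CBL text above says the infected host is found by looking for connections to the sinkhole address or the C2 host name on any port, in sniffer output, DNS server logs or proxy logs, and by instrumenting the firewall so it reports which internal machine is connecting. As an added example, not from the thread or from CBL, the Python below runs that hunt over log lines in three assumed formats (BIND query log, Squid native access log, iptables LOG output) and groups the evidence per internal source address. The LAN ranges, the intermediary addresses 192.168.1.2 and 192.168.1.3, and every sample log line are constructed for the example.

```python
"""Hunt DNS, proxy and firewall logs for the sinkhole IP / C2 domain from a CBL listing.

Added example, not from the thread. Log formats are assumptions: BIND query log,
Squid native access log and iptables LOG lines. The sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

SINKHOLE_IP = "173.193.197.194"      # from the CBL message quoted in the thread
C2_DOMAIN = "evurqpbeuqxmwl.info"    # likewise

# Assumptions for the example: the LAN ranges, and the devices that resolve or proxy on
# behalf of clients. A hit whose source is one of these only proves that *some* client
# behind it was involved; the real client is in that device's own logs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERMEDIARIES = {"192.168.1.2": "internal DNS forwarder", "192.168.1.3": "web proxy"}

# BIND: "client 192.168.1.57#53412: query: evurqpbeuqxmwl.info IN A + (192.168.1.2)"
DNS_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN")
# Squid: "1389259598.812    120 192.168.1.57 TCP_MISS/200 512 GET http://host/path - DIRECT/ip type"
PROXY_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<src>[\d.]+)\s+\S+/\d+\s+\d+\s+\S+\s+(?P<url>\S+)")
# iptables LOG: "... SRC=192.168.1.57 DST=173.193.197.194 ... PROTO=TCP SPT=53446 DPT=80 ..."
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)(?:.*?DPT=(?P<dpt>\d+))?")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return (src_ip, kind, detail) if the line references an indicator, else None."""
    m = DNS_RE.search(line)
    if m:
        name = m.group("name").rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            return m.group("src"), "dns", f"resolved {name}"
        return None
    m = FW_RE.search(line)
    if m:
        if m.group("dst") == SINKHOLE_IP:          # any destination port counts
            return m.group("src"), "firewall", f"connection attempt to {SINKHOLE_IP} port {m.group('dpt') or '?'}"
        return None
    m = PROXY_RE.match(line)
    if m:
        url = m.group("url")
        if C2_DOMAIN in url.lower() or SINKHOLE_IP in url:
            return m.group("src"), "proxy", f"requested {url}"
    return None


def hunt(lines):
    """Map each internal source address to the evidence found for it."""
    hits = defaultdict(list)
    for line in lines:
        found = classify(line)
        if found is None:
            continue
        src, kind, detail = found
        if not is_internal(src):
            continue                                # the public NAT address tells us nothing new
        hits[src].append({"kind": kind, "detail": detail, "via": INTERMEDIARIES.get(src)})
    return dict(hits)


def report(hits):
    """Readable lines: direct suspects first, intermediaries flagged for follow-up."""
    out = []
    for src in sorted(hits, key=lambda s: (hits[s][0]["via"] is not None, s)):
        for ev in hits[src]:
            tag = f"  (check the {ev['via']}'s own logs for the real client)" if ev["via"] else ""
            out.append(f"{src}: {ev['kind']}: {ev['detail']}{tag}")
    return out


# Constructed sample lines (not real logs); timestamps follow the CBL detection time.
SAMPLE_LOGS = [
    "09-Jan-2014 09:26:37.501 queries: info: client 192.168.1.57#53412: query: evurqpbeuqxmwl.info IN A + (192.168.1.2)",
    "09-Jan-2014 09:26:37.700 queries: info: client 192.168.1.88#50211: query: www.example.com IN A + (192.168.1.2)",
    "1389259598.812    120 192.168.1.57 TCP_MISS/200 512 GET http://evurqpbeuqxmwl.info/gate.php - DIRECT/173.193.197.194 text/html",
    "Jan  9 09:26:38 fw kernel: BOT-C2 IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=173.193.197.194 LEN=60 TTL=63 PROTO=TCP SPT=53446 DPT=80 SYN",
    "Jan  9 09:26:40 fw kernel: BOT-C2 IN=eth1 OUT=eth0 SRC=192.168.2.13 DST=173.193.197.194 LEN=60 TTL=63 PROTO=TCP SPT=41002 DPT=443 SYN",
    "09-Jan-2014 09:30:00.000 queries: info: client 192.168.1.2#40000: query: evurqpbeuqxmwl.info IN A - (192.168.1.10)",
]

if __name__ == "__main__":
    for line in report(hunt(SAMPLE_LOGS)):
        print(line)
```

On real data, pass an open log file (or a concatenation of several) to `hunt()`. The last sample line shows the trap the CBL note hints at: when workstations resolve through an internal forwarder, any log taken upstream of that forwarder (a DMZ resolver, the firewall) names the forwarder, not the workstation, so the query log on the forwarder itself is the one that identifies the client.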
 

Author Comment

by:Eprs_Admin
ID: 39767985
What can I do now ?
The botnet tries to steal banking data.
Should I block all traffic to this IP ?
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767987
Ok,

not hitting exchange then. Shame as that can be a good way of telling who is infected.

Ok, have you tried using tcpview and tcpvcon?

You can find a good article here with download links to tcpview and tcpvcon both:

http://cbl.abuseat.org/advanced.html
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39767990
Yes, for now stop traffic. You need to minimise damage until you can find the culprit.
0
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39767992
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 173.193.197.194 or host name evurqpbeuqxmwl.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 173.193.197.194 or evurqpbeuqxmwl.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.


Like I said, Wireshark will be your best bet I think ...
0
 

Author Comment

by:Eprs_Admin
ID: 39767999
On the firewall I created a policy to scan traffic from inside to the botnet IP.
Up to now there is no traffic yet.
0
 

Author Comment

by:Eprs_Admin
ID: 39768016
with wireshark, can I scan my whole network from my station ?
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39768040
with wireshark, can I scan my whole network from my station ?

If you have a switch where all traffic runs through you could put a port in monitor mode and scan all traffic that goes over the switch... Or you can place yourself in some strategic place and scan sections of the network.
0
 

Author Comment

by:Eprs_Admin
ID: 39768111
ok, my servers are all connected to the main switch, also the firewall is connected here.
So I can install wireshark on a server and scan all, right ?
0
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 224 total points
ID: 39768124
Hi

I have not verified this bit of software, but might help get you sorted?:

http://www.bothunter.net/
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39768375
ok, my servers are all connected to the main switch, also the firewall is connected here.
So I can install wireshark on a server and scan all, right ?

You can do it like that, best is to take a laptop with Wireshark on it and connect it to this main switch, just make sure that the port where Wireshark is connected is in monitor mode, otherwise you will not see all traffic.
0
 

Author Comment

by:Eprs_Admin
ID: 39768387
Ok, hopefully I can set these port settings on an HP switch.
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39768741
0
 
LVL 25

Accepted Solution

by:
Fred Marshall earned 28 total points
ID: 39768776
I generally monitor (mirror) ports one at a time... but that's for a smaller bank.
If you monitor a focal point port (going to the firewall for example) then you should be able to see almost all the traffic right there and should be able to ascertain the LAN IP address(es) that are involved in the rogue traffic.
The trade-off between monitoring various ports is that the port to the firewall will have LOTS of packets and the port to a single computer will have less.  You can always start with more, in that it shouldn't take much time to figure out what's going on.
0
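The point of mirroring the firewall-facing port, as Fred Marshall describes, is that a capture taken there still shows the LAN-side source addresses before NAT rewrites them. As an added example that is not from the thread, the Python below constructs a small classic pcap of the kind a Wireshark or tcpdump capture on that mirror port would produce, then parses it with the standard library only and counts frames to the sinkhole per source MAC, source IP and destination port. The MAC addresses, IPs and frames are constructed for the example; in Wireshark itself the equivalent display filter is `ip.addr == 173.193.197.194`.

```python
"""Attribute sinkhole traffic in a mirror-port capture to a LAN host (MAC + IP).

Added example, not from the thread. Parses classic pcap + Ethernet/IPv4/TCP/UDP with the
standard library only; the capture below is constructed in code, not a real one.
"""
import struct
from collections import Counter

SINKHOLE_IP = "173.193.197.194"     # sinkhole address from the CBL listing in the thread

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1          # a big-endian file's magic as read with "<I"
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, proto=TCP):
    """Ethernet + IPv4 + minimal TCP/UDP header, no payload. Checksums stay zero:
    the parser never validates them and this is constructed test data."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == TCP else 4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ipv4 + l4


def build_pcap(frames, t0=1389259598):
    """Classic little-endian pcap, the format tcpdump -w and Wireshark write by default."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (timestamp, frame bytes) from a classic pcap, honouring its byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts, pcap[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (src_mac, src_ip, dst_ip, proto, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length, options included
    proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (TCP, UDP) and len(l4) >= 4 else None
    return src_mac, src_ip, dst_ip, proto, dport


def find_suspects(pcap, indicator_ip=SINKHOLE_IP):
    """Count frames addressed to the sinkhole, keyed by (src MAC, src IP, dst port).
    Every port counts: the CBL note says the identifying traffic is not on 25."""
    suspects = Counter()
    for _ts, frame in iter_frames(pcap):
        d = decode(frame)
        if d and d[2] == indicator_ip:
            suspects[(d[0], d[1], d[4])] += 1
    return suspects


# Constructed capture: two hosts talking to the sinkhole, one clean host, one DNS lookup.
FIREWALL_MAC = "02:00:00:00:00:fe"
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", FIREWALL_MAC, "192.168.1.57", SINKHOLE_IP, 53446, 80),
    build_frame("02:00:00:00:00:02", FIREWALL_MAC, "192.168.1.88", "93.184.216.34", 40001, 443),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:10", "192.168.1.57", "192.168.1.2", 51000, 53, UDP),
    build_frame("02:00:00:00:00:01", FIREWALL_MAC, "192.168.1.57", SINKHOLE_IP, 53447, 80),
    build_frame("02:00:00:00:00:03", FIREWALL_MAC, "192.168.2.13", SINKHOLE_IP, 41002, 443),
]

if __name__ == "__main__":
    for (mac, ip, port), n in find_suspects(build_pcap(SAMPLE_FRAMES)).most_common():
        print(f"{ip} ({mac}) -> {SINKHOLE_IP}:{port}  {n} frame(s)")
```

Keeping the source MAC alongside the IP is deliberate: a DHCP lease can move the IP, but the MAC is what the switch's MAC address table maps to a physical port, which is how you walk from the capture to the desk. And if the only source you ever see is the firewall's own MAC with the public address, the mirror is on the WAN side of the NAT and has to be moved to the LAN side.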
 

Author Comment

by:Eprs_Admin
ID: 39770512
Do you maybe have a simple manual for Wireshark?
I just want to scan only the destination IP.
0
 

Author Comment

by:Eprs_Admin
ID: 39770537
Strange is, today we are not listed on CBL, but when I check mxtoolbox.com, we are still listed.
Do you know why ?
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39770566
You could try with a display filter like this:

ip.addr == 173.193.197.194

or

ip.dst == 173.193.197.194

This will filter the traffic to show only that IP address ...
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 192 total points
ID: 39770601
strange is, today we are not listed on CBL, but when I check mxtoolbox.com, we are still listed.
Do you know why ?

Maybe it was a false positive? Or someone de-listed it already... It can take a while to be removed from all black-list services.
0
 

Author Comment

by:Eprs_Admin
ID: 39778656
Thanks for all your help, we found some machines with trojans.
0