I think the Russians are invading. I need some help asap on an issue we are having with the composite blocking list - a public blacklisting site many email servers use (I guess) to check for viruses/spam/etc.
Background: We are a telephone answering service that sends out around 3000 legitimate emails a day in messages to our customers using an internal pop3 service on our windows server 2003 machine. A few days ago, some of our customers complained about not getting their emails, but some were. It turns out in an error message, I was told to go to spamhaus.org, and check my IP. Upon checking with spamhaus.org, it turns out our IP had been blacklisted by the composite blocking list. Upon punching in our public IP address to cbl.abuseat.org, I got the following message:
IP Address ***.***.***.*** is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-03-22 13:00 GMT (+/- 30 minutes), approximately 1 hours ago.
It has been relisted following a previous removal at 2014-03-21 20:02 GMT (18 hours, 17 minutes ago)
This IP address is infected with, or is NATting for a machine infected with Feodo.
Feodo (also known as Bugat) is a banking trojan aimed to steal credentials for online banking accounts. It spreads through hijacked websites (drive-by exploits) and malicious email attachements.
The CBL detection is being made using sinkholing techniques.
This was detected by a TCP/IP connection from ***.***.***.*** on port 60679 going to IP address 220.127.116.11 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "europastewmk.ru".
This is going to be a big pain in the buttocks. The reason is, we have probably 25 computers internally using that public IP address for their web access. I'm assuming that any one of these computers could be infected with Feodo (or Bugat). I'm focusing in on the email servers - of which we have 2. Both are running server 2003. One has Microsoft exchange server running on it as well. For sending our customers their messages, we chose to just use a the internal pop3 service that comes with server 2003 because we use active directory and it was easy to setup.
I had a few questions:
1) I'm installed wireshark on our email server and am using it to listen to network traffic to try to find the internal source IP when the worm calls home to the 18.104.22.168 address using the command ip.dst==22.214.171.124, and so far it hasn't been able to find anything. Am I using the right wireshark command? Does wireshark listen to all the internal network traffic, or only the network traffic relevant to the email server?
2) This trojan is apparently pretty hard to detect. I've tried a few AV programs and they've turned up nothing.
3) I'm having another issue with wireshark. After about 30 minutes of running, the program shuts down. I get an error: "Microsoft Visual C++ Runtime Library: Runtime Error! Program: This application has requested the Runtime to terminate it in an unusual way." The program that requested it to shutdown wireshark doesn't appear to be listed, so I think something funny might be going on there as well.
Here's the primary features of this malware. It doesn't make sense why our public IP address would be blacklisted for emails as it doesn't look like the malware has anything to do with email servers?
1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages. What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC. These web forms and the data inside them will be intercepted well before its gets encapsulated into HTTPS. All the information including login credentials will be in hands of bot herders in plain text.
2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML. This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN numbers, Social Security number etc.
3. It can also steal HTML pages from your browsing sessions. Sound strange? Well for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server. Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page. Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page. By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.
Thanks for helping me with this issue guys. It looks to be a huge pain to just locate this work, much less remove it....so any advice is greatly appreciate.