Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


HELP! Our Public IP Address blacklisted due to Feodo Trojan + Wireshark Help

  • This topic is locked This topic is locked
3 replies to this topic

#1 jdlev


  • Members
  • 11 posts
  • Local time:06:54 AM

Posted 22 March 2014 - 09:54 AM

Hi Guys,


I think the Russians are invading.  I need some help asap on an issue we are having with the composite blocking list - a public blacklisting site many email servers use (I guess) to check for viruses/spam/etc.


Background:  We are a telephone answering service that sends out around 3000 legitimate emails a day in messages to our customers using an internal pop3 service on our windows server 2003 machine.  A few days ago, some of our customers complained about not getting their emails, but some were.  It turns out in an error message, I was told to go to spamhaus.org, and check my IP.  Upon checking with spamhaus.org, it turns out our IP had been blacklisted by the composite blocking list.  Upon punching in our public IP address to cbl.abuseat.org, I got the following message:


IP Address ***.***.***.*** is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-03-22 13:00 GMT (+/- 30 minutes), approximately 1 hours ago.

It has been relisted following a previous removal at 2014-03-21 20:02 GMT (18 hours, 17 minutes ago)

This IP address is infected with, or is NATting for a machine infected with Feodo.

Feodo (also known as Bugat) is a banking trojan aimed to steal credentials for online banking accounts. It spreads through hijacked websites (drive-by exploits) and malicious email attachements.


The CBL detection is being made using sinkholing techniques.

This was detected by a TCP/IP connection from ***.***.***.*** on port 60679 going to IP address (the sinkhole) on port 80.

The botnet command and control domain for this connection was "europastewmk.ru".

This is going to be a big pain in the buttocks.  The reason is, we have probably 25 computers internally using that public IP address for their web access.  I'm assuming that any one of these computers could be infected with Feodo (or Bugat).  I'm focusing in on the email servers - of which we have 2.  Both are running server 2003.  One has Microsoft exchange server running on it as well.  For sending our customers their messages, we chose to just use a the internal pop3 service that comes with server 2003 because we use active directory and it was easy to setup.  


I had a few questions:


1)  I'm installed wireshark on our email server and am using it to listen to network traffic to try to find the internal source IP when the worm calls home to the address using the command ip.dst==, and so far it hasn't been able to find anything.  Am I using the right wireshark command?  Does wireshark listen to all the internal network traffic, or only the network traffic relevant to the email server?


2) This trojan is apparently pretty hard to detect.  I've tried a few AV programs and they've turned up nothing.

3) I'm having another issue with wireshark.  After about 30 minutes of running, the program shuts down.  I get an error:  "Microsoft Visual C++ Runtime Library:  Runtime Error!  Program:  This application has requested the Runtime to terminate it in an unusual way."  The program that requested it to shutdown wireshark doesn't appear to be listed, so I think something funny might be going on there as well.


Additional Information:


Here's the primary features of this malware.  It doesn't make sense why our public IP address would be blacklisted for emails as it doesn't look like the malware has anything to do with email servers?

1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages.  What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC.  These web forms and the data inside them will be intercepted well before its gets encapsulated into HTTPS.  All the information including login credentials will be in hands of bot herders in plain text.

2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML.  This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN numbers, Social Security number etc.

3. It can also steal HTML pages from your browsing sessions.  Sound strange?  Well for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server.  Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page.  Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page.  By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.

Thanks for helping me with this issue guys.  It looks to be a huge pain to just locate this work, much less remove it....so any advice is greatly appreciate.  :)


BC AdBot (Login to Remove)


#2 jdlev

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:54 AM

Posted 25 March 2014 - 10:47 AM

So I've tried a few things and nothing has worked.


A) Monitored port 25 traffic on the webserver using wireshark, and changed the port the exchange server was using to 2525, and found that there were bogus emails going out because they were bouncing back to the administrator accounts email address saying the email couldn't be delivered.  Also found these connections were coming from bulgaria of all places.


B) We complete shut down our exchange server and iis 6 web server figuring it was a security leak.  We then delisted ourselves from the CBL list.  It didn't work, though it does appear it took us longer to get reblacklisted (about 20 hours compared to it normally only taking about 4 hours), which indicates that we either have multiple internal infections or this server was not infected.  It could just be spammers who got ahold of the server's relaying information.

C) When we get reblacklisted on the CBL, the infection is detected using the sinkhole technique.  It always says the same thing on cbl.abuseat.org.  The virus is trying to contact and the address europastewmk.ru.  


D) Checked connections to the our two primary servers using netstat -nap, and didn't see anything.  I think the only thing that proves is that we didn't have a hacker using a RAT (I think)


Here's my biggest question:


We've got a smart switch that allows us to sniff network traffic. The switch has three settings. Sniffer mode, Sniffer port, and Source port. I'm going to have the sniffer mode set to Rx & Tx (to monitor both inbound and outbound traffic), the sniffer port I'm going to set to the port that is connected to the computer running wireshark, and the source port, I'm going to connect the router to. My understanding then is that I can then setup wireshark to listen to all network traffic going over the router. Is that correct?


Thanks for any help!

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,760 posts
  • Gender:Male
  • Local time:07:54 AM

Posted 27 March 2014 - 09:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/528331 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,760 posts
  • Gender:Male
  • Local time:07:54 AM

Posted 01 April 2014 - 10:00 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users