HELP! Our Public IP Address blacklisted due to Feodo Trojan + Wireshark Help



#1 jdlev (Members, 11 posts)

Posted 22 March 2014 - 09:54 AM

Hi Guys,

 

I think the Russians are invading.  I need some help asap on an issue we are having with the composite blocking list - a public blacklisting site many email servers use (I guess) to check for viruses/spam/etc.

 

Background:  We are a telephone answering service that sends out around 3000 legitimate emails a day in messages to our customers using an internal pop3 service on our windows server 2003 machine.  A few days ago, some of our customers complained about not getting their emails, but some were.  It turns out in an error message, I was told to go to spamhaus.org, and check my IP.  Upon checking with spamhaus.org, it turns out our IP had been blacklisted by the composite blocking list.  Upon punching in our public IP address to cbl.abuseat.org, I got the following message:

 

IP Address ***.***.***.*** is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-03-22 13:00 GMT (+/- 30 minutes), approximately 1 hour ago.

It has been relisted following a previous removal at 2014-03-21 20:02 GMT (18 hours, 17 minutes ago)

This IP address is infected with, or is NATting for a machine infected with Feodo.

Feodo (also known as Bugat) is a banking trojan aimed to steal credentials for online banking accounts. It spreads through hijacked websites (drive-by exploits) and malicious email attachments.

 

The CBL detection is being made using sinkholing techniques.

This was detected by a TCP/IP connection from ***.***.***.*** on port 60679 going to IP address 87.255.51.229 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "europastewmk.ru".

This is going to be a big pain in the buttocks.  The reason is, we have probably 25 computers internally using that public IP address for their web access.  I'm assuming that any one of these computers could be infected with Feodo (or Bugat).  I'm focusing in on the email servers - because it states that the virus is spread through malicious email attachments.  Both are running Server 2003.  One has Microsoft Exchange Server running on it as well.  For sending our customers their messages, we chose to just use the internal POP3 service that comes with Server 2003 because we use Active Directory and it was easy to set up.
 

 

I had a few questions:

 

1)  I've installed Wireshark on our email server and am using it to listen to network traffic to try to find the internal source IP when the worm calls home to the 87.255.51.229 address using the command ip.dst==87.255.51.229, and so far it hasn't been able to find anything.  Am I using the right Wireshark command?  Does Wireshark listen to all the internal network traffic, or only the network traffic relevant to the email server?

 

2) This trojan is apparently pretty hard to detect.  I've tried a few AV programs and they've turned up nothing.
 

3) I'm having another issue with Wireshark.  After about 30 minutes of running, the program shuts down.  I get an error:  "Microsoft Visual C++ Runtime Library:  Runtime Error!  Program:  This application has requested the Runtime to terminate it in an unusual way."  The program that requested it to shut down Wireshark doesn't appear to be listed, so I think something funny might be going on there as well.

 

Additional Information:

 

Here are the primary features of this malware.  It doesn't make sense why our public IP address would be blacklisted for emails, as it doesn't look like the malware has anything to do with email servers?
 

1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages.  What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC.  These web forms and the data inside them will be intercepted well before it gets encapsulated into HTTPS.  All the information including login credentials will be in the hands of bot herders in plain text.

2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML.  This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN numbers, Social Security number etc.

3. It can also steal HTML pages from your browsing sessions.  Sound strange?  Well for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server.  Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page.  Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page.  By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.

Thanks for helping me with this issue guys.  It looks to be a huge pain to just locate this worm, much less remove it...so any advice is greatly appreciated.   :)


Edited by jdlev, 22 March 2014 - 10:20 AM.
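Added example for this thread (not code from jdlev's post or from the CBL): the CBL listing quoted above contains everything needed to map the sinkhole hit back to one LAN host behind the NAT, provided the firewall logs its NAT translations and the internal DNS server logs queries. On a switched LAN, Wireshark running on the mail server only sees that server's own traffic plus broadcasts, so the NAT device's connection log, a SPAN/mirror port, or the DNS server's query log is where the internal source appears. The script correlates the sinkhole IP and port, the reported NAT source port (60679), the stated +/- 30 minute detection window and the C2 domain against constructed firewall and DNS log lines; the log formats, the placeholder public IP 203.0.113.10 and the 192.168.1.x addresses are assumptions made for the example.

```python
"""Map a CBL sinkhole hit back to the LAN host behind NAT.

Added example for this thread, not code from the original post or from CBL.
The CBL report names the public IP, the sinkhole (87.255.51.229:80), the NAT
source port (60679), a detection time (13:00 GMT +/- 30 min) and the C2 domain.
The firewall's NAT log and the internal DNS query log are assumed to exist and
to use the constructed one-line formats shown below.
"""
import re
from datetime import datetime, timedelta

# Values taken from the CBL report quoted in the post.
SINKHOLE_IP = "87.255.51.229"
SINKHOLE_PORT = 80
REPORTED_SRC_PORT = 60679
C2_DOMAIN = "europastewmk.ru"
DETECTED_AT = datetime(2014, 3, 22, 13, 0)   # GMT
WINDOW = timedelta(minutes=30)                # CBL's stated +/- 30 minutes

# Constructed firewall NAT log (assumed format):
# "<UTC ts> NAT <lan_ip>:<lan_port> -> <public_ip>:<nat_port> -> <dst_ip>:<dst_port>"
# 203.0.113.10 stands in for the masked public IP; LAN addresses are made up.
FIREWALL_LOG = """\
2014-03-22 09:15:22 NAT 192.168.1.12:3200 -> 203.0.113.10:58800 -> 87.255.51.229:80
2014-03-22 12:41:07 NAT 192.168.1.37:1312 -> 203.0.113.10:60679 -> 87.255.51.229:80
2014-03-22 12:41:08 NAT 192.168.1.20:2001 -> 203.0.113.10:60680 -> 198.51.100.5:443
2014-03-22 14:05:00 NAT 192.168.1.37:1401 -> 203.0.113.10:61002 -> 87.255.51.229:80
"""

# Constructed internal DNS query log (assumed format):
# "<UTC ts> QUERY <client_ip> <name> <qtype>"
DNS_LOG = """\
2014-03-22 12:40:59 QUERY 192.168.1.37 europastewmk.ru A
2014-03-22 12:41:00 QUERY 192.168.1.20 mail.example.com A
2014-03-22 14:04:55 QUERY 192.168.1.37 europastewmk.ru A
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) NAT (?P<lan_ip>[\d.]+):(?P<lan_port>\d+) -> "
    r"(?P<pub_ip>[\d.]+):(?P<nat_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)
DNS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) QUERY (?P<client>[\d.]+) (?P<name>\S+) (?P<qtype>\S+)$"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def sinkhole_connections(fw_log):
    """Every NAT translation whose destination is the sinkhole: (lan_ip, nat_port, ts)."""
    hits = []
    for line in fw_log.splitlines():
        m = NAT_RE.match(line)
        if m and m["dst_ip"] == SINKHOLE_IP and int(m["dst_port"]) == SINKHOLE_PORT:
            hits.append((m["lan_ip"], int(m["nat_port"]), _ts(m["ts"])))
    return hits


def exact_match(fw_log):
    """LAN hosts whose translation used the exact NAT port CBL reported, inside the
    detection window. NAT ports get recycled, so the window and the destination
    are what make the port number meaningful."""
    return sorted({ip for ip, port, ts in sinkhole_connections(fw_log)
                   if port == REPORTED_SRC_PORT and abs(ts - DETECTED_AT) <= WINDOW})


def c2_resolvers(dns_log):
    """LAN clients that asked the internal resolver for the C2 domain."""
    clients = set()
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m["name"].rstrip(".").lower() == C2_DOMAIN:
            clients.add(m["client"])
    return sorted(clients)


def triage(fw_log, dns_log):
    """Combine the evidence. Anything in sinkhole_contacts or c2_resolvers is a
    suspect even when it is not the host behind the one connection CBL reported."""
    return {
        "exact_match": exact_match(fw_log),
        "sinkhole_contacts": sorted({ip for ip, _, _ in sinkhole_connections(fw_log)}),
        "c2_resolvers": c2_resolvers(dns_log),
    }


if __name__ == "__main__":
    for key, hosts in triage(FIREWALL_LOG, DNS_LOG).items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

Two design points. First, the NAT source port on its own is weak evidence because the translation table reuses ports; the script only treats it as an exact match when the timestamp falls inside the window CBL states and the destination is the sinkhole. Second, every host that ever reached the sinkhole or resolved the C2 name is listed, not just the one behind the reported connection, because the report shows a relisting after a previous removal, which is what repeated beaconing from an uncleaned machine looks like. If the NAT device does not log translations at all, the equivalent Wireshark display filter on a mirror port is ip.addr == 87.255.51.229 || dns.qry.name == "europastewmk.ru".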



#2 Oh My! (Malware Response Instructor, 35,558 posts, California)

Posted 24 March 2014 - 06:03 PM

Topic handled here http://www.bleepingcomputer.com/forums/t/528331/help-our-public-ip-address-blacklisted-due-to-feodo-trojan-wireshark-help/
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My! (Malware Response Instructor, 35,558 posts, California)

Posted 24 March 2014 - 06:03 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary



