Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spamhaus says I am infected with bots - suggests network analysis


  • Please log in to reply
2 replies to this topic

#1 BlackArrow

BlackArrow

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 23 August 2016 - 03:42 PM

I apologize in advance, for the length of this post, but without including a lot of contextual detail, I’m not sure my questions would make much sense. But just in case, I’ll list the questions first and provide the context afterward.

 

Questions:

  1. Every few days, Spamhaus says my ip is communicating with one of several ip addresses or ports, and I want some way to either confirm that or disprove it. I am using Wireshark with a capture filter of “host 104.244.14.252 || host 38.102.150.27 || host 212.227.252.198 || tcp portrange 16464-16471”.  I think this should tell me whether my computer is making these communications, but it won’t capture anything from the other two computers on my network or anything that is being transmitted directly from my router. I could run Wireshark on the other two computers also, but is there any way to capture traffic originating from my router to one of these destinations?
  2. I have a dynamic ip that sometimes changes several times per day, and I check every hour to see if it has changed. I compare the time of my ip assignments with Spamhaus’s blacklist times, to see if a violation occurs while I had ownership of the ip. If I have ip address X at 7:00 and still have it at 8:00 and a violation occurs at 7:30, I assume it was my violation, even though my ip address could have been changed to Y at 7:05 and changed back to X at 7:55 and I wouldn’t know it. How likely is this to occur?
  3. My ip always begins with 72.168.176.xxx and the xxx varies from 1 to 130. Given that almost every ip in that range is on Spamhaus’s list as making a malicious communication within the previous 3 days, and almost all of the violations occurred at a time when the ip was not assigned to me, how likely is it that my ISP, HughesNet, is at fault?
  4. I was thinking of trying to lease a static ip from HughesNet to make sure that any problems picked up by Spamhaus are really mine, but I am told that static ip addresses are easier to attack and I obviously don’t know a lot about network security, so I’d like to avoid that situation. How big a concern is that?
  5. Does anyone have any better suggestions for tracking down whether I am really infected and determining the source of my infection? Is there another forum where I might be able to get a better response?

 

Background

I am a regular residential user with 3 computers wirelessly connected to my Netgear Nighthawk router.  On July 26, I started getting an error message that said “Too many messages sent” when I tried to send email. After much research, trial and error, and collaboration with various tech support people and message boards, I discovered we were on the Composite Blocking List (CBL) blacklist run by Spamhaus, https://www.spamhaus.org/lookup/,  because malicious communications were being sent from the ip address assigned to me, and had been intercepted by a “sinkhole” monitored by Spamhaus. As I understand the material on their website when I look up my ip, it says my computer is infected with some sort of malware (so far, it has always said Conficker, s_gozi, or ZeroAccess) and that it is causing my ip address to send out malicious communications that are being intercepted by a sinkhole. I seem to be experiencing more download traffic than usual, but other than the detections by CBL, there aren’t any solid problems that I’ve noticed on my computers, but I’m very concerned about the security of my personal and financial data, being compromised by malware.

 

 I used various anti-malware scanning tools to try to detect the problem including McAfee, Microsoft Malicious Software Removal Tool, TDSSKiller, Norton Power Eraser, and Sophos Virus Removal Tool. None of them were able to detect a threat on any of my computers. I tried wiping my hard disk and reinstalling Windows several times and still get violations detected by CBL at a time that only the “clean”computer was attached to the network. I also reset my router to factory defaults, disabled UPnP, and made sure my firmware was up-to-date. I have tried talking to various local computer consultants and have not been able to find anyone who has the expertise to analyze my network traffic for anything suspicious.

 

One of the experts on Bleeping’s Anti-malware subforum spent about two weeks helping me to scan for evidence of an infection and we couldn’t find anything. Since this type of malware is notoriously difficult to detect using scanning software and since Spamhaus recommends using network analysis tools, he suggested that I make a post on the Network forum.

 

Spamhaus’s Composite Blocking LIST (CBL)

 Spamhaus maintains the Composite Blocking List (CBL) of ip addresses it observes making malicious communications. If there’s anyone willing to take the trouble to look, here are two examples of the kinds of information available at CBL. If you go to https://www.spamhaus.org/lookup/, and look up an ip address which was assigned to me, it will appear in red. If you click on the link to CBL, and enter a captcha, it will say they detected a malicious communication from that ip at a certain time and gives details about the type of infection, and the ip address or port over which my ip was observed sending the communications. Here are two example ip’s: 72.168.176.40 and 72.168.176.110.

 

I managed to find an email address for them, but they usually don’t respond and when they do it isn’t usually very helpful. Essentially they just reiterate that my network is infected with malware/Trojans/worms etc. and that it is my responsibility to fix it.

 

They only seem to observe a malicious communication from an ip assigned to me once every few days. According to their website, these kinds of malware are usually not detected by Anti-malware or anti-virus scans and the best way to locate them is by analyzing network traffic. They suggest Wire Shark and NMap. Although both are above my skill level, I managed to set up a rudimentary capture filter in Wireshark that would hopefully log any communications I make to the ip addresses or ports identified by Spamhaus.

 

 My ISP and IP Address

I have a satellite internet connection. My ISP is HughesNet and they use dynamic ip allocation. My outside ip address always starts with 72.168.176.xxx and the last number varies depending on when I last reset my router, the weather, or on some factor completely beyond my control. Almost every ip address in the range beginning with 72.168.176.1 thru 72.168.176.130 is on CBL’s list.

 

If I delist my ip address at CBL then for the time that I am able to retain that ip address without it being changed on me, then CBL usually does not report any problems with the ip that is assigned to me for several days. But soon after my computer releases that ip, the ip that had recently been assigned to me becomes tainted, and because almost every ip in the range that begins with 72.168.176 is already on CBL’s list, then more than likely the new address that is assigned to me is already tainted before I get it.

 

It seems to me that HughesNet should know who was assigned which ip address at which time and by comparing that list with the list of CBL detections they should be able to identify that customer and place restrictions on him so that he doesn’t contaminate the entire pool of addresses in the 72.168.176.xxx range. However, I am apparently one of the culprits.

 

HughesNet insists that there is nothing wrong on their side, and all they do is carry out the instructions sent to them by my computer or router. So if the problem does have anything to do with HughesNet, it will be up to me to provide compelling proof, before I might be able to get anyone to do something about it.

 



BC AdBot (Login to Remove)

 


#2 Trikein

Trikein

  • Members
  • 1,321 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rhode Island, US
  • Local time:10:35 AM

Posted 24 August 2016 - 08:26 AM

Haven't read your entire post, but don't believe a word spamhaus says. They blacklist entire ISPs and hold their customers hostage until the ISP pays money. It's a scam. Not saying you do or not have problems (I will finish reading and edit) but take what ever they say with a grain of salt. They just want money.



#3 BlackArrow

BlackArrow
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 25 August 2016 - 08:27 AM

Thanks for the comment. I was under the impression that they were a reputable organization that monitored communication with command and control centers of bots and/or spam.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users