Tuesday, 27 April 2010

Blacklisted, Router Spam, Rootkits, Worms

A client has been infected by something nasty... email is not getting through to clients due to blacklisting...

1)  www.mxtoolbox.com  - Lookup the mail server MX record, check for blacklisting.  Find out the date that it happened and any reasons you can find.
2)  Find/fix the infected PC...  As I work remote, I set up a batch file that users can run... 
tasklist /svc > s:\%computername%-tasks.txt
netstat -nabvo > s:\%computername%-netstat.txt
;pause    [ remove commenting semi-colon if you want to]
This assumes there is an S: drive - replace with a network drive letter that you have access to - and save the file as something like 's:\commands.bat'.  Ask someone to run it on all computers.

Check each -netstat.txt file for numerous connections being made where there is a :25 after the Foreign Address (search the text file for ':25').

I've found one PC making such connections...
TCP       SYN_SENT        700
  -- unknown component(s) --
This suggests a dodgy mswsock.dll or software running that is spamming out.  I have checked the other PCs and none of them are infected.  So now to Remote Connect (RDP) into the PC and have a look.

No processes running ... rootkit? .. Ran MalwareBytes' Anti-Malware and found Adware.Starware ... Security Center warning if no Firewall or Antivirus was disabled... AVG looks like it got a random letter named dll file...  and I found Run settings ('rundll32 /dll, startup' in both Local Machine and Local User / Software/Microsoft/Windows/CurrentVersion/Run ... AVG reports the Hiloti... does that send out on smtp?  there's also another file reported as Trojan Horse Generic 17.BEDK.   Adobe monxga32.exe... not Adobe but in a folder called 'Startup' in the Adobe menu group in the Start Menu.

ThePhone.coop has still not responded with a Smart Host for relaying emails... which means their clients will not get their emails... Surely the service assistant didn't need to ask an engineer to call me back just to tell me the name of their Smart Host?

Anti-Malware found 109 issues.. but nothing substantial...  now running AVG's Rootkit Search...  That has not fixed it...  Computer rebooted and still infected.

I have connected to the router and added a new rule to block all SMTP Port 25 traffic from all LAN addresses except the server to any address on the internet.  That will stop the blacklisting organisations from blocking us... and will stop anyone else getting dodgy emails from us.

Now I can remote desktop back into the computer and have another good go at it ...

Strangely 'tasklist /svc' reveals that it is Process ID 708 that is sending smtp packets out.  ID 708 is Services.exe.  Tasklist reveals that Services.exe is a host for Eventlog and PlugPlay.

Sysinternals' Process Explorer with a filter of 'Path contains :smtp' also reveals ID 708.   But it also shows that the operation is TCP Disconnect and TCP Reconnect - which means the router block is working.   There's one inetinfo.exe in there sending smtp to localhost ... which throws the possibility of IISADMIN, SMTPSVC and W3SVC involvement.

Sysinternals' RootkitRevealer (RKR) has found quite a few results...
HKU\1-5-21-nnn..nnnn\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\... ...HRZR_EHACVQY:uggc://vzntrf.tbbtyr.pbz/ ... etc
Further investigation discounts this as suspicious...
1) {75048700-EF1F-11D0-9888-006097DEACF9} is the CLSID for ActiveDesktop - so all these entries are Operating System entries.
2) HRZR_EHACVQY:uggc://vzntrf.tbbtyr.pbz/ is ROT13 encoding for UEME_RUNPIDL:http://images.google.com/

Also see Didier Stevens UserAssist Tool for an easier decryption of these UserAssist entries.

Null containing registry entries found by RKR such as in the hklm\security hive SAC* SAI* and SCM* have the same date (maybe) as the computer was installed... something to do with password hiding perhaps...

HKLM\Software .. Microsoft SQL Server .. apparently this is logged by RKR because SQL often changes quickly whilst the registry is being read.. so comparing it can often show innocent discrepancies.
These have the same names as the driver file (.sys) I found in the system32\drivers folder...

AVG has popped up .. The Trojans, Hiloti.AL Hiloti.AM have infected two files in System Volume Information\_restore folder...

I have given in and taken it back to a previous system restore point .. early last week.  If it gets re-infected then I'll have to ask someone to go and run Recovery Console and delete the offending system driver file and registry entry without Windows running.  

1 comment:

  1. Thanks for recommending our Blacklist Tool, we are always interested to see what other tools you are using in conjunction with ours. Let us know if you think our website is missing any tools and we will look at adding them.

    Thank you,