Rustock spambot?

arwes Member Posts: 633
Anybody here ever have to hunt down a spambot? I came in this morning to find that we're blacklisted all over the place, and the CBL says we've got the Rustock spambot. Apparently it was detected about 6 hours ago. Shouldn't the spambot be constantly flooding port 25? I've got Wireshark running and the only SMTP traffic I see is normal stuff from our Exchange server. It's looking like a fluke to me, so I guess I'm going to request delisting and just see if something happens over the next few days.
Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation!

Comments

  • tiersten Member Posts: 4,505
    If it is actively spamming then yes, you should see lots of connections to port 25. It may be on a computer that isn't currently on, however, or the spam network hasn't directed it to actually send anything. Rustock generally incorporates rootkit methods of hiding from users and AV software, so do a full scan of everything with a current AV package.
  • arwes Member Posts: 633
    I guess I'll have Wireshark log the stuff overnight and see what I get in the morning. We've got a MikroTik router (never heard of them before coming to work here), and I'm going to call our networking guy to get him to double check to make sure only our Exchange server is allowed to send SMTP.

    I looked at the spam that was caught in someone's spamtrap and it's ads for the little blue pills lol. Hopefully I can track down the machine that's trying to do this. With all the lost productivity today, this will probably get the board to go ahead with our content filtering we've requested for a couple years now. Nah, I doubt it.
  • arwes Member Posts: 633
    Spam bot found and neutralized! For some stupid reason, the web proxy was configured to shut down at 8:00 PM and restart at 6:00 AM. I have no clue why that was set up (it was configured before I started working here). We set up a rule to catch any port 25 traffic that isn't the Exchange server and stopped the web proxy service. As soon as we did that, this one laptop started going nuts with it.

    I've got it shut down right now (and that proxy shutdown rule is gone as well), but it looks like he had Snifula.b and a dropper as well (had to rename HijackThis so it would run). I'll be hitting that Monday morning with Malwarebytes and ComboFix.
  • Chivalry1 Member Posts: 569
    Make sure that your firewall is locked down to only allow smtp traffic from your Exchange server(s).
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge." Elbert Hubbard (1856 - 1915)
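    The checks tiersten and Chivalry1 describe, and the rule arwes used to catch non-Exchange port 25 traffic, can be automated once the firewall or proxy logs connections. The script below is an added example written for this thread, not code from any of the posters; the log line format, the 192.168.1.0/24 LAN range, the Exchange address 192.168.1.10 and the sample log lines are all constructed assumptions. It reports internal hosts other than the mail server that open outbound TCP/25 connections, ignoring internal clients submitting mail to Exchange and unparseable lines.

```python
"""Flag internal hosts (other than the mail server) opening outbound SMTP.

Added example for this thread, not any poster's code. The log format,
addresses and sample lines are constructed for illustration.
"""
import re

# Assumed: the only host allowed to speak SMTP to the internet.
EXCHANGE_SERVER = "192.168.1.10"
SMTP_PORT = 25
LAN_PREFIX = "192.168."  # assumed internal range

# Assumed (constructed) connection-log line format:
#   "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: Exchange sending legitimately, one laptop
# (192.168.1.57) fanning out to many external MTAs overnight, a workstation
# doing HTTPS and submitting mail internally to Exchange, and one junk line.
SAMPLE_LOG = """\
2009-03-12 02:13:41 tcp 192.168.1.10:51022 -> 203.0.113.5:25
2009-03-12 02:13:42 tcp 192.168.1.57:1038 -> 203.0.113.9:25
2009-03-12 02:13:42 tcp 192.168.1.57:1039 -> 198.51.100.20:25
2009-03-12 02:13:43 tcp 192.168.1.57:1040 -> 203.0.113.5:25
2009-03-12 02:13:44 tcp 192.168.1.57:1041 -> 198.51.100.77:25
2009-03-12 02:13:45 tcp 192.168.1.57:1042 -> 198.51.100.77:80
2009-03-12 02:13:46 tcp 192.168.1.23:49201 -> 203.0.113.40:443
2009-03-12 02:13:47 tcp 192.168.1.23:49202 -> 192.168.1.10:25
this line is not a connection record
"""


def is_internal(ip):
    """True if the address is in the assumed LAN range."""
    return ip.startswith(LAN_PREFIX)


def find_smtp_offenders(lines, mail_server=EXCHANGE_SERVER):
    """Return {src_ip: {count, first, last, dsts}} for internal hosts other
    than mail_server that connect outbound on TCP/25."""
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than abort the run
        if m["proto"] != "tcp" or int(m["dport"]) != SMTP_PORT:
            continue
        src, dst = m["src"], m["dst"]
        # Internal-to-internal SMTP (clients submitting to Exchange) is fine;
        # so is the mail server itself talking to the internet.
        if not is_internal(src) or is_internal(dst) or src == mail_server:
            continue
        rec = offenders.setdefault(
            src, {"count": 0, "first": m["ts"], "last": m["ts"], "dsts": set()}
        )
        rec["count"] += 1
        rec["last"] = m["ts"]
        rec["dsts"].add(dst)
    return offenders


def summarize(offenders):
    """Rank offenders by connection count: [(src, count, distinct_dsts)]."""
    rows = [(src, r["count"], len(r["dsts"])) for src, r in offenders.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    found = find_smtp_offenders(SAMPLE_LOG.splitlines())
    for src, count, ndst in summarize(found):
        rec = found[src]
        print(f"{src}: {count} outbound SMTP connections to {ndst} hosts "
              f"between {rec['first']} and {rec['last']}")
```

    Fan-out to many distinct external MTAs from a single workstation is the signature to look for; a host that is legitimately relaying through Exchange never appears here because its SMTP traffic goes to an internal destination. Run it over a full night's log rather than a daytime snapshot, since in this thread the bot only became visible once the overnight proxy gap was closed.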
  • arwes Member Posts: 633
    Chivalry1 wrote:
        Make sure that your firewall is locked down to only allow smtp traffic from your Exchange server(s).

    It is now. Well, actually it's always been set up to only allow smtp traffic from the Exchange server but that stupid rule that nobody's taking credit for (lol) negated that when it would completely disable the proxy from 8:00 PM to 6:00 AM.
  • tiersten Member Posts: 4,505
    Ahh. The proxy gets disabled and anything can access the internet without restrictions? That's a pretty huge gap in security. No wonder nobody is owning up to it :D

    It sounds suspiciously like somebody somewhere decided that out of hours internet access shouldn't be restricted so added in that rule...
  • arwes Member Posts: 633
    Yeah I was really pissed about it myself (especially after spending a day & a half trying to find the problem machine), but in the process of trying to hunt down the spambot I found some really nifty software based on Snort.

    http://www.bothunter.net/