Best methods for tracing a mass-mailing worm infected workstation on a network?



I've had instances in the past where a workstation has been infected
with a mass-mailer worm and whilst I resolved the issue in the end I
encountered the following circumstances in relation to the infected
workstation:-

- no up-to-date anti virus package found any mass mailer worms. I
tried Panda, McAfee, Norton.
- no port 25 traffic (other than the mail server) was going through
the router (I checked all the logs/tables)

In the end, via a process of elimination, I used Malwarebytes Anti-Malware
to find and remove the virus.

I'm interested in finding out about any other proven methods for
tracking down mass-mailer infected workstations.  It seems it can be
like finding a needle in a haystack.


What methods would you suggest?

Re: Best methods for tracing a mass-mailing worm infected workstation on a network?




| I've had instances in the past where a workstation has been infected
| with a mass-mailer worm and whilst I resolved the issue in the end I
| encountered the following circumstances in relation to the infected
| workstation:-

| - no up-to-date anti virus package found any mass mailer worms. I
| tried Panda, McAfee, Norton.
| - no port 25 traffic (other than the mail server) was going through
| the router (I checked all the logs/tables)

| In the end, via a process of elimination, I used Malwarebytes Anti-Malware
| to find and remove the virus.

| I'm interested in finding out about any other proven methods for
| tracking down mass-mailer infected workstations.  It seems it can be
| like finding a needle in a haystack.


| What methods would you suggest?

Packet tracking for oddball address patterns.

Which "mass-mailer worm" or is this really a spambot infection ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Best methods for tracing a mass-mailing worm infected workstation on a network?




It likely wasn't a virus. :) As our software doesn't really deal with
those. You may wish to consider the commercial/pro version as it offers
realtime protection against nasties known to it, as well as IP blocking
of known malicious websites. It's a onetime registration, not a yearly
deal unless you're a company...

Watching router traffic can often tell you which computer might be
responsible for consuming a large portion of the bandwidth for spamming.

Wireshark.



--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Best methods for tracing a mass-mailing worm infected workstation on a network?



On Thu, 12 Nov 2009 07:08:25 -0800 (PST), BadBoy House



Wireshark - monitor the network for a few hours and then review the
report. You can filter by port, ip (destination or sending), protocol
etc. No network admin should be without.

Did I mention it is freeware?

Re: Best methods for tracing a mass-mailing worm infected workstation on a network?




Simplest way is to use a computer running Wireshark and a network HUB (*not*
a switch).

Unplug the connection between the main internet source and put the HUB
in-between them.  A hub will let you listen to the other traffic going
through it.  A switch won't.  This will let you listen transparently to all
traffic running through the hub.  Then filter for mail traffic from anything
other than your legitimate internal mail server host(s).
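The filtering step in the post above ("mail traffic from anything other than your legitimate internal mail server host(s)") is the part that actually finds the box. As an added example (not code from the thread or from any of its posters), the script below applies that rule to a constructed field dump in the shape that `tshark -T fields` produces from a capture taken on the hub-attached PC, and also builds the equivalent live Wireshark display filter. The relay address 192.0.2.10, the sample lines and the port list are assumptions for the example.

```python
"""Flag hosts that originate SMTP traffic to anything other than the
legitimate mail relay, from a field dump of a hub/SPAN capture.
Added example; addresses, ports and sample lines are constructed."""
from collections import defaultdict

# Assumption: the site's only legitimate outbound mail relay.
LEGIT_MAIL_SERVERS = {"192.0.2.10"}
# SMTP plus the submission/SMTPS ports; spambots sometimes use the alternates.
MAIL_PORTS = {25, 465, 587}

# Constructed sample in the shape of
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len
# i.e. one tab-separated line per outbound connection attempt (SYN only).
SAMPLE_DUMP = """\
192.0.2.10\t203.0.113.5\t25\t74
192.0.2.10\t198.51.100.20\t25\t74
192.0.2.33\t203.0.113.9\t80\t74
192.0.2.57\t198.51.100.8\t25\t74
192.0.2.57\t198.51.100.9\t25\t74
192.0.2.57\t203.0.113.77\t25\t74
192.0.2.57\t203.0.113.78\t587\t74
192.0.2.57\t192.0.2.10\t25\t74
192.0.2.41\t192.0.2.10\t25\t74
"""


def parse_field_dump(text):
    """Yield (src, dst, dport, length) tuples from tab-separated lines.
    Lines without all four fields (non-IP or non-TCP frames) are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all(parts):
            continue
        src, dst, dport, length = parts
        yield src, dst, int(dport), int(length)


def suspicious_mail_senders(records, legit=LEGIT_MAIL_SERVERS, ports=MAIL_PORTS):
    """Return {src: {"attempts": n, "targets": [distinct dsts]}} for every
    host that tried to reach a mail port on a host other than the legitimate
    relay(s). Clients that only talk to the internal relay are normal, and
    the relay's own outbound SMTP is excluded as well."""
    stats = defaultdict(lambda: {"attempts": 0, "targets": set()})
    for src, dst, dport, _length in records:
        if dport not in ports or src in legit or dst in legit:
            continue
        stats[src]["attempts"] += 1
        stats[src]["targets"].add(dst)
    return {src: {"attempts": s["attempts"], "targets": sorted(s["targets"])}
            for src, s in stats.items()}


def wireshark_display_filter(legit=LEGIT_MAIL_SERVERS, ports=MAIL_PORTS):
    """Equivalent live display filter for Wireshark on the hub-attached PC.
    Note the !(ip.addr == x) form: "ip.addr != x" is true whenever either
    endpoint differs, so it would not exclude the relay's traffic."""
    port_expr = " || ".join(f"tcp.port == {p}" for p in sorted(ports))
    host_expr = " && ".join(f"!(ip.addr == {h})" for h in sorted(legit))
    return f"({port_expr}) && {host_expr}"


if __name__ == "__main__":
    found = suspicious_mail_senders(parse_field_dump(SAMPLE_DUMP))
    for host, info in sorted(found.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{host}: {info['attempts']} attempt(s) to "
              f"{len(info['targets'])} external mail host(s)")
    print("Wireshark filter:", wireshark_display_filter())
```

Ranking by distinct external destinations rather than raw byte count is what separates a spambot from a user who happens to have a large legitimate mail client session, and it also catches the case the original poster hit, where no port 25 traffic showed in the router logs: a capture on the hub sees the connection attempts even if the router silently dropped or never logged them.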


Re: Best methods for tracing a mass-mailing worm infected workstation on a network?





| Simplest way is to use a computer running Wireshark and a network HUB (*not*
| a switch).

| Unplug the connection between the main internet source and put the HUB
| in-between them.  A hub will let you listen to the other traffic going
| through it.  A switch won't.  This will let you listen transparently to all
| traffic running through the hub.  Then filter for mail traffic from anything
| other than your legitimate internal mail server host(s).


Assuming that the NIC of the PC connected to the hub is promiscous, then Wireshark on
that PC will "...listen to the other traffic going through it".

The statement, "A switch won't" is misleading.  A managed switch supporting RMON
probes will.
An unmanaged Ethernet switch won't because, by its nature, each port is a traffic
cop only allowing traffic to be passed to each switch port based upon the MAC
address of the traffic.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Best methods for tracing a mass-mailing worm infected workstation on a network?




If it's connected to a hub then it will hear all traffic.


Semantics.

A great many sites don't have managed switches.  It's reasonable to assume
this.  Thus the suggestion of using a hub.  It would allow inserting the
listening machine into the network without any changes to the network.  No
router access or configuration changes required.

This, tangentially, is why it's important to make sure your network hardware
is physically secure.  You don't want just anyone with a hub and a PC
connecting in there and sniffing the traffic.  But that's a side issue.

And making changes to a managed network switch or router isn't necessarily a
trivial process.  Make the wrong config changes and you risk crashing the
network.  Done right, it works well.  Done wrong and people get fired.  It's
hard to explain to manglement why your attempts to fix something they didn't
know was 'broken' lead to a disaster.  Transparently sniffing the traffic
doesn't disrupt things in the same way.


Correct.

As an additional side note, be careful about sniffing network traffic.
You're going to possibly collect or see information that people might not
otherwise like to know you've seen.  This is an area where logic doesn't
matter, it's all about perception.  The fact that you've seen what people
might consider "personal", even while they're at work, might have disastrous
side-effects on your continued employment.  Be extra careful not to
accidentally make enemies...   Focus on a specific problem, document the
problem and your proposed solution and present it to management.  Get their
buy-in on the full scope of your solution AND STICK WITH THE PLAN.   Even
this is no guarantee.  But at least you'll have that plan as CYA material
when things go pear-shaped.

-Bill Kearney


Re: Best methods for tracing a mass-mailing worm infected workstation on a network?





| If it's connected to a hub then it will hear all traffic.


No.  Not true.  If the NIC of the node using WireShark or other protocol
capturing decoder is NOT able to be in a permiscuous mode then it will not see
all the traffic on the hub, only those packets intended for that node on the hub.



| Semantics.

This is NOT semantics.  It is an important fact that can not be casually left
out and needs to be clarified.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Best methods for tracing a mass-mailing worm infected workstation on a network?




If the adapter is one supported by Wireshark (relying upon WinPcap when
running in Windows) then it's a non-issue.  A great many are.  I'm sure you
can find edge cases that aren't.  Feel free to burn your cycles doing so.

It's perhaps reasonable to point out that on the outside chance someone's
dealing with a network interface that won't work then it's probably a very
good idea to just purchase one that can.  Start with what you've got and
confirm that it does the job.


Consider your nit picked.

And if you're going to be that way, at the very least get the spelling correct.
http://en.wikipedia.org/wiki/Promiscuous_mode

Can you move on to actually being helpful now?


Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

On Sun, 15 Nov 2009 12:10:40 -0500, "Bill Kearney"


Ahh, yes, the memories. <g> A year or two ago, a vendor was brought
into a wireless carrier's data center to help resolve some issues with
that vendor's equipment. Part of the troubleshooting involved running
automated tests against a list of web sites, with the list being
created from sites that had been recently visited. As it turned out,
one of the target sites was a gay pr0n site, but the bigger question
at the time was whether it was actually gay kiddie pr0n. I've never
seen such a case of 'hot potato', where no one was willing to do
anything other than pass the issue up the management chain. Quite
humorous when viewed from a distance, but probably not nearly as
humorous for those who were directly involved. I don't _think_ anyone
lost their job over it, but I know there were multiple frantic and
heated phone calls at the executive level as a result.


Re: Best methods for tracing a mass-mailing worm infected workstation on a network?



That's a great example.

I made it clear at one site that if illegal material was discovered I would
not be held responsible for it.  After I'd left that site, and they'd let
the filtering system go lax, they made the papers when one of their senior
employees was arrested for soliciting a minor online.  It was with some
delight when I made the "I told you so" phone call.  And even better when I
spoke with the police about their indifference about it some months before
the problem.

