
Thread: Zombie

  1. #11
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8lfr5iF8f5U1@mid.individual.net:

    > Li'l Abner wrote:
    >
    >> The spam I got from him had his own return email address, as did the
    >> others who complained to him. How would they have known who to
    >> complain to if it didn't come from his email address. You think his
    >> neighbor's machines would send out email with *his* return address?

    >
    > As a general rule, the vast majority of spam sourced from the zombies
    > does *not* have the From of the computer which sourced the spam.
    >
    > You do not determine the source of a spam from the From. You determine
    > the source of a spam by carefully examining the headers to determine
    > the source IP.
    >
    > The small minority of spam which comes from a mail account in which
    > the From actually *does* represent the source of the spam comes from
    > cracked webmail passwords, so the source of the spam in those cases
    > is the From's webmail account.
    >
    > In such a case the machine in question is not the source of the
    > webmail.
    >
    > As a general rule, except for the cracked webmail account example
    > above, the source of a spam is *not* the From.


    Please see my reply to VanguardLH. It may contain a lot of that "more
    information" you were requesting.

    --
    --- Everybody has a right to my opinion. ---

  2. #12
    Li'l Abner Guest

    Re: Zombie

    Mike Easter <MikeE@ster.invalid> wrote in news:8lfs0gFdp3U1
    @mid.individual.net:

    > Li'l Abner wrote:
    >
    >> I got a spam email from him myself.

    >
    > If you still have the spam, the email's headers can be examined by
    > someone with sufficient skill to determine the IP address of the source.


    Why didn't you say that before? :-)

    I'm sorry I got frustrated at your older post. I thought I was doing the
    best I could but you wanted more. If you examine the headers which I put in
    my reply to VanguardLH the answer may be there in that X-Originating-IP
    which I noticed myself and looked up.

    Thanks for sticking with me.

    --
    --- Everybody has a right to my opinion. ---

  3. #13
    Li'l Abner Guest

    Re: Zombie

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:icu7cg021oj@news4.newsguy.com:

    > From: "Li'l Abner" <blvstk@dogpatch.com>
    >
    >| I have a Dell Windows XP SP3 here that has been spewing SPAM email.
    >| The owner has been warned by his ISP. I must be Googling for the
    >| wrong thing because all I can find about it is that it happens but no
    >| advice on what to do about it. There's detection tools to use on
    >| networks, routers, servers, etc. but nothing about the individual
    >| computer except for a couple of those "wipe it and start over"
    >| replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE
    >| found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
    >| found a bunch of tracking cookies, and Combofix found nothing at all.
    >| For starters, how can I detect if the computer is still sending it?
    >| If it is, is it a virus or some kind of malware? What does it take to
    >| get rid of it?
    >
    > Use my Multi-AV Scanning Tool's Avira, Sophos, Emsisoft and Trend
    > Micro's scanners.
    >
    > You can tell if the PC is spewing spam, via a spam bot or some other
    > mechanism, via Wireshark.
    > Another simpler way is with TCPView by seeing if there are many
    > connects to the Internet.


    Thanks Dave. I answered VanguardLH's post in detail before I noticed your
    post. I also see that Dustin has mentioned WireShark. And between what he
    has said and one of Mike Easter's comments, I am beginning to believe that
    maybe it isn't even originating from his machine. It is connected now and
    being monitored by my ISP (who is working with me on this).

    --
    --- Everybody has a right to my opinion. ---

  4. #14
    Li'l Abner Guest

    Re: Zombie

    John Mason Jr <notvalid@cox.net.invalid> wrote in
    news:icu7pg$5ir$1@news.eternal-september.org:

    > On 11/28/2010 12:11 PM, Li'l Abner wrote:
    >> I have a Dell Windows XP SP3 here that has been spewing SPAM email.
    >> The owner has been warned by his ISP. I must be Googling for the
    >> wrong thing because all I can find about it is that it happens but no
    >> advice on what to do about it. There's detection tools to use on
    >> networks, routers, servers, etc. but nothing about the individual
    >> computer except for a couple of those "wipe it and start over"
    >> replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE
    >> found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
    >> found a bunch of tracking cookies, and Combofix found nothing at all.
    >> For starters, how can I detect if the computer is still sending it?
    >> If it is, is it a virus or some kind of malware? What does it take to
    >> get rid of it?
    >>

    >
    > Are you sure the machine was used to send the spam and not just that
    > the account credentials were stolen?
    >
    > Easiest way to determine if it is still trying to send email would be
    > to put it behind a firewall that blocks traffic and watch the logs
    >
    > If that isn't possible you might be able to tell by using the
    > following
    >
    > http://technet.microsoft.com/en-us/s.../bb897437.aspx
    > http://www.wireshark.org/download.html
    >
    > If you have a real hub available you could install wireshark on a
    > separate machine to monitor the traffic from the computer in question,
    > this would avoid the possibility that the infected machine has some
    > capability to hide what it is doing.
    >
    > Another option is to remove the drive from the original machine and
    > slave it to a different box; it might be easiest to use a USB to IDE
    > or SATA adapter.
    >
    > Could also try one or more of the bootable AV CDs
    >
    > http://www.avira.com/en/support-down...-rescue-system
    >
    >
    > A couple of other scanners I have had good results with
    >
    > http://live.sunbeltsoftware.com/
    > http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    > and
    > Multi_av put together by Mr Lipman
    > http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
    >
    >
    >
    > If the scanners find something I would upload the file(s) to
    > VirusTotal. The uploader can make this easy:
    > http://www.virustotal.com/advanced.html#uploader
    >
    > Also the Malware Hash Registry might be able to help
    >
    > http://hash.cymru.com/
    > or the application
    > http://www.team-cymru.org/Services/MHR/WinMHR/
    >
    >
    >
    >
    > Of course before doing any type of cleanup, you should have a good
    > backup!!!!


    His 80 gig drive had 78 gigs of stuff on it. I cloned it to a 250Gb drive
    before I did anything else! So I still have everything on the old drive.
    I appreciate your reply. I read VanguardLH's reply and replied to it in
    detail before I saw Dave's, Dustin's and your reply. I will keep all your
    replies in mind for future reference if I need it.
    Your replies all had one thing in common. And that's the fact that the
    mail may not be coming from this machine at all.

    --
    --- Everybody has a right to my opinion. ---

  5. #15
    Li'l Abner Guest

    Re: Zombie

    Dustin <bughunter.dustin@gmail.com> wrote in
    news:Xns9E3EA348F9529HHI2948AJD832@no:

    > "Li'l Abner" <blvstk@dogpatch.com> wrote in
    > news:Xns9E3E71C809AA4butter@wefb973cbe498:
    >
    >> I have a Dell Windows XP SP3 here that has been spewing SPAM email.
    >> The owner has been warned by his ISP. I must be Googling for the
    >> wrong thing because all I can find about it is that it happens but
    >> no advice on what to do about it. There's detection tools to use on
    >> networks, routers, servers, etc. but nothing about the individual
    >> computer except for a couple of those "wipe it and start over"
    >> replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix.
    >> MSE found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
    >> found a bunch of tracking cookies, and Combofix found nothing at
    >> all. For starters, how can I detect if the computer is still sending
    >> it? If it is, is it a virus or some kind of malware? What does it
    >> take to get rid of it?

    >
    > Hi Abner.
    >
    > Sounds like you might have a windows system file patched. I'd recommend
    > you check the digital signatures on them. In order to determine if the
    > computer is still spamming, fire up Wireshark or SmartSniff and start
    > looking at the screen. You'll see it pretty quickly if the computer is
    > still being a nuisance.
    >
    > fdsv is an excellent command line utility for verifying digital
    > signatures in files. You can find it here: http://www.kztechs.com
    >
    > Boot the machine from a bart disc, use fdsv in each windows folder for
    > the .dlls and exe files. You can also check the system drivers. MS
    > files are digitally signed. When you find one that isn't; replace him
    > with one that is. You may be able to find a good copy in the dllcache
    > folder. Worst case, you'll have to extract one from a windows XP cd,
    > already with sp3.
    >
    >


    Thanks Dustin. As you've probably already noticed, I replied to
    VanguardLH's post above in detail before I saw yours, Dave's and John's.
    You and Dave both mentioned Wireshark. Something like that was what I was
    trying to Google for and never came up with. You always come up with good
    stuff and I save your posts for future reference.
    I read all your posts, no matter who you're replying to.
    Some of the flames are even kind of neat! :-)

    --
    --- Everybody has a right to my opinion. ---

  6. #16
    Dustin Guest

    Re: Zombie

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9E3E7C8C37A9Bbutter@wefb973cbe498:

    > I got a spam email from him myself. His friends have also
    > complained. His ISP threatened to blacklist him if it doesn't stop.
    > Actually, he is moving home from another area and will soon be
    > hooked up to OUR ISP. And I know for a fact they'll blacklist him if
    > he spews email.


    Hi Abner.

    Are you sure the SPAM email actually came from him, and that a spambot
    doesn't simply have his email along with others and is forging the
    From:? The reason something might want to do this is to gain more
    confidence for you to open the attachment (if one is provided). It
    started because at one point, some people used to say don't open emails
    from people you don't know. The idea being, people who know you are
    somehow more "trustworthy". hehee.


    >>
    >>> The owner has been warned by his ISP.

    >>
    >> So presumably/maybe there has been spam evidence provided to the
    >> ISP abuse address -or- the ISP (maybe) sees network traffic profile
    >> and notifies the IP user -or- something else. You are leaving out a
    >> lot of important background and evidence details.

    >
    > This is all that he has told me. I have no doubt the computer was
    > spewing email.


    If you run Wireshark or SmartSniff (SmartSniff is easier to use, as it
    separates each process talking on the net into its own area for quick
    and easy viewing; Wireshark is a little more complex), and the machine
    is having a lot of conversations (i.e. spamming), you'll see it hitting
    a lot of IP addresses and sending emails to them. (When you click one
    of the IP ranges in the top half of the window it'll show you the
    contents of that packet.) You'll be able to spot email, I have no doubt.

    You can find wireshark here:

    http://www.wireshark.org/

    and SmartSniff can be found here:

    http://www.nirsoft.net/utils/smsniff.html

    > The spam I got from him had his own return email address, as did the
    > others who complained to him. How would they have known who to
    > complain to if it didn't come from his email address. You think his
    > neighbor's machines would send out email with *his* return address?


    As I explained above, it's entirely possible to forge the email
    addresses. A spambot could have his email address and is sending to
    people he knows.


    --
    Hackers are generally only very weakly motivated by conventional
    rewards such as social approval or money. They tend to be attracted by
    challenges and excited by interesting toys, and to judge the interest
    of work or other activities in terms of the challenges offered and the
    toys they get to play with.

  7. #17
    David H. Lipman Guest

    Re: Zombie

    From: "Li'l Abner" <blvstk@dogpatch.com>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:icu7cg021oj@news4.newsguy.com:

    >> From: "Li'l Abner" <blvstk@dogpatch.com>


    >>| I have a Dell Windows XP SP3 here that has been spewing SPAM email.
    >>| The owner has been warned by his ISP. I must be Googling for the
    >>| wrong thing because all I can find about it is that it happens but no
    >>| advice on what to do about it. There's detection tools to use on
    >>| networks, routers, servers, etc. but nothing about the individual
    >>| computer except for a couple of those "wipe it and start over"
    >>| replies. I've done a full scan with MSE, MBAM, SAS, and ComboFix. MSE
    >>| found nothing, MBAM found 18 MyWebSearch and 2 Trojan Vundo, SAS
    >>| found a bunch of tracking cookies, and Combofix found nothing at all.
    >>| For starters, how can I detect if the computer is still sending it?
    >>| If it is, is it a virus or some kind of malware? What does it take to
    >>| get rid of it?


    >> Use my Multi-AV Scanning Tool's Avira, Sophos, Emsisoft and Trend
    >> Micro's scanners.


    >> You can tell if the PC is spewing spam, via a spam bot or some other
    >> mechanism, via Wireshark.
    >> Another simpler way is with TCPView by seeing of there are many
    >> connects to the Internet.


    | Thanks Dave. I answered VanguardLH's post in detail before I noticed your
    | post. I also see that Dustin has mentioned WireShark. And between what he
    | has said and one of Mike Easter's comments, I am beginning to believe that
    | maybe it isn't even originating from his machine. It is connected now and
    | being monitored by my ISP (who is working with me on this)

    Dustin had mentioned patched files.

    I was given an Acer notebook w/XP SP3. It had been infected and most trojans were
    removed. However, symptoms remained. The symptoms were in both FireFox and IE8. I would
    search Google for a term like MBAM and I would get relatively normal results. However,
    when I clicked on a result it wasn't what was expected: there was a pregnant pause and I
    was redirected every time.
    I scanned it with AntiVir, MBAM, SAS, Sophos and anti-TDSS utilities, and while there were
    some trojans that were removed it still had the symptoms, even when I had the hard disk
    removed and placed it on a surrogate to be scanned.

    It wasn't until I scanned with Trend Micro (from my Multi-AV) that it detected
    PE_PATCHED.SMC in EXPLORER.EXE and WINLOGON.EXE with its peers in DLLCache. The files
    were removed and I had to restore them from a source outside the OS. Once that was done,
    no more symptoms.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #19
    Dustin Guest

    Re: Zombie

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9E3EC3DBD691butter@wefb973cbe498:

    > Thanks Dustin. As you've probably already noticed, I replied to
    > VanguardLH's post above in detail before I saw yours, Dave's and
    > John's. You and Dave both mentioned Wireshark. Something like that
    > was what I was trying to Google for and never came up with. You
    > always come up with good stuff and I save your posts for future
    > reference. I read all your posts, no matter who you're replying to.
    > Some of the flames are even kind of neat! :-)
    >


    Glad to be of assistance. I'll continue to monitor this thread, and
    hopefully you'll have the problem resolved soon.



    --
    Hackers are generally only very weakly motivated by conventional rewards
    such as social approval or money. They tend to be attracted by
    challenges and excited by interesting toys, and to judge the interest of
    work or other activities in terms of the challenges offered and the toys
    they get to play with.

  10. #20
    VanguardLH Guest

    Re: Zombie

    Received #1
    from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193])
    by whereIgetmymail.com
    for <whereIgetmymail@alongthewapsie.com>
    Received #2
    from <me@mywebsite.com>
    by cgpb3.cgp.netins.net
    Received #3
    from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com)
    by cgpf2.cgp.netins.net
    Received #4
    from BLU111-W17 ([65.55.116.8])
    by blu0-omc1-s15.blu0.hotmail.com

    Received headers are prepended to the header section in the order the
    mail hosts are hit. That is, the topmost Received header is the latest
    one (for the recipient's mail host) and the bottom-most Received header
    is the first one (for the sender's mail host) - *if* none of the
    Received headers are forgeries. You follow the chain backwards in
    top-down order from the last to first mail host. The 'from' host in a
    Received header should be the same as the 'by' host in the prior
    Received header. A break in the chain indicates a bogus Received
    header; however, some internal routing may not contain both the 'from'
    or 'by' hosts. The value in square brackets is inserted by the
    receiving mail host to identify the IP address of the host that
    connects to it (since every host knows the IP address of the other host
    that connects to it). It is suspect if the IP address reported by the
    receiving mail host doesn't match the IP address or host announced by
    the sending mail host.

    For Received header #1 (the last one for your receiving mail host), the
    'by' host is your mail server (where you got the e-mail). For the
    'from' host, a rDNS on 167.142.228.193 returns cgpb3.cgp.netins.net
    which the receiving mail host also noted. This happens to match the
    string sent by the sending host in the 'hello' or 'ehlo' command. Looks
    good so far. The next Received header's 'by' host should match on this
    header's 'from' host.

    For Received header #2, its 'by' host matches on the next Received
    header's 'from' host so the chain is looking good. What I don't
    understand is why its 'from' host is just "<me@mywebsite.com>". That
    would be the *comment* for what that mail host claims is its name. The
    parameters showing what was the IP address and rDNS of the host
    connecting to it are missing. That is, the 'from' field in Received #2
    is incomplete. Since the next Received header has its 'by' host still
    back at netins.net, are you using some webhosting service at netins.net
    to get your e-mails? If this is not a bogus header (inserted by the
    spammer) then it might be an anomalous Received header to reflect
    internal routing. I'll assume this is not a bogus header and continue
    parsing through the chain of Received headers.

    For Received header #3, I'll have to assume its 'by' host is valid. Its
    'from' header said it got the e-mail from a Hotmail account. The
    receiving mail host at netins.net shows the IP address (65.55.116.26).
    An rDNS on that returns the same value as the comment field in the HELO
    command issued by the sender's mail host. Still looking good.

    For Received header #4, its 'by' host matches on the 'from' host in
    Received header #3. So the chain appears unbroken from last to this
    first Received header. The 'from' host has no rDNS lookup on the shown
    IP address but then 65.55.116.x is a block assigned to Microsoft so it
    is probably an internal routing anomaly again.

    So it appears that the e-mail originates from Hotmail. Does the user
    accused of sending spam have a Hotmail account?
    If so, it appears they have an old MSN Hotmail account (the
    "name@msn.com") by looking at the headers:

    [X-]Return-path: <name@msn.com>
    X-Original-Return-Path: name@msn.com

    as well as:

    Message-ID: <BLU111-W177D3FBDA7AA096FE3C4E9DF5F0@phx.gbl>

    since phx.gbl is one of Microsoft's right-tokens used in their MID
    values.

    Considering this user is using an ISP in Czech Republic (and is himself
    probably located there), have they yet changed their login credentials
    for their Hotmail account? Is your user actually living in
    Czechoslovakia? That's the IP address of whomever used that Hotmail
    account to send the spam e-mail as shown in the X-header that Hotmail
    adds to whomever logs into a Hotmail account and sends e-mail from
    there.

    X-Originating-IP: [89.102.206.74]

    An rDNS on 89.102.206.74 returns ip-89-102-206-74.net.upcbroadband.cz.
    The .cz TLD (top-level domain) is for the Czech Republic. When I do an
    IPwhois on that IP address, it is assigned to an ISP in Czechoslovakia.
    So just WHERE is your client located? Are they really using a Czech ISP
    for Internet access (and then connecting to Hotmail from there)?

    Oh, the spam did originate from a Hotmail account (which might be what
    your client uses) but does it look like the Czech user is your user? If
    not, CHANGE THE PASSWORD on the Hotmail account. Do it now!
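An added example, not part of VanguardLH's post: a small Python script that walks the Received headers quoted above top-down and applies the rule stated there (each header's 'from' host should be the next header's 'by' host). It marks a link as "internal" when both 'by' hosts sit in the same provider domain, which is how the post treats Received #2, and as a break otherwise; the last-two-labels domain heuristic is this example's own assumption, and rDNS lookups are left out so it runs offline.

```python
import re

# Constructed sample built from the Received headers quoted in the post above
# (hosts and addresses are the ones shown there, joined onto one line each).
# Index 0 was added last, by the recipient's mail host; the final entry was
# added first, nearest the sender.
SAMPLE_RECEIVED = [
    "from cgp.netins.net (cgpb3.cgp.netins.net [167.142.228.193]) "
    "by whereIgetmymail.com for <whereIgetmymail@alongthewapsie.com>",
    "from <me@mywebsite.com> by cgpb3.cgp.netins.net",
    "from [65.55.116.26] (HELO blu0-omc1-s15.blu0.hotmail.com) by cgpf2.cgp.netins.net",
    "from BLU111-W17 ([65.55.116.8]) by blu0-omc1-s15.blu0.hotmail.com",
]
SAMPLE_X_ORIGINATING_IP = "X-Originating-IP: [89.102.206.74]"  # also from the post

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name (or [ip]) announced by the connecting host
    r"(?:\s*\((?P<comment>[^)]*)\))?"  # optional "(rdns [ip])" or "(HELO name)" comment
    r".*?\bby\s+(?P<by>\S+)",          # the host that wrote this header
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return the names the sender was known by, the 'by' host, and the peer IP
    the receiving host recorded in brackets (None when the from clause is incomplete)."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(value[: m.start("by")])  # only the part before 'by'
    names = {m.group("helo").strip("<>[]")}
    # Add the rDNS name / HELO name from the comment, minus any bracketed IP.
    names.update(IP_RE.sub("", comment).replace("HELO", "").split())
    return {"from_names": names, "by": m.group("by"), "peer_ip": ip.group(1) if ip else None}


def domain_of(host):
    """Last two labels of a hostname; assumption of this example used to spot
    hops that stay inside one provider, not a general registrable-domain rule."""
    return ".".join(host.lower().split(".")[-2:])


def check_chain(received_values):
    """Classify each link between consecutive hops, walking top-down as the post does:
    'ok' if this 'from' host equals the next 'by' host, 'internal' if both 'by' hosts
    share a provider domain (routing anomaly), otherwise 'break' (suspect header)."""
    hops = [parse_received(v) for v in received_values]
    links = []
    for upper, lower in zip(hops, hops[1:]):
        if lower["by"] in upper["from_names"]:
            links.append("ok")
        elif domain_of(upper["by"]) == domain_of(lower["by"]):
            links.append("internal")
        else:
            links.append("break")
    return hops, links


def originating_ip(header_line):
    """Pull the client IP out of an X-Originating-IP header, if present."""
    m = IP_RE.search(header_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    hops, links = check_chain(SAMPLE_RECEIVED)
    for i, hop in enumerate(hops, 1):
        print(f"Received #{i}: from={sorted(hop['from_names'])} by={hop['by']} "
              f"peer_ip={hop['peer_ip']}")
    print("links (top-down):", links)           # ['ok', 'internal', 'ok']
    print("X-Originating-IP:", originating_ip(SAMPLE_X_ORIGINATING_IP))
```

The "internal" result on the second link is exactly the incomplete 'from' field the post flags for Received #2; a "break" is where one would start suspecting an inserted header.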
