Spyware/Trojan help

Mize

So I've got this problem. I've got it hemmed in for now, but I want to fix it. My main firewall was zonked by a thunderstorm and, while I was waiting for its replacement, I had to use a cheaper one. After the unit was replaced I noticed several machines constantly contacting this IP address: 208.99.195.69 on port 135 (messenger/RPC). That IP has no DNS entries that I can find.

After a while the machines that contacted that started sending packets all over the place even when nobody was on the computer - ouch!

Well I've got the stuff hemmed in by adding tons of rules to shut down internet access for the "infected" computers, but I can't find out what the source is. Spybot doesn't find any spyware and Sophos doesn't find any viruses or trojans.

Assuming this is an unrecognized malware, how do I track it down and kill it? I can sniff packets if I open my ports again, but that's not something I'm keen on.

Is there a good forum for these types of puzzles?
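The symptom described in the post above (several internal machines repeatedly contacting one outside address on port 135, even when nobody is at the keyboard) is the kind of pattern a firewall log can reveal without re-opening any ports. The script below is an added example, not code from the thread or from any product mentioned in it: it parses a constructed, hypothetical log format (timestamp, source, destination, destination port, action), groups connections by source/destination/port, and flags flows whose inter-connection gaps are regular enough to look like beaconing. The log lines, the 192.168.1.x sources and the 203.0.113.7 address are constructed sample data; 208.99.195.69 and port 135 are taken from the post.

```python
"""Flag regular "beaconing" to external hosts in firewall logs (added example, constructed data)."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "<iso-timestamp> <src> <dst> <dport> <action>" format.
# Two internal hosts talk to 208.99.195.69:135 every ~5 minutes; a third host browses normally.
SAMPLE_LOG = """\
2006-06-01T10:00:00 192.168.1.10 208.99.195.69 135 ALLOW
2006-06-01T10:05:00 192.168.1.10 208.99.195.69 135 ALLOW
2006-06-01T10:10:00 192.168.1.10 208.99.195.69 135 ALLOW
2006-06-01T10:15:01 192.168.1.10 208.99.195.69 135 ALLOW
2006-06-01T10:20:00 192.168.1.10 208.99.195.69 135 ALLOW
2006-06-01T10:02:13 192.168.1.11 208.99.195.69 135 ALLOW
2006-06-01T10:03:40 192.168.1.11 10.0.0.5 445 ALLOW
2006-06-01T10:07:13 192.168.1.11 208.99.195.69 135 ALLOW
2006-06-01T10:12:14 192.168.1.11 208.99.195.69 135 ALLOW
2006-06-01T10:17:13 192.168.1.11 208.99.195.69 135 ALLOW
2006-06-01T10:01:00 192.168.1.20 203.0.113.7 80 ALLOW
2006-06-01T10:33:00 192.168.1.20 203.0.113.7 443 ALLOW
2006-06-01T10:44:12 192.168.1.20 203.0.113.7 80 ALLOW
"""


def parse_log(text):
    """Turn log text into (timestamp, src, dst, dport, action) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Return flows to non-private destinations with >= min_hits connections whose
    spacing is regular: relative standard deviation of the gaps <= max_jitter."""
    flows = defaultdict(list)
    for ts, src, dst, dport, _action in records:
        if ipaddress.ip_address(dst).is_private:
            continue  # internal traffic (file shares etc.) is out of scope here
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times), "interval": round(mean_gap),
            })
    return findings


def shared_destinations(findings):
    """Map each flagged destination to the set of internal hosts beaconing to it;
    one destination shared by several hosts is the pattern the original post saw."""
    shared = defaultdict(set)
    for f in findings:
        shared[f["dst"]].add(f["src"])
    return dict(shared)


if __name__ == "__main__":
    hits = find_beacons(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['src']} -> {h['dst']}:{h['dport']} every ~{h['interval']}s ({h['count']} hits)")
    for dst, srcs in shared_destinations(hits).items():
        print(f"{dst} is contacted by {len(srcs)} internal hosts: {sorted(srcs)}")
```

The jitter threshold is deliberately loose (20%) because the intervals in real logs drift; the more telling signal is the second function, a single outside address that several hosts all keep returning to. Run against a real export, the same grouping would also give the list of machines to cut off at the firewall while they are cleaned.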
Interesting... Very interesting. Not that I'm any good at this sort of stuff, but interesting nevertheless :)

I'd suggest you get some form of anti-rootkit program, I believe there are such things out there. And check the task list of running programs/services, though you've prolly done that already.
 
Mize said:
Assuming this is an unrecognized malware, how do I track it down and kill it? I can sniff packets if I open my ports again, but that's not something I'm keen on.
Here's what I would do:

1. Download the latest Kaspersky beta and licence from their FTP site and install it onto a clean machine with a CD burner.
2. Install PE Builder and also the Adaware and Spybot S&D modules for it onto the same machine.
3. Update all the databases for the above products.
4. From inside Kaspersky, use the option to build a PE Builder rescue disk. Ideally you will use a WinXP disc slipstreamed with XP2.
5. Now you have a standalone bootable CD which will allow you to scan and clean (if possible) the infected machines without having their infected OSes up and running. This allows you to find and kill any rootkit or hidden viruses as you are not trying to run off the same boot disc.

You may end up having to wipe and reinstall the problem machines if their OSes have been too badly damaged, but you will at least be able to identify the problem and if it's fixable, Kaspersky should be able to fix it.

BTW, that IP is in the address space of an ISP called Swift Communications, so I'd guess this is the next step in the botnet controller network. Any good hacker is just probably using a number of compromised machines as controllers removed from his direct machines, but you can try closing it down by reporting to their abuse address at abuse@swiftco.net
Bouncing Zabaglione Bros. said:
Here's what I would do:

1. Download the latest Kaspersky beta and licence from their FTP site and install it onto a clean machine with a CD burner.
2. Install PE Builder and also the Adaware and Spybot S&D modules for it onto the same machine.
3. Update all the databases for the above products.
4. From inside Kaspersky, use the option to build a PE Builder rescue disk. Ideally you will use a WinXP disc slipstreamed with XP2.
5. Now you have a standalone bootable CD which will allow you to scan and clean (if possible) the infected machines without having their infected OSes up and running. This allows you to find and kill any rootkit or hidden viruses as you are not trying to run off the same boot disc.

Thanks. Not to be too dense, but I've not used Kaspersky before - what from that dir do I download? This is going to be so fun :(
 
Mize said:
Thanks. Not to be too dense, but I've not used Kaspersky before - what from that dir do I download? This is going to be so fun :(

Sorry, I would have linked directly to the files, but Kaspersky stops people doing that. You have to go to the top directory and navigate from there.

Actually, there's probably an easier way to do this if this is going to be a one-off sort of thing.

1. Instead of using the beta, simply use the trial version from here. Install it on a clean machine with a CD burner.

2. Then download PE Builder as per my last post and forget about the Adaware and Spybot modules for the time being. Install it on the machine above.

3. Find a slipstreamed XP Service Pack 2 disk.

4. From the Kaspersky application, select "service -> rescue disk -> start wizard". Fill in the paths as necessary and make yourself a rescue disk.

That should work, but if it doesn't, let me know and if necessary I'll walk you through it again or through using the beta. It sounds a lot more complicated to describe than it is to do. Once you have a rescue disk, you can just boot off the CD and scan your drives.
 
The simplest way to crack these puzzles is Hijackthis. Download the prog, start it up, dump the logfile in the editbox on the page, and have it analysed immediately. And if you still have some doubts, they'll help you on the forum.
 
Thanks guys. No idea what the culprit(s) were but the offending machines appear to have stopped pounding the firewall after all the scanning/cleaning/fixing.

Remind me not to use a $200 firewall ever again :)
Now that Barracuda Spyware Firewall is looking better than ever. They have an IM firewall too, but I think I'll just close those ports!
 