New? behavior og rbl's

Jonas jonas at
Thu Sep 22 15:40:26 IST 2011

Hmm ok maybe I was a sleep the past year or so but when did the below become normal policy???

Basically the conclusion is if you have a pc infected with a virus that's not email related and or at least is unable to send out spam because of firewall blocks or similar, you are still blocked in a spamfilter for having the same WAN ip?

Not only have I not seen this before but it seems like a huge jump in what a normal SMTP RBL list is supposed to do...

Anybody else have any thought on the matter?

Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978

IP Address X.X.X.X is not listed in the CBL.

It was previously listed, but was removed at 2011-09-22 13:24 GMT (21 minutes ago)

At the time of removal, this was the explanation for this listing:
This IP is infected with, or is NATting for a machine infected with Gbot. There are many different versions of Gbot, and it's known under several different names, see: Win32/Cycbot (Microsoft) or perhaps more specifically: Troj/Gbot-C (Sophos). 

The rest of the Anti-virus industry refers to it as Cycbot or Gbot. 

This was detected by observing this IP attempting to make contact to a Gbot Command and Control server, with contents unique to Gbot C&C command protocols. 

Amongst other things, Gbot/Cycbot sets up a web proxy on the infected machine, such that the user's normal browser is subverted to go through this proxy. The proxy then can sniff all traffic from the user (including bank account information and so on), and forward it off elsewhere. It also downloads a "fake-AV" (scareware) component. 

Many of these infections drop the following three malicious files: 

C:\Program Files\Internet Explorer\stor.cfg
C:\Program Files\Windows NT\dwm.exe
C:\Program Files\Windows NT\shell.exe

Other versions drop files that can be found by searching for files with a ".exe" suffix in the user's Application Data directory. For example, "C:\\Documents and Settings\\[username]\\Application Data\\dwm.exe". 

To find these infections, search for TCP/IP connections going to IP address, usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-09-21 06:50:27 (GMT - this timestamp is believed accurate to within one second). 

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer. 

You will need to find and eradicate the infection before delisting the IP address. 

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall it, your IPs will remain infected, and they will still be able to download from real command & control servers run by the bot operators. 

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it. 

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available. 

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent. 

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working. 

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP. 

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total. 

Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected. 

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources. 

More information about the MailScanner mailing list