Scareware and Spamhaus - John C. Kirk
Aug. 11th, 2011
06:04 pm - Scareware and Spamhaus
Scareware is normally just a minor nuisance, assuming that you know how to get rid of it without paying any money. However, I've now come across a new wrinkle: it can get you blacklisted, so that you can't send email.
I recently saw a desktop PC with a fake security warning, so I got rid of that. Process Explorer was useful here, since it gives a lot more information than Task Manager, and it identified some extra rogue processes which didn't have a visible front-end. I rebooted the machine, the user logged back in, and all seemed well.
Later on, people found that their outgoing email was bouncing back. For instance, here's an excerpt of a bounce message from Hotmail (with some details redacted):
snt0-mc4-f25.Snt0.hotmail.com #550 OU-001 (SNT0-MC4-F25) Unfortunately, messages
from 192.0.2.18 weren't sent. Please contact your Internet service provider since
part of their network is on our block list. You can also refer your provider to
(By the way, RFC 5737 defines some IP address ranges that are specifically reserved for documentation.)
Looking at the troubleshooting page they mentioned, 550 OU-001 corresponds to this explanation:
Mail rejected by Windows Live Hotmail for policy reasons. If you are not an email/network admin please contact your Email/Internet Service Provider for help. For more information about this block and to request removal please go to: http://www.spamhaus.org.
So, off to Spamhaus. I went to their Blocklist Removal Center and entered the relevant IP address. This checked 3 lists (SPL, PBL, XPL); in this case, the IP address was listed in the XPL, and more specifically in the CBL. They gave quite a thorough explanation for why they'd listed this address:
This IP is infected with, or is NATting for a machine infected with a trojan downloader that's variously known as "Artro", "Win32/Renos", "Downloader.Win32.CodecPack". In some cases the trojan is being detected by McAfee as Downloader-CEW, and Microsoft knows it as TrojanDownloader:Win32/Renos.KX.
The Trojan is a "dropper". Amongst other things, it drops a module that is being used for click-fraud (so the user gets annoying ads while he is logged in to the computer).
Technical details can be found here.
This was detected by observing this IP attempting to make contact to a Artro Command and Control server, with contents unique to Artro C&C command protocols.
To find these infections, search for TCP/IP connections going to IP address 126.96.36.199, usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-08-10 16:48:27 (GMT - this timestamp is believed accurate to within one second).
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.
We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall it, your IPs will remain infected, and they will still be able to download from real command & control servers run by the bot operators.
If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.
We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.
Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.
This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.
The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.
Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.
Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.
While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.
So, the scareware program reported into base, looking for new instructions. However, CBL are monitoring one of the command centres, so they know who's infected, and they will blacklist those sites. I personally think that this is a bit of an overreaction, since the desktop PC in question wasn't sending email, and in fact it couldn't send email: the firewall blocks SMTP traffic that doesn't come from mail servers. Also, the "infection" only lasted for a few minutes. Still, those are CBL's policies for better or worse, and we have to deal with them. Checking the firewall logs, the only machine that had contacted the IP address they mentioned was the one that I already knew about. At that point, it was easy to get delisted: you just have to click a link at the bottom of the CBL webpage. It then took about an hour for this change to propagate around the internet, so that other sites would accept email from this IP address again.
So, if you come across scareware on your machine (or a machine that you're responsible for), and if you send email directly to other mail servers (rather than relaying it via your ISP's server), I recommend that you check Spamhaus afterwards. That way, you can hopefully get yourself delisted before you run into more serious problems.