The CBL - Composite Blocking List

Scanning your machine for exploits

There are a variety of different compromises that the CBL detects:

We're mostly going to discuss them all at once, because the techniques used to find them overlap.

You MUST have a good general purpose anti-virus scanning package that you keep up to date. If you don't have one, get one.

However, much as we'd wish otherwise, anti-virus tools are often very poor at finding infections. Of late, more than half of all spam/virus sending compromises are NOT being detected by AV tools. Worse, even when the compromise is detected, the AV tools are often unable to fix it.

You SHOULD have a good personal firewall. These are good at preventing your machine being infected by network viruses, as well as stopping outbound abuse if your machine does become infected.

We're not going to make specific recommendations - most firewalls are pretty good.

But NONE of them are perfect, and NONE of them will find everything.

Some infections actually hunt out and turn off or "damage" your virus scanner so that it won't find viruses. So, run manual scans and make sure that it appears to be behaving normally. Consider reinstalling it if it behaves in the slightest bit "weird".

Many anti-virus tools aren't particularly good at finding infections that already exist on your machine (as opposed to stopping them in the first place), especially "polymorphic" viruses or things downloaded by "trojan downloaders" (e.g. gaobot).

Most anti-virus vendors take the position that adware and spyware packages aren't viruses, and their anti-virus products deliberately do not detect or remove them.

This leads to ridiculous situations where you can get infected by a virus, you run your anti-virus scanner with new definitions to find and eradicate it, but the anti-virus scanner will not remove the dozen different spyware/adware/trojan spambot packages that the virus downloaded.

We agree, this is just plain stupid - it's still malicious code you didn't ask for - but that's what most vendors' policies are.

Before delving too deeply into machine scanning and investigations, first make sure that you're looking at the right computer.

If the IP the CBL detected is a NAT firewall/gateway/router, do NOT make assumptions as to which machine is infected. Servers, even mail servers, are usually not the cause. Mynetwatchman has developed a set of instructions that can help identify which machine on your NAT is emitting email it shouldn't.

It's a good idea to download some other tools and scan with them too. The following tools are free, and are good at finding/eradicating the most common viruses that we see causing CBL detections:

These tools should not be considered to be a substitute for up-to-date general-purpose virus scanning/prevention tools. But they are convenient "quick and dirty" "one-shot" tools to look specifically for the worms that most frequently cause CBL detections of this type.

In the adware/spyware space, security professionals tend to recommend one or more of: SpyBot Search and Destroy (freeware), Adaware (commercial software from LavaSoft), and AntiSpyware (free beta release, just released by Microsoft).

Open Proxies/Trojans

There are two broad classes of these exploits: one we call "natural", and the other "artificial".

Natural Proxies:

You have installed a proxy of some sort on your machine which is misconfigured (perhaps by default) to permit people on the Internet to relay through it to other places. This includes web servers, proxy servers like Squid, and things like Wingate or AnalogX.

If you are running such a thing, especially as a proxy, make sure that it disallows people outside of your internal network using it.

If you're running AnalogX, get rid of it NOW. Not only is AnalogX "open" by default, it cannot be made secure, and the author has refused to fix it. Historically, AnalogX has been the leading cause of compromised machines on the Internet until the advent of worm/trojans such as Netsky or Phatbot.

Artificial Proxies/Trojans:

These are proxies installed by malware, such as gaobot, phatbot and various downloader trojans.

These are often EXTREMELY difficult to find; your best bet is to use anti-virus and anti-spyware software to find and delete them.

Note: particularly with open proxies, other DNS block lists can be invaluable in finding out what's happening. Go to DNSSTUFF and enter the IP into the "Spam Database Lookup". Look for DNSBL entries (other than CBL, XBL, SBL-XBL or "DUL"), and if there are any, click on the details link. Some DNSBLs (such as SORBS proxy) will tell you exactly what port the proxy is listening on.
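The lookup a "Spam Database Lookup" page performs is a plain DNS query, and it is worth knowing how to do it yourself. The following is an added example (not code from the CBL or DNSSTUFF): it reverses the IP's octets, prepends them to a DNSBL zone, and interprets the 127.x answer. The zone names and return codes are assumptions taken from those lists' public documentation, not from this page, so confirm them against the list you are checking.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Zones and return codes are assumptions from the lists' public documentation
# (the page names the CBL and XBL but gives no zone names). Any other 127.x
# answer is reported as "listed, unknown code": look it up in that list's docs.
DNSBL_CODES: Dict[str, Dict[str, str]] = {
    "cbl.abuseat.org": {"127.0.0.2": "CBL: host seen emitting spam/virus traffic"},
    "xbl.spamhaus.org": {f"127.0.0.{n}": "XBL: exploited or hijacked host"
                         for n in range(4, 8)},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Resolve an A record; NXDOMAIN (meaning "not listed") becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, resolver: Resolver = live_resolver) -> List[str]:
    """Return one line per zone that lists the IP, with the code's meaning."""
    hits = []
    for zone, codes in DNSBL_CODES.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if not answer.startswith("127."):
            # A real listing is always in 127/8; anything else is usually a
            # wildcard or captive-portal resolver answering for NXDOMAIN.
            hits.append(f"{zone}: non-DNSBL answer {answer}, check your resolver")
            continue
        hits.append(f"{zone}: {codes.get(answer, 'listed, unknown code ' + answer)}")
    return hits


if __name__ == "__main__":
    # Constructed answers standing in for live DNS so the demo runs offline.
    fake = {"4.3.2.1.cbl.abuseat.org": "127.0.0.2"}
    print(check_dnsbls("1.2.3.4", resolver=lambda name: fake.get(name)))
```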

If none of the above helps, as a last resort you will have to do full port scans and identify suspicious "listeners". Details on how to run and analyse port scans are well beyond the scope of this document.
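A port scan from outside is one way to find a listener; the cheaper first step is to list what the machine itself says it is listening on and flag anything unexplained. This is an added example, not part of the original page: it parses constructed "netstat -ano" output (Windows, since the worms named above are Windows malware), drops loopback-only and established sockets, and reports listeners that the machine's expected-ports list does not explain. The expected ports and the set of conventional proxy ports are assumptions for the example.

```python
import re
from typing import List, NamedTuple

# "netstat -ano" output constructed for this example (not from a real host).
# Windows netstat is used because the worms the page names are Windows
# malware; the same triage applies to "ss -ltnp" output on Linux.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2204
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2204
  TCP    192.168.1.10:3389      192.168.1.20:51022     ESTABLISHED     1100
  UDP    0.0.0.0:500            *:*                                    1300
"""

# Assumptions for the example: the ports this particular machine is meant to
# expose, and the ports HTTP/SOCKS proxies conventionally listen on.
EXPECTED_PORTS = {135, 445}
PROXY_PORTS = {1080, 3128, 8000, 8080, 8888}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Keep TCP sockets in LISTENING state plus every bound UDP socket."""
    found = []
    for m in filter(None, map(LINE_RE.match, netstat_output.splitlines())):
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                    # established connections are not listeners
        found.append(Listener(proto, addr, int(port), int(pid)))
    return found


def triage(listeners: List[Listener]) -> List[str]:
    """Flag network-reachable listeners the expected-ports list does not explain."""
    findings = []
    for l in listeners:
        # Loopback-only sockets cannot be reached from the Internet; known
        # services are by definition explained.
        if l.addr in ("127.0.0.1", "::1") or l.port in EXPECTED_PORTS:
            continue
        why = "common proxy port" if l.port in PROXY_PORTS else "unexpected listener"
        findings.append(f"{l.proto} {l.addr}:{l.port} owned by pid {l.pid}: {why}")
    return findings
```

On Windows the process behind a flagged PID can be identified with `tasklist /fi "PID eq 2204"`; two proxy ports owned by the same unfamiliar process, as in the sample, is exactly the pattern an artificial proxy leaves.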

These links may also be helpful: Cyberabuse.org Proxy info; Advanced Proxy Detection.
