Scanning your machine for exploits
There are a variety of different compromises that the CBL detects:
- mass mailing worms/viruses/trojans like Cutwail, Srizbi, Ozdok/Mega-D, Rustock, Storm
- open proxies - either accidental ones (an insecure web server or proxy configuration)
or malicious ones (eg: phatbot/gaobot infestations)
We're mostly going to discuss them all at once, because the techniques used
to find them overlap.
You MUST have a good general purpose anti-virus scanning package
that you keep up to date.
If you don't have one, get one. Or several.
However, much as we'd wish otherwise, anti-virus tools
are often very poor at finding infections.
The track record of current/popular
Anti-Virus software at finding current and severe threats is terrible.
In fact, recent studies have shown that "new" threats are caught by
any of the 35 most common A-V packages only 23% of the time, and that
this only improves to 50% after a month. In other words, even if you were running
all 35 of those A-V products at once, a new threat
would be caught by at least one of them only 23% of the time.
You SHOULD have a good personal firewall. These are good
at preventing your machine from being infected by network viruses, as well as stopping
outbound abuse if your machine does become infected. Hardware firewalls are superior
to software personal firewalls, because many infections will disable software
We're not going to make specific recommendations - most firewalls are pretty good.
But NONE of them are perfect, and NONE of them will find everything.
Some infections actually hunt out and turn off or "damage" your
virus scanner so that it won't find viruses.
So, run manual scans and make sure that it appears to be behaving normally.
Consider reinstalling it if it behaves in the slightest bit "weird".
Before delving too deeply into machine scanning and investigations,
first make sure that you're looking at the right computer.
If the IP the CBL detected is a NAT firewall/gateway/router,
do NOT make assumptions as to which machine behind it is infected: the CBL only
sees the public address, so any host that shares it could be the source.
Servers, even mail servers, are usually not the cause.
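One practical way to find the infected host behind a NAT gateway is to look at the gateway's connection table for internal hosts talking to port 25 on many different remote addresses (a spambot's signature; a legitimate mail client or relay talks to one or two). The following is an added example, not part of this page or the CBL's tooling: it parses lines in the format produced by Linux `conntrack -L` / `/proc/net/ip_conntrack` and ranks internal sources by distinct SMTP destinations. The sample lines are constructed, not real captured data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in conntrack -L / /proc/net/ip_conntrack format (not real
# data): three internal hosts behind a NAT gateway.
SAMPLE_CONNTRACK = """\
tcp      6 117 SYN_SENT src=192.168.1.23 dst=203.0.113.5 sport=51234 dport=25 [UNREPLIED] src=203.0.113.5 dst=192.168.1.23 sport=25 dport=51234 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.23 dst=203.0.113.9 sport=51235 dport=25 [UNREPLIED] src=203.0.113.9 dst=192.168.1.23 sport=25 dport=51235 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.23 dst=198.51.100.77 sport=51236 dport=25 [UNREPLIED] src=198.51.100.77 dst=192.168.1.23 sport=25 dport=51236 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=40001 dport=25 src=198.51.100.20 dst=192.168.1.10 sport=25 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.40 dst=93.184.216.34 sport=40002 dport=443 src=93.184.216.34 dst=192.168.1.40 sport=443 dport=40002 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.40 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.40 sport=53 dport=5353 mark=0 use=1
"""

# Matches the original-direction tuple, i.e. the FIRST src=/dst=/sport=/dport=
# group on the line (the second group is the reply direction). search() rather
# than match() so the "ipv4 2" prefix of /proc/net/nf_conntrack is tolerated.
ORIG_TUPLE = re.compile(
    r"(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Yield (proto, state, src, dst, dport) for every parseable line."""
    for line in text.splitlines():
        m = ORIG_TUPLE.search(line)
        if m:
            yield (m.group("proto"), m.group("state") or "",
                   m.group("src"), m.group("dst"), int(m.group("dport")))


def smtp_talkers(text, port=25):
    """Map each internal source IP to the set of distinct remote hosts it
    contacted on `port`. Only TCP flows are considered."""
    dests = defaultdict(set)
    for proto, _state, src, dst, dport in parse_conntrack(text):
        if proto == "tcp" and dport == port:
            dests[src].add(dst)
    return dests


def rank_suspects(text, port=25):
    """Sorted list of (src, distinct_destination_count), most suspicious first.
    Many distinct destinations from one host is the signature of a spambot."""
    counts = Counter({src: len(d) for src, d in smtp_talkers(text, port).items()})
    return counts.most_common()


if __name__ == "__main__":
    for src, n in rank_suspects(SAMPLE_CONNTRACK):
        print(f"{src}: {n} distinct SMTP destinations")
```

On a Linux gateway, feed it the live table with `conntrack -L` (or `cat /proc/net/ip_conntrack`); on a consumer router, the web interface's "active connections" page usually shows the same tuples and can be read the same way. A host that is merely checking mail will show a single destination; the host to investigate is the one fanning out to dozens.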
It's a good idea to download some other tools and scan with them too.
The following tools are free, and are good at
finding/eradicating the most common viruses that we see causing CBL detections:
Microsoft Malicious Software Removal Tool
This tool appears to be very good at detection and removal of many of the current
spambots that the CBL detects.
Generalized tool for finding most viruses/worms on Windows:
There are several different offerings, the beginner ones are free.
It will generally be good at finding the bits and pieces of malware
on your machine, but will not necessarily remove them.
Trend Micro's HiJackThis
is very similar to Seccheck, and likewise not for beginners.
There are online forums that you can post your reports to, and an expert
may be able to analyse the reports and make recommendations on how to fix it.
[We used to recommend the Symantec "spot removal" tools. Since there's a different
tool for each threat, we no longer think this is a practical approach when you
don't necessarily know _which_ threat it is.]
These tools should not be considered to be a substitute for
up-to-date general-purpose virus scanning/prevention tools. But
they are convenient "quick and dirty" "one-shot" tools to look
specifically for the worms that most frequently cause CBL
detections of this type.
In the adware/spyware space, security professionals tend to recommend one or more of:
SpyBot Search and Destroy (freeware)
There are two broad classes of these exploits: one we call "natural", and the other
You have installed a proxy of some sort on your machine which is misconfigured
(perhaps by default) to permit people on the Internet to relay through it to other places.
This includes web servers, proxy servers like Squid, and things like Wingate or AnalogX.
If you are running such a thing, especially as a proxy, make sure that it refuses
connections from anyone outside your internal network.
If you're running AnalogX, get rid of it NOW.
Not only is AnalogX "open" by default, it cannot be made secure, and
the author has refused to fix it.
Historically, AnalogX was the leading cause of compromised machines on the
Internet until the advent of worms/trojans such as Netsky or Phatbot.
These are proxies installed by malware, such as gaobot, phatbot and various
These are often EXTREMELY difficult to find; your best bet is to use anti-virus and
anti-spyware software to find and delete them.
Note: particularly with open proxies, other DNS block lists can be invaluable in
finding out what's happening.
Go to DNSSTUFF and enter the IP into the "Spam
Look for DNSBL entries (other than CBL, XBL or SBL-XBL or "DUL"), and if there are any,
click on the details link.
Some DNSBLs (such as the SORBS proxy lists) will tell you exactly what port the proxy is listening on.
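The DNSBL lookups described above can be scripted rather than done through a web form. The following is an added example, not part of this page or the CBL's own tooling: it builds the reversed-octet query name each DNSBL uses, resolves it against a list of zones, and decodes the 127.x.y.z answer. The zone names are an assumption about the public zones at the time of writing (verify against each list's documentation); only the Spamhaus ZEN return codes are decoded, other lists are reported simply as "listed".

```python
import ipaddress
import socket
import sys

# Assumed public zone names; check each list's documentation before relying on them.
DNSBL_ZONES = [
    "cbl.abuseat.org",        # the CBL itself
    "zen.spamhaus.org",       # SBL + XBL (XBL carries CBL data) + PBL
    "dnsbl.sorbs.net",        # SORBS aggregate
    "http.dnsbl.sorbs.net",   # SORBS open HTTP proxies
    "socks.dnsbl.sorbs.net",  # SORBS open SOCKS proxies
    "misc.dnsbl.sorbs.net",   # SORBS other open proxies
]


def reverse_ip(ip):
    """DNSBLs key on the IPv4 octets in reverse order: 192.0.2.1 -> 1.2.0.192.
    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def query_name(ip, zone):
    """The name to resolve: <reversed ip>.<zone>."""
    return f"{reverse_ip(ip)}.{zone}"


def interpret(zone, code):
    """Turn an A-record answer into a human-readable reason."""
    if zone.endswith("spamhaus.org") and code.startswith("127.255.255."):
        # Spamhaus refuses queries from open/public resolvers and over-quota
        # users with 127.255.255.x; this is NOT a listing.
        return "query refused (public resolver or rate limit); retry from your own resolver"
    if zone == "zen.spamhaus.org":
        last = int(code.rsplit(".", 1)[1])
        if last in (2, 3):
            return "SBL (spam source)"
        if 4 <= last <= 7:
            return "XBL/CBL (compromised host)"
        if last in (10, 11):
            return "PBL (dynamic/end-user address space)"
    return "listed"


def check_zone(ip, zone):
    """Return [(answer_ip, reason), ...]; an empty list means not listed
    (NXDOMAIN). Network access required."""
    name = query_name(ip, zone)
    try:
        answers = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []
    return [(a, interpret(zone, a)) for a in answers]


def check_all(ip, zones=DNSBL_ZONES):
    """Consult every zone; returns {zone: [(answer, reason), ...]}."""
    return {zone: check_zone(ip, zone) for zone in zones}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"  # 127.0.0.2 is the conventional "always listed" test address
    for zone, hits in check_all(target).items():
        print(f"{zone}: {hits if hits else 'not listed'}")
```

Two caveats: run this from your own resolver, not a public one, or Spamhaus will answer 127.255.255.254 instead of a listing; and the standard library can only fetch A records, so for the TXT record that carries the reason (and, for the SORBS proxy lists, the port) use `dig +short -t txt 1.2.0.192.http.dnsbl.sorbs.net` with your own reversed address.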
If none of the above helps, as a last resort you will have to do full port scans and
identify suspicious "listeners".
Details on how to run and analyse port scans are well beyond the scope of this document.
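Once a suspicious listener has been found, the question is whether it will relay for strangers. The following is an added example, not part of this page or the CBL's tooling: it speaks the three protocols open proxies most commonly offer (HTTP CONNECT, SOCKS4, SOCKS5) and reports whether each relay attempt was granted. Probe only a machine you are responsible for, from outside its NAT if possible (the CBL saw it from outside), and point it at a target host you control so you can confirm the relayed connection in that host's logs. `TARGET_HOST` is a hypothetical placeholder.

```python
import socket
import struct

TARGET_HOST = "mail.example.net"   # hypothetical; use a host whose logs you can read
TARGET_PORT = 25                   # spammers want port 25; a proxy that relays there is the problem
TIMEOUT = 5.0


def build_http_connect(host=TARGET_HOST, port=TARGET_PORT):
    """HTTP CONNECT: an open proxy answers 2xx and then tunnels raw TCP."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def build_http_get(url="http://www.example.com/"):
    """Absolute-URI GET, the other way an HTTP proxy relays for outsiders."""
    return f"GET {url} HTTP/1.1\r\nHost: {url.split('/')[2]}\r\nConnection: close\r\n\r\n".encode()


def classify_http_reply(raw):
    """'open' for 2xx, 'closed' for 4xx (e.g. 403/407 from a proxy refusing
    outsiders), 'unknown' for anything else. Note a 5xx usually means the proxy
    DID try to reach the target and failed, so retest with a reachable target."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    try:
        status = int(parts[1])
    except ValueError:
        return "unknown"
    if 200 <= status < 300:
        return "open"
    if 400 <= status < 500:
        return "closed"
    return "unknown"


def build_socks4_connect(ip, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return b"\x04\x01" + struct.pack("!H", port) + socket.inet_aton(ip) + userid + b"\x00"


def socks4_granted(reply):
    """SOCKS4 reply: VN=0, CD=0x5a means request granted."""
    return len(reply) >= 8 and reply[0] == 0 and reply[1] == 0x5A


def build_socks5_greeting():
    """Offer only method 0x00 (no authentication); an open proxy accepts it."""
    return b"\x05\x01\x00"


def build_socks5_connect(ip, port):
    """SOCKS5 CONNECT to an IPv4 address: VER=5, CMD=1, RSV=0, ATYP=1."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)


def socks5_granted(reply):
    """SOCKS5 reply: VER=5, REP=0x00 means succeeded."""
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0


def _exchange(host, port, payloads):
    """Open one TCP connection, send each payload in turn, return the replies."""
    replies = []
    with socket.create_connection((host, port), TIMEOUT) as s:
        s.settimeout(TIMEOUT)
        for p in payloads:
            s.sendall(p)
            replies.append(s.recv(512))
    return replies


def probe(host, port, target_ip, target_port=TARGET_PORT):
    """Try HTTP CONNECT, SOCKS4 and SOCKS5 against host:port. Returns
    {protocol: True (relay granted) | False (refused) | None (no usable reply)}."""
    results = {}
    try:
        verdict = classify_http_reply(_exchange(host, port, [build_http_connect(target_ip, target_port)])[0])
        results["http-connect"] = {"open": True, "closed": False}.get(verdict)
    except OSError:
        results["http-connect"] = None
    try:
        results["socks4"] = socks4_granted(_exchange(host, port, [build_socks4_connect(target_ip, target_port)])[0])
    except OSError:
        results["socks4"] = None
    try:
        greet = _exchange(host, port, [build_socks5_greeting()])[0]
        if greet[:2] == b"\x05\x00":
            _, reply = _exchange(host, port, [build_socks5_greeting(), build_socks5_connect(target_ip, target_port)])
            results["socks5"] = socks5_granted(reply)
        else:
            results["socks5"] = False   # proxy demands authentication or is not SOCKS5
    except OSError:
        results["socks5"] = None
    return results
```

Run it as `probe("203.0.113.7", 8080, "198.51.100.20")` with your own public address, the suspicious port from the port scan or the DNSBL TXT record, and the IP of a host you control; any `True` in the result is the open relay the CBL is seeing. A CONNECT to port 25 being refused while an absolute-URI GET succeeds still means the proxy is open to the world, just not usable for SMTP, so test both when the first is inconclusive.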
These links may also be helpful:
Cyberabuse.org Proxy info
SecureWorks Advanced Proxy Detection
The CBL and abuseat.org web pages are copyright ©
2003-2017, all unauthorized copying is prohibited.
All external pages referenced are copyright by their