Scanning your machine for exploits

There are a variety of different compromises that the CBL detects:

  • mass mailing worms/viruses/trojans like Cutwail, Srizbi, Ozdok/Mega-D, Rustock, Storm and others.
  • open proxies - either accidental ones (an insecure web server or proxy configuration) or malicious (e.g. phatbot/gaobot infestations)

We're mostly going to discuss them all at once, because the techniques used to find them overlap.

You MUST have a good general purpose anti-virus scanning package that you keep up to date. If you don't have one, get one. Or several.

However, much as we'd wish otherwise, anti-virus tools are often very poor at finding infections.

The track record of current/popular Anti-Virus software at finding current and severe threats is terrible. In fact, recent studies have shown that "new" threats are caught by any of the 35 most common A-V packages only 23% of the time, and that this only improves to 50% after a month. In other words, even if you were running all 35 of those A-V products at once, a new threat would be caught by at least one of them only 23% of the time.

You SHOULD have a good personal firewall. These are good at preventing your machine being infected by network viruses, as well as stopping outbound abuse if your machine does become infected. Hardware firewalls are superior to software personal firewalls, because many infections will disable software firewalls.

We're not going to make specific recommendations - most firewalls are pretty good.

But NONE of them are perfect, and NONE of them will find everything.

Some infections actually hunt out and turn off or "damage" your virus scanner so that it won't find viruses. So, run manual scans and make sure that it appears to be behaving normally. Consider reinstalling it if it behaves in the slightest bit "weird".

Before delving too deeply into machine scanning and investigations, first make sure that you're looking at the right computer.

If the IP the CBL detected is a NAT firewall/gateway/router, do NOT make assumptions as to which machine is infected. Servers, even mail servers, are usually not the cause.

It's a good idea to download some other tools and scan with them too. The following tools are free, and are good at finding/eradicating the most common viruses that we see causing CBL detections:

  • Microsoft Malicious Software Removal Tool: this tool appears to be very good at detection and removal of many of the current spambots that the CBL detects.
  • MyNetWatchman Seccheck: a generalized tool for finding most viruses/worms on Windows. There are several different offerings; the beginner ones are free. It will generally be good at finding the bits and pieces of malware on your machine, but not necessarily at removing them.
  • Trend Micro's HiJackThis: very similar to Seccheck, and also not for beginners. There are online forums that you can post your reports to, where an expert may be able to analyse the reports and make recommendations on how to fix it.

[We used to recommend the Symantec "spot removal" tools. Since there's a different tool for each threat, we no longer think this is a practical approach when you don't necessarily know _which_ threat it is.]

These tools should not be considered to be a substitute for up-to-date general-purpose virus scanning/prevention tools. But they are convenient "quick and dirty" "one-shot" tools to look specifically for the worms that most frequently cause CBL detections of this type.

In the adware/spyware space, security professionals tend to recommend one or more of: SpyBot Search and Destroy (freeware), Adaware (commercial), and AntiSpyware by Microsoft.

Open Proxies/Trojans

There are two broad classes of these exploits: one we call "natural", and the other "artificial".

Natural Proxies:

You have installed a proxy of some sort on your machine which is misconfigured (perhaps by default) to permit people on the Internet to relay through it to other places. This includes web servers, proxy servers like Squid, and things like Wingate or AnalogX.

If you are running such a thing, especially as a proxy, make sure that it disallows people outside of your internal network from using it.
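As an added illustration (not from the CBL page or the Squid project), here is the "natural open proxy" misconfiguration in Squid's squid.conf next to a restricted version; the 192.168.1.0/24 range is an assumed internal network, and the rule order matters because Squid applies the first http_access line that matches:

```squid
# WEAK: this is what an accidental open proxy looks like. Anyone on the
# Internet who can reach port 3128 may relay through this machine.
http_port 3128
http_access allow all

# CORRECTED: bind only to the internal interface (assumed address) and
# allow only the internal network, then deny everything else.
http_port 192.168.1.1:3128
acl localnet src 192.168.1.0/24          # assumption: your internal LAN range
acl Safe_ports port 80 443               # only plain HTTP and HTTPS destinations
http_access deny !Safe_ports
http_access allow localhost              # Squid's built-in 127.0.0.1 ACL
http_access allow localnet
http_access deny all                     # must be last; catches everything else
```

After changing the configuration, reload Squid and confirm from a host outside the internal network that connections to the proxy port are refused.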

If you're running AnalogX, get rid of it NOW. Not only is AnalogX "open" by default, it cannot be made secure, and the author has refused to fix it. Historically, AnalogX has been the leading cause of compromised machines on the Internet until the advent of worm/trojans such as Netsky or Phatbot.

Artificial Proxies/Trojans:

These are proxies installed by malware, such as gaobot, phatbot and various downloader trojans.

These are often EXTREMELY difficult to find; your best bet is to use anti-virus and anti-spyware software to find and delete them.

Note: particularly with open proxies, other DNS block lists can be invaluable in finding out what's happening. Go to DNSSTUFF and enter the IP into the "Spam Database Lookup". Look for DNSBL entries (other than CBL, XBL, SBL-XBL or "DUL"), and if there are any, click on the details link. Some DNSBLs (such as the SORBS proxy list) will tell you exactly what port the proxy is listening on.
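The lookup that sites like DNSSTUFF perform for you can also be done directly, which is useful when you want to check your own IP against several lists at once. The following is an added example, not code from the CBL page: it builds the reversed-octet query name a DNSBL expects and reports the 127.0.0.x listing code if one comes back; the zone name "dnsbl.example" and the 192.0.2.0/24 addresses are hypothetical, and the meaning of each return code is specific to the list being queried.

```python
"""DNSBL lookup helper (added example, not part of the CBL page).

A DNSBL is queried by reversing the dotted-quad IP, prefixing it to the
list's DNS zone, and asking for an A record. "Name not found" means the IP
is not listed; an answer in 127.0.0.0/8 means it is listed, with the last
octet's meaning defined by that particular list (check the list's web site).
"""
import ipaddress
import socket
from typing import Dict, List, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNS name to query for `ip` in the DNSBL `zone`.

    192.0.2.10 in the hypothetical zone "dnsbl.example" becomes
    "10.2.0.192.dnsbl.example". Raises ValueError on a malformed IP.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def check_dnsbl(ip: str, zone: str) -> Optional[str]:
    """Query `zone` for `ip`; return the listing code (e.g. '127.0.0.2')
    or None when not listed. Needs network access to the zone's servers.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        return None                       # NXDOMAIN: not listed
    # Only 127.x answers are listing codes; anything else (e.g. a wildcard
    # DNS answer from a dead list) is treated as "not listed".
    return answer if answer.startswith("127.") else None


def check_many(ip: str, zones: List[str]) -> Dict[str, Optional[str]]:
    """Look `ip` up in several lists, mirroring a multi-list web lookup."""
    return {zone: check_dnsbl(ip, zone) for zone in zones}


if __name__ == "__main__":
    # Constructed sample: documentation address and a hypothetical zone.
    for zone, code in check_many("192.0.2.10", ["dnsbl.example"]).items():
        print(zone, "listed as" if code else "not listed", code or "")
```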

If none of the above helps, as a last resort you will have to do full port scans and identify suspicious "listeners". Details on how to run and analyse port scans are well beyond the scope of this document.

These links may also be helpful:

  • Proxy info
  • SecureWorks Advanced Proxy Detection