A good process for detecting email spam bots?

nelsonm

hi all,

A client of mine believes they are a victim of a spam bot infection and wants to know what to do. After doing some research, I'm still wanting to know what to do.

I told them:

1. change your email account password.

2. look in the sent folder to see if there is a large number of messages that have been sent out recently on their behalf.

3. we can run our usual disinfection regimen against their PC and hope for the best.

4. rebuild their PC to ensure it's infection free.

Other than those options, are there any other processes or apps we can use to detect spam bots?

thanks.
 
Wireshark and see their networking activity.

If they are bots they might not use their email program at all so it will not show up there.

Also if it was using a lot of network their ISP might send them an email telling them about it. I have seen one ISP do this which threatened them with being cut off if they did not fix it.
 
ok...

Say I use Wireshark and there is higher than normal activity... I'll have to see if Wireshark also displays the process that is contributing to the high activity.

Other than that, your lack of options indicates there is not much you can do other than disinfect or rebuild. Either way, it looks like it could get expensive for the client.

Also, the client now thinks the infection may have started on her iPhone. She uses the MSN/Hotmail email service.

One more thing to add to the mix, these are live retail business systems. So rebuilding will be the last option.
 
It's probably a botnet with a worm built in for email spread. Chances are it's FUD and it transmits via USB and other ways, so it will have spread by now for sure. Infections like this never have a 'happy ending' and need to be swiftly exterminated.

As I've stressed before in other threads, a large majority of malware is undetected because it is privately coded. Hell, you can google it and go and buy a FUD botnet with email spread, MSN spread etc. for like $50, and I'm not joking either.

You get kids with money to burn and they mess with things like this.

I doubt her email is being spoofed, but it's possible.
 
OK, but no one has answered the question about what disinfection apps are out there we can use as a line of defense other than rebuilding the PC.

Anyone...
 
You should know that spambots don't actually use their email software. You won't see them creating messages in the middle of the night and clicking Send.

lmao. Yeah, they run in the background, as I've mentioned about malware in previous threads. It probably will hook onto emails being sent by the user and will probably steal the email contacts.

In regards to preventing it, I would implement some basic security such as a blocklist (PeerBlock is a good place to start); it will block known bad IP addresses, has a huge list, and custom lists can be used. Also a firewall.

You can have all the security in the world though and have it toppled in seconds if the user is incompetent. Look at Iran and their nuclear reactor: it got messed up because of a USB infection lol. It's exactly the same with these businesses you're talking about; you need to make sure they are aware of these things and don't access personal things at work.

You can stop known malware with your general tools and like I said blocklists and a firewall should take care of most others. No network will ever be 100% secure though. You could also block the port it sends mail from by default and use something different for theirs.
 
hi all,

A client of mine that believes they are a victim of a spam bot infection ... SNIP...

Is it really an infection, or has her email been spoofed?


I wondered this as well - actual spam-bot type infections are so rare for me that I can't even recall the last one. Spoofing is much more common - but few users are even aware of such a thing.
 

Ensure they change their e-mail password from a known clean/healthy PC...not the possibly infected one. Else their password change will just be caught by the trojan.

Monitor the suspect PC with a good firewall. We have the full version of Untangle at our shop; there is a module on it called Bandwidth Control which lets me see details of a computer's traffic down to the gnat's ass. If that thing is belching out SMTP, I'll see it, and see where it's trying to go. Plenty of other monitoring tools out there too.

Back in the Win9X days worms would often hijack Outlook Express and you'd see a huge sent items folder, but since then the worms/trojans come with their own SMTP engine often working on an alternate port...so you won't see footprints left in the local e-mail client.

Run your usual bunch of malware cleaning tools on the machine, they usually catch it and clean it up fine.
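The two detection ideas in this thread (watch the box's outbound traffic with Wireshark, and watch for a process "belching out SMTP", possibly on an alternate port) boil down to one check: which process is opening outbound mail connections, and to how many hosts. The script below is an added example, not code from anyone in the thread; it runs over constructed connection records, the mail-client allowlist and the fan-out threshold are assumptions, and the record format is made up to mirror a per-process connection export.

```python
from collections import defaultdict

# Constructed sample records, one outbound connection per line as
# "time,process,dst_ip,dst_port" (what a host firewall or per-process
# connection export shows). Not real traffic from the thread.
SAMPLE_LOG = """\
09:00:01,outlook.exe,203.0.113.10,587
09:00:02,chrome.exe,198.51.100.7,443
09:00:03,svchost.exe,192.0.2.5,25
09:00:03,svchost.exe,192.0.2.9,25
09:00:04,svchost.exe,192.0.2.17,25
09:00:04,svchost.exe,192.0.2.33,25
09:00:06,updater.exe,198.51.100.8,2525
09:00:06,updater.exe,198.51.100.9,2525
09:00:07,updater.exe,198.51.100.10,2525
09:00:07,updater.exe,198.51.100.11,2525
"""

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist
FANOUT_THRESHOLD = 4  # distinct hosts on one port; assumed threshold


def parse_connections(log):
    """Yield (process, dst_ip, dst_port); skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _ts, proc, ip, port = parts
        yield proc.lower(), ip, int(port)


def find_spambot_candidates(log, fanout=FANOUT_THRESHOLD):
    """Two signals of a built-in SMTP engine: (1) SMTP traffic from a
    process that is not the mail client, (2) one process talking to
    many distinct hosts on the same port, which also catches engines
    that use a non-standard port."""
    non_client_smtp = set()
    hosts_by_proc_port = defaultdict(set)
    for proc, ip, port in parse_connections(log):
        hosts_by_proc_port[(proc, port)].add(ip)
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            non_client_smtp.add(proc)
    fanout_hits = sorted((proc, port, len(hosts))
                         for (proc, port), hosts in hosts_by_proc_port.items()
                         if len(hosts) >= fanout)
    return {"smtp_from_non_mail_client": sorted(non_client_smtp),
            "fanout": fanout_hits}
```

Wireshark on its own shows the traffic but not the owning process, so the process column has to come from the host side (firewall log or a per-process connection view) to tie an SMTP burst back to a binary.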
 