
Posted

I recently discovered that my work's main IP number (a firewall/NAT gateway) is on the Composite Block List (CBL). According to the CBL FAQ, this is most likely because a computer on our LAN has some kind of mass-mailer virus. Trouble is, we can't find one.

All our PCs are running Avira, scheduled scans and firewalls. Our IT guy has manually scanned them all twice now, and not found the culprit. So I delisted us from the CBL, but a few days later we have been added again, so the problem is still with us. I've looked in our firewall logs, and there are no suspicious outgoing SMTP connections on port 25 (and we use Google Apps, so our 'real' email goes out over different ports).

I really don't want to go around and manually tear every computer apart myself. So I'm wondering if there is a way to install some kind of network sensor that will record suspicious connections or attempted infections inside our LAN? Could a virtual honeypot achieve this? Anyone got such a thing running?

Posted

Do you use MAC address filtering to make sure people aren't plugging in their own infected laptops onto the network?

Posted (edited)

We don't use MAC filtering but we do use WPA encryption. Unfortunately staff generally hand out the key to visitors, some of whom definitely have infected laptops. To solve the problem, I want to set up a separate "guest" wireless network on a different IP (we have a few available) but our firewall/gateway doesn't have a spare network card. To be honest our network runs on the kind of junk normal people throw away.

Management do not understand or support IT security, they just expect things to work regardless, and I have to 'live with it'.

Edited by Crushdepth
Posted

Thumb drives are a curse and probably our main problem as far as viruses and trojans go. However, Avira is pretty good at picking them up, and autorun has been disabled on all machines for removable drives. But yeah, could be an issue. However, lately not many visitors, so I have a feeling that a staff computer is infected with something.

Webfact: The link is quite relevant and interesting, thanks. One of my frustrations is that the CBL don't tell you what they think your system is infected with, and refuse to publish their listing criteria.

Posted

Simple solution is to block port 25. You should be blocking all outbound ports by default for security reasons, especially ports like 25. And since you don't have an SMTP server onsite, it's not an open relay issue. Doesn't seem like you need port 25 for any computers/servers since you use Google, which also means being on the CBL won't disrupt email communication for you.

Posted

There are a couple of reasons why your service might be banned:

A. the whole range is blocked because it is a DIALUP range (even if it is ADSL or cable - particularly if it is NOT a business grade service)

B. there has been a complaint raised against your IP address block (maybe NOT your address but one in the block)

C. there has been a complaint raised against your specific IP address

You need to determine which of these is the case.

If it is C, then restrict outbound email to the address of your email server ONLY, and optionally run some email anti-spam platform on outbound (and inbound) email. The CBL administration will likely want some sort of guarantee that the issue has been resolved before releasing the IP address from the list. This may involve a statement from an external IT / security support company.

If B, then you will need to address this with your ISP.

If A, then you will need to get a non-DIALUP IP address from your ISP.
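The original poster asked for a "network sensor" that records suspicious connections, one reply advised blocking outbound port 25 by default, and the last reply advised restricting outbound email to the mail server's address only. The following is an added example, not code from any of the posters, that turns those three pieces of advice into a check you can run over the gateway's existing connection logs: every LAN host that opens a connection to a mail port (25, 465, 587) anywhere other than the approved relay is reported, and a host fanning out to several distinct destinations is flagged as a likely mass-mailer. The log format, the LAN prefix 192.168.1.0/24, the relay address 10.0.0.5:587 and the sample log lines are all constructed assumptions for the example; adjust the regex to whatever your firewall actually emits.

```python
"""Flag LAN hosts that look like spambots from NAT/firewall connection logs.

Added example (not from the original thread). The log lines below are
constructed: one syslog-style line per outbound connection seen by the
gateway, carrying SRC=<lan ip> DST=<dst ip> PROTO=TCP DPT=<dst port>.
"""
import re
from collections import defaultdict

# Assumptions (hypothetical values): the LAN is 192.168.1.0/24 and the only
# legitimate outbound mail path is the relay at 10.0.0.5 on port 587.
LAN_PREFIX = "192.168.1."
ALLOWED_RELAY = ("10.0.0.5", 587)
MAIL_PORTS = {25, 465, 587}
# A spambot fans out to many remote MXs; a desktop sending through one relay
# does not. Three or more distinct destinations is treated as mass-mailing.
DISTINCT_DST_THRESHOLD = 3

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=TCP\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample input, not a real capture.
SAMPLE_LOG = """\
Mar 03 09:12:01 gw kernel: OUT SRC=192.168.1.20 DST=10.0.0.5 PROTO=TCP DPT=587
Mar 03 09:12:07 gw kernel: OUT SRC=192.168.1.20 DST=203.0.113.8 PROTO=TCP DPT=443
Mar 03 09:13:11 gw kernel: OUT SRC=192.168.1.77 DST=198.51.100.10 PROTO=TCP DPT=25
Mar 03 09:13:12 gw kernel: OUT SRC=192.168.1.77 DST=198.51.100.11 PROTO=TCP DPT=25
Mar 03 09:13:12 gw kernel: OUT SRC=192.168.1.77 DST=198.51.100.12 PROTO=TCP DPT=25
Mar 03 09:13:14 gw kernel: OUT SRC=192.168.1.77 DST=198.51.100.13 PROTO=TCP DPT=465
Mar 03 09:14:00 gw kernel: OUT SRC=192.168.1.31 DST=203.0.113.9 PROTO=TCP DPT=25
Mar 03 09:15:30 gw kernel: OUT SRC=192.168.1.31 DST=10.0.0.5 PROTO=TCP DPT=587
malformed line that the parser must skip
"""


def parse_connections(log_text):
    """Yield (src, dst, dport) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_suspects(log_text):
    """Return {src: {"violations", "distinct_dsts", "mass_mailer"}} for LAN
    hosts that talk to a mail port anywhere except the approved relay."""
    attempts = defaultdict(list)
    for src, dst, dport in parse_connections(log_text):
        if not src.startswith(LAN_PREFIX) or dport not in MAIL_PORTS:
            continue  # not our host, or not a mail port: irrelevant
        if (dst, dport) == ALLOWED_RELAY:
            continue  # the one permitted mail path
        attempts[src].append((dst, dport))

    report = {}
    for src, hits in attempts.items():
        distinct = {dst for dst, _ in hits}
        report[src] = {
            "violations": len(hits),
            "distinct_dsts": len(distinct),
            "mass_mailer": len(distinct) >= DISTINCT_DST_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(find_suspects(SAMPLE_LOG).items()):
        label = "MASS-MAILER" if info["mass_mailer"] else "policy violation"
        print(f"{host}: {info['violations']} SMTP attempt(s) to "
              f"{info['distinct_dsts']} host(s) [{label}]")
```

On the sample data 192.168.1.77 is reported as a mass-mailer (four attempts to four different hosts on 25/465), 192.168.1.31 shows a single policy violation worth a look, and 192.168.1.20 is clean because its only mail traffic goes to the relay. Once the egress rule from the reply above is in place (only the relay may reach mail ports), the same log parser still works: the firewall's drop lines name exactly the hosts you need to visit.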
