Posts Tagged ‘Network’

WAN IP address blacklisted by Spamhaus and CBL

Posted by Mark on Tuesday, July 19th, 2011

A customer recently experienced a virus on one of their PCs which resulted in their WAN IP address being blacklisted by Spamhaus and CBL.

The Torpig trojan was beaconing from inside the network, and this traffic was being picked up by the block list providers. The virus was cleaned from an internal server once and the blacklisting cleared; however, we then received another warning saying the site had been blacklisted again.

Below is the message from the CBL website report (the 81.x.x.x address is the customer’s external WAN address). The warning was issued because the customer had already been delisted once before:

WARNING: If you continually delist 81.x.x.x without fixing the problem, the CBL will eventually stop allowing the delisting of 81.x.x.x.

The second time this occurred, the original server was checked and found to be no longer infected, which left us with an unknown infected machine somewhere on the company’s internal network. The question was how to find that machine, remove the virus and get the company delisted so that its email would flow again.

The answer was straightforward. The company thankfully uses Microsoft ISA Server 2006 as its main firewall. In ISA we can create rules to allow or deny any type of traffic and then produce reports filtered to that specific rule, which is what we did.

We created an ISA rule blocking all outgoing traffic to one of Torpig’s known command-and-control addresses on the internet (see the CBL blacklist report below), then configured ISA to report on that specific rule. Within 30 seconds we had the internal IP address of the problem client, which was then isolated and later fixed.

We were then able to whitelist the customer and get them back up and running in the shortest time possible.

Below is the Blacklist report from CBL:

CBL Lookup Utility:
Automated/scripted bulk lookups are forbidden. Upon detection, automated scripts will be denied access, and the source IP may be listed in the CBL.

IP Address 81.x.x.x is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2011-06-09 06:00 GMT (+/- 30 minutes), approximately 5 hours, 30 minutes ago.

It has been relisted following a previous removal at 2011-06-06 08:33 GMT (3 days, 3 hours, 10 minutes ago)

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.19.44.118, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a “MBR cleaner” or reformat the drive completely – even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.

The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.19.44.118, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-06-09 06:14:31 (GMT – this timestamp is believed accurate to within one second).

These infections are rated as a “severe threat” by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it’s a “sensor” (only) run by “the good guys”. The bot “thinks” it’s a command and control server run by the spambot operators but it isn’t. It DOES NOT actually download anything, and is not a threat. If you firewall it, your IPs will remain infected, and they will still be able to download from real command & control servers run by the bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it. 

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any “tracks” for you to find in your mail server logs. This is even more important for the viruses described here – these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn’t working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn’t find anything doesn’t prove that you’re not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine – meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

WARNING: If you continually delist 81.137.208.239 without fixing the problem, the CBL will eventually stop allowing the delisting of 81.137.208.239.

If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
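The approach in the post above (block the C&C address at the firewall, then report on which internal host hits the rule) and the CBL report’s advice to search for connections to 91.19.0.0/16 and 91.20.0.0/16 on any port can be automated against exported firewall logs. The Python script below is an added example, not code from the original post or from ISA Server; it assumes a simplified, space-separated log layout (the sample lines are constructed and do not follow the real ISA 2006 W3C field order) and flags every private-address source that attempted a connection into those ranges, whether the firewall allowed or denied the attempt.

```python
"""Find which internal host is talking to the Torpig sinkhole ranges named in the CBL report."""
import ipaddress
from collections import defaultdict

# Ranges the CBL report asks you to search for (91.19.0.0/16 and 91.20.0.0/16).
WATCHED_RANGES = [
    ipaddress.ip_network("91.19.0.0/16"),
    ipaddress.ip_network("91.20.0.0/16"),
]

# Constructed sample firewall log, one connection attempt per line:
#   date time src_ip src_port dst_ip dst_port proto action
# Assumption: a simplified layout, not the real ISA 2006 W3C field order.
SAMPLE_LOG = """\
2011-06-09 06:14:31 192.168.1.57 49211 91.19.44.118 443 TCP Allowed
2011-06-09 06:14:40 192.168.1.12 51000 8.8.8.8 53 UDP Allowed
2011-06-09 06:15:02 192.168.1.57 49215 91.20.7.9 80 TCP Denied
2011-06-09 06:15:30 192.168.1.88 50234 91.19.200.1 8080 TCP Allowed
2011-06-09 06:16:00 192.168.1.12 51001 91.18.1.1 80 TCP Allowed
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, src, sport, dst, dport, proto, action = parts
    try:
        return {
            "when": f"{date} {time}",
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "action": action,
        }
    except ValueError:  # unparsable address or port
        return None


def is_watched(addr):
    """True if the destination (string or address object) lies in a watched sinkhole range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in WATCHED_RANGES)


def find_internal_hosts(log_text):
    """Map each private-address source to the watched connections it attempted, on any port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["src"].is_private or not is_watched(rec["dst"]):
            continue
        # Denied attempts count too: the attempt itself identifies the infected host.
        hits[str(rec["src"])].append(
            (rec["when"], str(rec["dst"]), rec["dport"], rec["action"])
        )
    return dict(hits)


def summarize(hits):
    """Sorted (host, attempt_count) pairs, most active first, as a triage list."""
    return sorted(((h, len(c)) for h, c in hits.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = find_internal_hosts(SAMPLE_LOG)
    for host, count in summarize(found):
        print(f"{host}: {count} connection attempt(s) to sinkhole ranges")
        for when, dst, port, action in found[host]:
            print(f"    {when} -> {dst}:{port} ({action})")
```

Run it against a real export by reading the log file into `find_internal_hosts` instead of `SAMPLE_LOG`, after adjusting `parse_line` to your firewall’s field order. Matching on the whole /16 ranges rather than the single address from the report is deliberate, because the report notes that the sinkhole address changes periodically, and the private-address filter keeps the output to hosts you can actually isolate.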

BPOS Single Sign On client (SSO) fails to work in corporate network behind proxy servers

Posted by Graham on Wednesday, May 11th, 2011

I recently came across a problem whereby the BPOS Single Sign On client did not work in a large corporate network – however, it worked outside the network without any issues.

After some initial investigation, I found that the error in the log file centred on:

14/04/2011 10:53:55 Exception                SingleSignOn.ParseSSOException             

There was no endpoint listening at https://signinservice.emea.microsoftonline.com/ssoservice/UID that could accept the message.

This indicated that the problem related to authentication and proxy servers.

So I made the following change to the “signin.exe.config” file within the SSO client.

I added:

<system.net>
  <defaultProxy enabled="true" useDefaultCredentials="true">
    <proxy usesystemdefault="True" />
  </defaultProxy>
</system.net>

This got around the proxy issue by making the client use the system proxy settings and authenticate to the proxy with the logged-on user’s credentials, and BPOS SSO then worked correctly.

How safe is your IT security?

Posted by Graham on Tuesday, April 21st, 2009

One of the largest challenges facing UK businesses is IT security. As a business becomes increasingly reliant on the data on its systems, it faces ever-increasing threats to the network and data integrity.

Everyone is aware of the issues in the media regarding internet usage and the security of the electronic data we store or transmit to third parties. The perceived issues are almost the same for every organisation; it’s just the scale of the solution, and therefore the cost, that differs. So is it really an issue, or are we just scaremongering?

The simple answer is both ‘yes’ and ‘no.’

Is my computer and its data at risk?
Yes it is, if you don’t take reasonable steps to protect it. Would you leave your home unlocked? Of course not, and the same simple analogy holds true for computers and systems: they are at risk if you ‘leave the door wide open’.

So how do I ‘shut the door’ to my PC network and lock it?
Some simple steps will reduce the risk to an acceptable level. We must protect our data and limit the risk, but without spending very large amounts of money. The solutions differ slightly between the home user and the business user, but here I will focus on the business.

Using analogies again, let’s think of a bank. When it comes to protecting the money, banks place their highest security closest to the actual money: the bank vault door with complex alarms. This is backed by front-of-house security: a simple lockable door, a visual deterrent in the form of a security guard, some cameras and probably some toughened glass protecting the bank clerks.

This is referred to as a multi-layered approach: it allows and encourages normal people into the bank, but discourages the robber by putting a difficult path between them and the money.

This analogy holds true for IT systems and the data they contain. IT security should be tiered, with multiple levels of security from the front door to the bank vault.

So how does this translate from IT speak into the real world? Firstly, email: we all use it; in fact, a recent Microsoft study determined that email was the number one use of a PC. So if email is important, we need to take steps to ensure the emails we receive are relevant to the business:

Spam
We need a device, or a service from a provider, that “cleans” our email of spam. This device or service should also remove viruses at the same time, ensuring that what arrives in your inbox is relevant.

These systems aren’t 100% perfect, so any system implemented must be able to learn and must be simple to use and administer. We then need to extend this protection to the PC itself as another layer, in the form of a software suite that blocks spyware, viruses, malware, spam and so on.

This software needs to adapt to new threats and learn quickly; it also needs to report status information to a central system.

Our security doesn’t end there. We almost certainly have internet access at work, and if we can get out to the internet, it follows that the internet can get to us. So we must also take steps to protect our computer network and its data from the outside electronic world:

Firewalls
Firewalls, as their name suggests, are walls that stop fire and heat spreading through a building or vehicle. In IT, this device stops the internet from getting inside your computer network. These devices vary considerably in features and price, and one size does not fit all!

Best practice would dictate that a relatively simple (fast) device is placed closest to the internet to undertake simple blocking tasks (like the front door of the bank), and then, closer to the users, a more complex device (like the bank vault) that can undertake a very fine inspection of the information flowing in.

These complex devices can also inspect or block what is going out of your network, which is a useful productivity and security tool if your staff are surfing potentially unsafe websites that could contain spyware and viruses.

These devices and ideas are the starting point for formulating an IT security plan and policy; each business is unique, and each requirement and its solution differs from the next.

Are the risks real?
Yes, they are. The use of professionally written, intelligent and well-executed viral code is becoming widespread. These code writers use the same processes and procedures a professional application developer would use, to ensure the highest quality virus.

Infections today are less openly destructive than they used to be, as the writers now know that they can extract useful and valuable data with a financial worth, such as credit card details. Infected machines have allowed these people to undertake money laundering, gain remote access to internal database systems, fund terrorism and carry out other criminal activities.

These attacks are not limited to small-time ad-hoc efforts; they can be streamlined, targeted affairs for a particular purpose. This type of criminal activity is rapidly becoming mainstream: the number of viruses detected over the past two years is almost equal to all the viruses detected since records began.

The approaches above typically come through email or websites, but we haven’t mentioned direct attacks, i.e. “hacking”. Here people try to exploit security weaknesses in your firewall, your computers or even your people. They could attack your network via a home worker whose PC is unchecked and insecure (this method was used many years ago to illegally access Microsoft’s network). They can also use a “blended” attack, where a virus opens backdoor access through your firewall and a Trojan Horse type of attack then follows from within. There must be many security hurdles in place to thwart a determined hacker from gaining access to your network, or, as the military would say, defence in depth.

Security is a large subject, but to put matters into perspective, it is all about risk: what risk is your business willing to accept? There will always be some. The answer to that question, alongside your business type and what you do as a business, will help determine the solution.

Published in Telegraph Business Club

Press Information:-
For more information, photography or an interview with the senior management team please call Anthea Fosti at Zeus Public Relations Limited on 01260 271429 / 07971437042 or email anthea@zeuspr.co.uk.